Ambiguous syntax of security options #23958

@tomgehrmann

Is this a docs issue?

  • My issue is about the documentation content or website

Type of issue

I can't find what I'm looking for

Description

The documentation regarding the syntax of security options in general, and no-new-privileges in particular, is confusing.

Every option in the CLI run security-opt reference (also the compose service reference) has the syntax "some_option=value", because of which it can be assumed to be the general syntax. However, the last example in the CLI run security-opt reference breaks with this assumption, as just --security-opt no-new-privileges is also acceptable (which is also used on the man page).

Additionally, the compose spec on GitHub differs from the version on the Docker website: "label:user:USER".

Manual testing of no-new-privileges inside the container (using capsh, Docker Community, containerd) reveals that all of the following syntaxes are accepted:

  • "no-new-privileges=true"
  • "no-new-privileges"
  • "no-new-privileges:true"

Location

https://docs.docker.com/reference/cli/docker/container/run/#security-opt

Suggestion

Document the syntax explicitly (or link to if documented elsewhere)
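
Added example, not part of the original issue and not Docker's own parser: a policy or compose-file check that string-matches only `no-new-privileges=true` misses the other two spellings reported above, so this sketch normalizes all three shapes before deciding. The function names, the set of accepted boolean spellings, and the conservative "any non-true occurrence counts as disabled" rule are assumptions of this example.

```python
"""Audit helper: does a security_opt list enable no-new-privileges?"""

# Boolean spellings treated as "enabled" are an assumption of this example;
# the issue only reports testing the value "true".
TRUTHY = {"true", "1"}


def normalize_security_opt(opt):
    """Split one security option into (key, value).

    Handles the three shapes reported in the issue:
    "key=value", "key:value", and a bare "key" (value is None).
    """
    opt = opt.strip()
    if "=" in opt:
        key, value = opt.split("=", 1)
    elif ":" in opt:
        key, value = opt.split(":", 1)
    else:
        key, value = opt, None
    return key.strip(), (value.strip() if value is not None else None)


def no_new_privileges_enabled(security_opts):
    """Conservative check: option present and never given a non-true value."""
    seen = False
    for opt in security_opts:
        key, value = normalize_security_opt(opt)
        if key != "no-new-privileges":
            continue
        if value is not None and value.lower() not in TRUTHY:
            return False  # an explicit non-true value fails the audit
        seen = True
    return seen


def naive_check(security_opts):
    """The exact-string match a linter might use; misses two of three shapes."""
    return "no-new-privileges=true" in security_opts


if __name__ == "__main__":
    # Constructed sample inputs, one per syntax listed in the issue.
    samples = (["no-new-privileges=true"], ["no-new-privileges"],
               ["no-new-privileges:true"], ["label:user:USER"])
    for opts in samples:
        print(opts, naive_check(opts), no_new_privileges_enabled(opts))
```
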

Labels: agent/triaged (Agent has analyzed this issue; verdict in task file), status/triage (Needs triage)