Commit 993e9f8c authored by David Johnson's avatar David Johnson

Add support for privileged Docker containers.

parent e48155a7
......@@ -2957,6 +2957,20 @@ sub vnodeCreate($$$$)
$inreload = 1;
}
#
# A quick sanity check to prevent privileged containers on shared
# nodes. The frontend protects us against this, but have to be
# sure.
#
my $privileged = 0;
if (exists($attributes->{'DOCKER_PRIVILEGED'})
&& $attributes->{'DOCKER_PRIVILEGED'} eq '1') {
if (SHAREDHOST()) {
fatal("vnodeCreate: cannot spawn privileged container on shared host!");
}
$privileged = 1;
}
#
# Figure out where/what we're pulling, and a username/password if
# necessary.
......@@ -3121,6 +3135,11 @@ sub vnodeCreate($$$$)
$args{'AttachStderr'} = JSON::PP::true;
$args{'OpenStdin'} = JSON::PP::true;
# Handle privileged containers. NB: we already checked the sharedhost case above.
if ($privileged) {
$args{"HostConfig"}{"Privileged"} = JSON::PP::true;
}
my @hostspairs = ();
genhostspairlist($vnode_id,\@hostspairs);
if (@hostspairs) {
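Review bot: The comment above the `HostConfig.Privileged` assignment should state what the flag grants, so the hard `fatal()` in the earlier hunk reads as deliberate rather than merely cautious: a privileged container gets the full capability set and host device access, which is host-root-equivalent, so it is only acceptable on a node dedicated to a single experiment. Suggest `# Privileged => full caps + host devices (host-root equivalent); only safe because SHAREDHOST() was rejected above.` The same line also mixes quote styles with its neighbours (`$args{'AttachStderr'}`), so `$args{'HostConfig'}{'Privileged'} = JSON::PP::true;` would match the surrounding code. vnodeCreate begins and ends outside both hunks.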
......@@ -2296,6 +2296,21 @@ sub GetTicketAuxAux($)
$attrkey = "DOCKER_ENV";
#$attrvalue = DBQuoteSpecial($attrvalue);
}
elsif ($setting eq "privileged") {
$attrkey = "DOCKER_PRIVILEGED";
if ($attrvalue eq '1' || $attrvalue =~ /^true$/i) {
if ($isshared) {
$response = GeniResponse->Create(
GENIRESPONSE_BADARGS, undef,
"Shared containers cannot be privileged");
goto bad;
}
$attrvalue = "1";
}
else {
$attrvalue = "0";
}
}
else {
next;
}
......@@ -1294,6 +1294,9 @@ sub GetDockerSettings($)
$tmp = GetText("env", $settings);
$result->{"env"} = $tmp
if (defined($tmp));
$tmp = GetText("privileged", $settings);
$result->{"privileged"} = $tmp
if (defined($tmp));
return $result;
}
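Review bot: `GetDockerSettings` stores the `privileged` text verbatim, while the `"1"`/`"0"` normalisation and the shared-node rejection live in GetTicketAuxAux elsewhere in this commit; a one-line comment here would keep a future caller from treating the raw value as already validated, e.g. `# Raw text; normalised and shared-host-checked in GetTicketAuxAux.` Whether GetText returns undef for an absent element is not visible in the hunk, but the `if (defined($tmp))` guard follows the existing `env` lines. The start of GetDockerSettings lies outside the hunk.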