Commit 993e9f8c authored by David Johnson's avatar David Johnson

Add support for privileged Docker containers.

parent e48155a7
...@@ -2957,6 +2957,20 @@ sub vnodeCreate($$$$) ...@@ -2957,6 +2957,20 @@ sub vnodeCreate($$$$)
$inreload = 1; $inreload = 1;
} }
#
# A quick sanity check to prevent privileged containers on shared
# nodes. The frontend protects us against this, but have to be
# sure.
#
my $privileged = 0;
if (exists($attributes->{'DOCKER_PRIVILEGED'})
&& $attributes->{'DOCKER_PRIVILEGED'} eq '1') {
if (SHAREDHOST()) {
fatal("vnodeCreate: cannot spawn privileged container on shared host!");
}
$privileged = 1;
}
# #
# Figure out where/what we're pulling, and a username/password if # Figure out where/what we're pulling, and a username/password if
# necessary. # necessary.
...@@ -3121,6 +3135,11 @@ sub vnodeCreate($$$$) ...@@ -3121,6 +3135,11 @@ sub vnodeCreate($$$$)
$args{'AttachStderr'} = JSON::PP::true; $args{'AttachStderr'} = JSON::PP::true;
$args{'OpenStdin'} = JSON::PP::true; $args{'OpenStdin'} = JSON::PP::true;
# Handle privileged containers. NB: we already checked the sharedhost case above.
if ($privileged) {
$args{"HostConfig"}{"Privileged"} = JSON::PP::true;
}
my @hostspairs = (); my @hostspairs = ();
genhostspairlist($vnode_id,\@hostspairs); genhostspairlist($vnode_id,\@hostspairs);
if (@hostspairs) { if (@hostspairs) {
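Review bot: The shared-host guard in the first hunk and the `$args{"HostConfig"}{"Privileged"}` assignment in the second are well over a hundred lines apart in vnodeCreate and are linked only by `$privileged`. A later edit that sets the flag by another path would skip the guard, so repeating the `SHAREDHOST()` test next to the assignment would keep the decision and its enforcement together. The first hunk accepts only the exact string '1', which fails closed. Because a privileged container has close to host-level access, a log line when one is created would help later auditing, for example `print STDERR "vnodeCreate: $vnode_id: creating privileged container\n";`. vnodeCreate starts and ends outside both hunks, and the first check follows the close of a block that sets `$inreload`, so it should be confirmed that the check runs on every creation path.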
......
...@@ -2296,6 +2296,21 @@ sub GetTicketAuxAux($) ...@@ -2296,6 +2296,21 @@ sub GetTicketAuxAux($)
$attrkey = "DOCKER_ENV"; $attrkey = "DOCKER_ENV";
#$attrvalue = DBQuoteSpecial($attrvalue); #$attrvalue = DBQuoteSpecial($attrvalue);
} }
elsif ($setting eq "privileged") {
$attrkey = "DOCKER_PRIVILEGED";
if ($attrvalue eq '1' || $attrvalue =~ /^true$/i) {
if ($isshared) {
$response = GeniResponse->Create(
GENIRESPONSE_BADARGS, undef,
"Shared containers cannot be privileged");
goto bad;
}
$attrvalue = "1";
}
else {
$attrvalue = "0";
}
}
else { else {
next; next;
} }
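Review bot: The refusal in the new `privileged` branch depends entirely on `$isshared`, which is computed outside this hunk. If it is derived from other settings of the same node that can be parsed after this one, a shared container could pass the frontend with `DOCKER_PRIVILEGED` set to 1, leaving only the node-side check, so confirm that `$isshared` is final before this loop runs. The pattern `/^true$/i` also matches a value with a trailing newline; `/\Atrue\z/i` is the exact form. Any other value is silently stored as "0", which fails closed but downgrades a request such as `yes` without telling the user; returning `GENIRESPONSE_BADARGS` for unrecognized values would make that visible. GetTicketAuxAux starts and ends outside the hunk.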
......
...@@ -1294,6 +1294,9 @@ sub GetDockerSettings($) ...@@ -1294,6 +1294,9 @@ sub GetDockerSettings($)
$tmp = GetText("env", $settings); $tmp = GetText("env", $settings);
$result->{"env"} = $tmp $result->{"env"} = $tmp
if (defined($tmp)); if (defined($tmp));
$tmp = GetText("privileged", $settings);
$result->{"privileged"} = $tmp
if (defined($tmp));
return $result; return $result;
} }
......