diff --git a/api/swagger.yaml b/api/swagger.yaml
index 91a1d7c1d9..bf76d8b50c 100644
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -1448,11 +1448,17 @@ definitions:
 - WorkDir
 - Network
 - Linux
+ - PidHost
 - PropagatedMount
+ - IpcHost
 - Mounts
 - Env
 - Args
 properties:
+ DockerVersion:
+ description: "Docker Version used to create the plugin"
+ type: "string"
+ x-nullable: false
 Description:
 type: "string"
 x-nullable: false
@@ -1516,6 +1522,12 @@ definitions:
 PropagatedMount:
 type: "string"
 x-nullable: false
+ IpcHost:
+ type: "boolean"
+ x-nullable: false
+ PidHost:
+ type: "boolean"
+ x-nullable: false
 Mounts:
 type: "array"
 items:
diff --git a/api/types/plugin.go b/api/types/plugin.go
index 6cc7a23b02..ed3c2c26e4 100644
--- a/api/types/plugin.go
+++ b/api/types/plugin.go
@@ -42,6 +42,9 @@ type PluginConfig struct {
 // Required: true
 Description string `json:"Description"`
+ // Docker Version used to create the plugin
+ DockerVersion string `json:"DockerVersion,omitempty"`
+
 // documentation
 // Required: true
 Documentation string `json:"Documentation"`
@@ -58,6 +61,10 @@ type PluginConfig struct {
 // Required: true
 Interface PluginConfigInterface `json:"Interface"`
+ // ipc host
+ // Required: true
+ IpcHost bool `json:"IpcHost"`
+
 // linux
 // Required: true
 Linux PluginConfigLinux `json:"Linux"`
@@ -70,6 +77,10 @@ type PluginConfig struct {
 // Required: true
 Network PluginConfigNetwork `json:"Network"`
+ // pid host
+ // Required: true
+ PidHost bool `json:"PidHost"`
+
 // propagated mount
 // Required: true
 PropagatedMount string `json:"PropagatedMount"`
diff --git a/docs/extend/config.md b/docs/extend/config.md
index dab755d97b..ad43e898c7 100644
--- a/docs/extend/config.md
+++ b/docs/extend/config.md
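Review bot: The new `IpcHost` and `PidHost` properties in the second swagger hunk carry only `type` and `x-nullable` with no `description`, and the matching struct fields in api/types/plugin.go (the hunks at -58 and -70) are documented as just `// ipc host` and `// pid host`, so nothing in the API surface says that setting either flag makes the plugin run in the host's ipc or pid namespace. Since `DockerVersion` in the first hunk does get a `description`, the two booleans should get one too, e.g. `description: "If true, the plugin runs in the host's pid namespace and can see host processes; this is surfaced as a privilege the user must grant at install time"` and the ipc equivalent, with the Go comments updated to match. The `// Required: true` annotations on the Go fields look generated from the swagger `required` list, so the swagger file is presumably the place to edit first.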
@@ -115,6 +115,11 @@ Config provides the base accessible fields for working with V0 plugin format
 options of the mount.
+- **`ipchost`** *boolean*
+ Access to host ipc namespace.
+- **`pidhost`** *boolean*
+ Access to host pid namespace.
+
 - **`propagatedMount`** *string*
 path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
diff --git a/plugin/backend_linux.go b/plugin/backend_linux.go
index 380d0ddaff..8924daa996 100644
--- a/plugin/backend_linux.go
+++ b/plugin/backend_linux.go
@@ -24,6 +24,7 @@ import (
 "github.com/docker/docker/distribution"
 progressutils "github.com/docker/docker/distribution/utils"
 "github.com/docker/docker/distribution/xfer"
+ "github.com/docker/docker/dockerversion"
 "github.com/docker/docker/image"
 "github.com/docker/docker/layer"
 "github.com/docker/docker/pkg/chrootarchive"
@@ -150,6 +151,20 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
 Value: []string{c.Network.Type},
 })
 }
+ if c.IpcHost {
+ privileges = append(privileges, types.PluginPrivilege{
+ Name: "host ipc namespace",
+ Description: "allow access to host ipc namespace",
+ Value: []string{"true"},
+ })
+ }
+ if c.PidHost {
+ privileges = append(privileges, types.PluginPrivilege{
+ Name: "host pid namespace",
+ Description: "allow access to host pid namespace",
+ Value: []string{"true"},
+ })
+ }
 for _, mount := range c.Mounts {
 if mount.Source != nil {
 privileges = append(privileges, types.PluginPrivilege{
@@ -744,6 +759,8 @@ func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser,
 DiffIds: []string{layerDigester.Digest().String()},
 }
+ config.DockerVersion = dockerversion.Version
+
 configBlob, err := pm.blobStore.New()
 if err != nil {
 return err
diff --git a/plugin/v2/plugin_linux.go b/plugin/v2/plugin_linux.go
index e980e7f29a..6da63b3b6f 100644
--- a/plugin/v2/plugin_linux.go
+++ b/plugin/v2/plugin_linux.go
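Review bot: The user-facing `Description` strings in the two new privilege entries of computePrivileges, `"allow access to host ipc namespace"` and `"allow access to host pid namespace"`, restate the flag name rather than the consequence, and this list is presumably what the install prompt shows before the user grants privileges. Wording such as `Description: "allow access to host pid namespace (the plugin can see and, subject to its capabilities, signal host processes)"` makes the grant an informed one, and the ipc entry could similarly mention shared memory and semaphores of host processes. The `Name` values also become part of the granted-privilege record, so a short comment above the block saying they are stable identifiers would prevent a later cosmetic rename from breaking privilege comparison, if privileges are compared by name as the existing Network and mount entries suggest.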
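Review bot: `config.DockerVersion = dockerversion.Version` is assigned unconditionally after the config has been built, so any `DockerVersion` present in the user-supplied config.json is silently overwritten; if that is intended, a comment such as `// Record the engine version that created the plugin; this overrides any value supplied in config.json` would make it explicit. This assignment sits only in CreateFromContext, so for plugins obtained by other paths (presumably pull) the field carries whatever the publisher put there and nothing in this diff validates it; the field documentation should say it is informational only and must not drive any policy decision. CreateFromContext starts and ends outside this hunk, so I cannot see whether config was validated earlier.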
@@ -60,6 +60,13 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
 Options: []string{"rbind", "ro"},
 })
 }
+ if p.PluginObj.Config.PidHost {
+ oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
+ }
+
+ if p.PluginObj.Config.IpcHost {
+ oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
+ }
 for _, mnt := range mounts {
 m := specs.Mount{
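Review bot: The new guards pass `specs.NamespaceType("pid")` and `specs.NamespaceType("ipc")`, untyped string conversions the compiler cannot check; the runtime-spec package exports `specs.PIDNamespace` and `specs.IPCNamespace` for exactly these values, so `oci.RemoveNamespace(&s, specs.PIDNamespace)` and `oci.RemoveNamespace(&s, specs.IPCNamespace)` would turn a typo into a build error rather than what is presumably a silent no-op that leaves the namespace in place. Removing the entry from the spec means the plugin process shares the host's pid or ipc namespace, which is the privileged behaviour these flags grant, so a comment like `// PidHost/IpcHost are surfaced as privileges in computePrivileges; dropping the namespace joins the host's` would record why no further check happens here. InitSpec begins before this hunk and I cannot see how `s` is built; if it starts from a default spec that mounts /proc, sharing the host pid namespace exposes host processes through that mount, which is worth stating in the PluginConfig field documentation.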