Merge pull request #31715 from anusha-ragunathan/ipc-host
Add support in plugin config for accessing host ipc and pid namespace.
commit
0caced4644
5 changed files with 52 additions and 0 deletions
|
@ -1448,11 +1448,17 @@ definitions:
|
||||||
- WorkDir
|
- WorkDir
|
||||||
- Network
|
- Network
|
||||||
- Linux
|
- Linux
|
||||||
|
- PidHost
|
||||||
- PropagatedMount
|
- PropagatedMount
|
||||||
|
- IpcHost
|
||||||
- Mounts
|
- Mounts
|
||||||
- Env
|
- Env
|
||||||
- Args
|
- Args
|
||||||
properties:
|
properties:
|
||||||
|
DockerVersion:
|
||||||
|
description: "Docker Version used to create the plugin"
|
||||||
|
type: "string"
|
||||||
|
x-nullable: false
|
||||||
Description:
|
Description:
|
||||||
type: "string"
|
type: "string"
|
||||||
x-nullable: false
|
x-nullable: false
|
||||||
|
@ -1516,6 +1522,12 @@ definitions:
|
||||||
PropagatedMount:
|
PropagatedMount:
|
||||||
type: "string"
|
type: "string"
|
||||||
x-nullable: false
|
x-nullable: false
|
||||||
|
IpcHost:
|
||||||
|
type: "boolean"
|
||||||
|
x-nullable: false
|
||||||
|
PidHost:
|
||||||
|
type: "boolean"
|
||||||
|
x-nullable: false
|
||||||
Mounts:
|
Mounts:
|
||||||
type: "array"
|
type: "array"
|
||||||
items:
|
items:
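Review bot: The new `IpcHost` and `PidHost` properties in the second hunk are declared with only `type` and `x-nullable`, while `DockerVersion`, added in the same commit, carries a `description`. Both flags widen what a plugin can reach on the host, so the API definition should say so, for example `description: "Run the plugin in the host's IPC namespace instead of a private one"` and the matching line for PID. The first hunk also adds both names to the list above `properties:`, presumably the `required:` list, whose key is outside the hunk. Configs written before this change will not contain these keys, so it is worth confirming that nothing validates stored configs against that list.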
|
||||||
|
|
|
@ -42,6 +42,9 @@ type PluginConfig struct {
|
||||||
// Required: true
|
// Required: true
|
||||||
Description string `json:"Description"`
|
Description string `json:"Description"`
|
||||||
|
|
||||||
|
// Docker Version used to create the plugin
|
||||||
|
DockerVersion string `json:"DockerVersion,omitempty"`
|
||||||
|
|
||||||
// documentation
|
// documentation
|
||||||
// Required: true
|
// Required: true
|
||||||
Documentation string `json:"Documentation"`
|
Documentation string `json:"Documentation"`
|
||||||
|
@ -58,6 +61,10 @@ type PluginConfig struct {
|
||||||
// Required: true
|
// Required: true
|
||||||
Interface PluginConfigInterface `json:"Interface"`
|
Interface PluginConfigInterface `json:"Interface"`
|
||||||
|
|
||||||
|
// ipc host
|
||||||
|
// Required: true
|
||||||
|
IpcHost bool `json:"IpcHost"`
|
||||||
|
|
||||||
// linux
|
// linux
|
||||||
// Required: true
|
// Required: true
|
||||||
Linux PluginConfigLinux `json:"Linux"`
|
Linux PluginConfigLinux `json:"Linux"`
|
||||||
|
@ -70,6 +77,10 @@ type PluginConfig struct {
|
||||||
// Required: true
|
// Required: true
|
||||||
Network PluginConfigNetwork `json:"Network"`
|
Network PluginConfigNetwork `json:"Network"`
|
||||||
|
|
||||||
|
// pid host
|
||||||
|
// Required: true
|
||||||
|
PidHost bool `json:"PidHost"`
|
||||||
|
|
||||||
// propagated mount
|
// propagated mount
|
||||||
// Required: true
|
// Required: true
|
||||||
PropagatedMount string `json:"PropagatedMount"`
|
PropagatedMount string `json:"PropagatedMount"`
|
||||||
|
|
|
@ -115,6 +115,11 @@ Config provides the base accessible fields for working with V0 plugin format
|
||||||
|
|
||||||
options of the mount.
|
options of the mount.
|
||||||
|
|
||||||
|
- **`ipchost`** *boolean*
|
||||||
|
Access to host ipc namespace.
|
||||||
|
- **`pidhost`** *boolean*
|
||||||
|
Access to host pid namespace.
|
||||||
|
|
||||||
- **`propagatedMount`** *string*
|
- **`propagatedMount`** *string*
|
||||||
|
|
||||||
path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
|
path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
|
||||||
|
|
|
@ -24,6 +24,7 @@ import (
|
||||||
"github.com/docker/docker/distribution"
|
"github.com/docker/docker/distribution"
|
||||||
progressutils "github.com/docker/docker/distribution/utils"
|
progressutils "github.com/docker/docker/distribution/utils"
|
||||||
"github.com/docker/docker/distribution/xfer"
|
"github.com/docker/docker/distribution/xfer"
|
||||||
|
"github.com/docker/docker/dockerversion"
|
||||||
"github.com/docker/docker/image"
|
"github.com/docker/docker/image"
|
||||||
"github.com/docker/docker/layer"
|
"github.com/docker/docker/layer"
|
||||||
"github.com/docker/docker/pkg/chrootarchive"
|
"github.com/docker/docker/pkg/chrootarchive"
|
||||||
|
@ -150,6 +151,20 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
|
||||||
Value: []string{c.Network.Type},
|
Value: []string{c.Network.Type},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
if c.IpcHost {
|
||||||
|
privileges = append(privileges, types.PluginPrivilege{
|
||||||
|
Name: "host ipc namespace",
|
||||||
|
Description: "allow access to host ipc namespace",
|
||||||
|
Value: []string{"true"},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
if c.PidHost {
|
||||||
|
privileges = append(privileges, types.PluginPrivilege{
|
||||||
|
Name: "host pid namespace",
|
||||||
|
Description: "allow access to host pid namespace",
|
||||||
|
Value: []string{"true"},
|
||||||
|
})
|
||||||
|
}
|
||||||
for _, mount := range c.Mounts {
|
for _, mount := range c.Mounts {
|
||||||
if mount.Source != nil {
|
if mount.Source != nil {
|
||||||
privileges = append(privileges, types.PluginPrivilege{
|
privileges = append(privileges, types.PluginPrivilege{
|
||||||
|
@ -744,6 +759,8 @@ func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser,
|
||||||
DiffIds: []string{layerDigester.Digest().String()},
|
DiffIds: []string{layerDigester.Digest().String()},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
config.DockerVersion = dockerversion.Version
|
||||||
|
|
||||||
configBlob, err := pm.blobStore.New()
|
configBlob, err := pm.blobStore.New()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
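Review bot: In the `computePrivileges` hunk, the two new entries appear to be where a host-namespace request is surfaced for approval, and none of the five file sections shown in this commit looks like a test for them. A table test that builds a `types.PluginConfig` with `IpcHost: true` and `PidHost: true` and asserts the resulting `Name` values would keep the prompt from being silently dropped by a later refactor. The `Description` text could also state the effect rather than restate the name, e.g. `Description: "plugin shares the host pid namespace and can see host processes",`. The function starts and ends outside the hunk, so how the slice is returned and compared is not visible here.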
|
||||||
|
|
|
@ -60,6 +60,13 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
|
||||||
Options: []string{"rbind", "ro"},
|
Options: []string{"rbind", "ro"},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
if p.PluginObj.Config.PidHost {
|
||||||
|
oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
|
||||||
|
}
|
||||||
|
|
||||||
|
if p.PluginObj.Config.IpcHost {
|
||||||
|
oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
|
||||||
|
}
|
||||||
|
|
||||||
for _, mnt := range mounts {
|
for _, mnt := range mounts {
|
||||||
m := specs.Mount{
|
m := specs.Mount{
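Review bot: The two new `if` blocks in `InitSpec` remove the `pid` and `ipc` entries from the spec without a comment, and the effect is easy to misread: dropping the entry presumably means no private namespace is created, so the plugin runs in the host's. I would add a comment such as `// No pid namespace entry: the plugin shares the host pid namespace (granted via the "host pid namespace" privilege).` and the same for ipc. If the vendored runtime-spec package exposes named constants for the namespace types (`specs.PIDNamespace`, `specs.IPCNamespace`), using them instead of `specs.NamespaceType("pid")` would catch a typo at compile time. `InitSpec` begins and ends outside the hunk, so the default namespace list in `s` is not visible.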
|
||||||
|
|