mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #31715 from anusha-ragunathan/ipc-host

Add support in plugin config for accessing host ipc and pid namespace.
Tibor Vass 2017-03-22 14:17:21 -07:00 committed by GitHub
commit 0caced4644
5 changed files with 52 additions and 0 deletions


@ -1448,11 +1448,17 @@ definitions:
- WorkDir - WorkDir
- Network - Network
- Linux - Linux
- PidHost
- PropagatedMount - PropagatedMount
- IpcHost
- Mounts - Mounts
- Env - Env
- Args - Args
properties: properties:
DockerVersion:
description: "Docker Version used to create the plugin"
type: "string"
x-nullable: false
Description: Description:
type: "string" type: "string"
x-nullable: false x-nullable: false
@ -1516,6 +1522,12 @@ definitions:
PropagatedMount: PropagatedMount:
type: "string" type: "string"
x-nullable: false x-nullable: false
IpcHost:
type: "boolean"
x-nullable: false
PidHost:
type: "boolean"
x-nullable: false
Mounts: Mounts:
type: "array" type: "array"
items: items:
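Review bot: The new `IpcHost` and `PidHost` properties are declared without a `description`, although `DockerVersion`, added in the same file, has one. As a result the generated Go struct on this page carries only the placeholder comments `// ipc host` and `// pid host` for two fields that decide whether a plugin shares host namespaces. I would add, for example, `description: "Run the plugin in the host's IPC namespace instead of a private one."` and the equivalent line for `PidHost`. Both names are also added to the `required` list, so it is worth confirming that plugin configs written before this change, which lack the keys, still pass whatever schema validation clients perform.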


@ -42,6 +42,9 @@ type PluginConfig struct {
// Required: true // Required: true
Description string `json:"Description"` Description string `json:"Description"`
// Docker Version used to create the plugin
DockerVersion string `json:"DockerVersion,omitempty"`
// documentation // documentation
// Required: true // Required: true
Documentation string `json:"Documentation"` Documentation string `json:"Documentation"`
@ -58,6 +61,10 @@ type PluginConfig struct {
// Required: true // Required: true
Interface PluginConfigInterface `json:"Interface"` Interface PluginConfigInterface `json:"Interface"`
// ipc host
// Required: true
IpcHost bool `json:"IpcHost"`
// linux // linux
// Required: true // Required: true
Linux PluginConfigLinux `json:"Linux"` Linux PluginConfigLinux `json:"Linux"`
@ -70,6 +77,10 @@ type PluginConfig struct {
// Required: true // Required: true
Network PluginConfigNetwork `json:"Network"` Network PluginConfigNetwork `json:"Network"`
// pid host
// Required: true
PidHost bool `json:"PidHost"`
// propagated mount // propagated mount
// Required: true // Required: true
PropagatedMount string `json:"PropagatedMount"` PropagatedMount string `json:"PropagatedMount"`


@ -115,6 +115,11 @@ Config provides the base accessible fields for working with V0 plugin format
options of the mount. options of the mount.
- **`ipchost`** *boolean*
Access to host ipc namespace.
- **`pidhost`** *boolean*
Access to host pid namespace.
- **`propagatedMount`** *string* - **`propagatedMount`** *string*
path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins. path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.


@ -24,6 +24,7 @@ import (
"github.com/docker/docker/distribution" "github.com/docker/docker/distribution"
progressutils "github.com/docker/docker/distribution/utils" progressutils "github.com/docker/docker/distribution/utils"
"github.com/docker/docker/distribution/xfer" "github.com/docker/docker/distribution/xfer"
"github.com/docker/docker/dockerversion"
"github.com/docker/docker/image" "github.com/docker/docker/image"
"github.com/docker/docker/layer" "github.com/docker/docker/layer"
"github.com/docker/docker/pkg/chrootarchive" "github.com/docker/docker/pkg/chrootarchive"
@ -150,6 +151,20 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
Value: []string{c.Network.Type}, Value: []string{c.Network.Type},
}) })
} }
if c.IpcHost {
privileges = append(privileges, types.PluginPrivilege{
Name: "host ipc namespace",
Description: "allow access to host ipc namespace",
Value: []string{"true"},
})
}
if c.PidHost {
privileges = append(privileges, types.PluginPrivilege{
Name: "host pid namespace",
Description: "allow access to host pid namespace",
Value: []string{"true"},
})
}
for _, mount := range c.Mounts { for _, mount := range c.Mounts {
if mount.Source != nil { if mount.Source != nil {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
@ -744,6 +759,8 @@ func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser,
DiffIds: []string{layerDigester.Digest().String()}, DiffIds: []string{layerDigester.Digest().String()},
} }
config.DockerVersion = dockerversion.Version
configBlob, err := pm.blobStore.New() configBlob, err := pm.blobStore.New()
if err != nil { if err != nil {
return err return err
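Review bot: The two consent entries added to `computePrivileges` describe host namespace sharing only as "allow access to host ipc namespace" and "allow access to host pid namespace", which undersells what the operator approves at install time. In the host pid namespace the plugin can see every process on the host, and in the host ipc namespace it shares SysV IPC objects and POSIX message queues with host processes. I would spell that out in the prompt text, e.g. `Description: "allow the plugin to see all host processes (shares the host pid namespace)",` and a matching line for ipc. None of the five changed files is a test, so a case asserting that a config with `PidHost` or `IpcHost` set yields exactly these privileges would keep the prompt from silently regressing. The body of `computePrivileges` starts and ends outside this hunk.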


@ -60,6 +60,13 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro"},
}) })
} }
if p.PluginObj.Config.PidHost {
oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
}
if p.PluginObj.Config.IpcHost {
oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
}
for _, mnt := range mounts { for _, mnt := range mounts {
m := specs.Mount{ m := specs.Mount{
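Review bot: The two `oci.RemoveNamespace` calls added to `InitSpec` have no comment explaining that dropping the `pid` or `ipc` entry from the spec is what leaves the plugin in the host's namespace, so the block reads like cleanup rather than a privilege grant. I would put a line above the first call such as `// No pid namespace entry means the runtime keeps the plugin in the host pid namespace; it then sees all host processes.` and the equivalent above the ipc call. It would also help to note there that the effect compounds with any capabilities the plugin's Linux config requests, since those would then apply against host processes rather than only the plugin's own. `InitSpec` starts and ends outside this hunk, so I cannot see whether the rest of the spec (for example a private `/dev/shm` mount) is adjusted to match the host ipc setting.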