Add pid host support

Tested using global-net-plugin-ipc which sets PidHost in config.json. Plugins might need access to host pid namespace. Add support for that. Tested using aragunathan/global-net-plugin-ipc which sets "pidhost" in config.json. Observed using `readlink /proc/self/ns/pid` that plugin and host have the same ns. Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
2022-11-09 12:21:53 -05:00 · 2017-03-10 14:17:24 -08:00 · 2017-03-10 14:17:24 -08:00 · 4d1edcb2cc
commit 4d1edcb2cc
parent 6d6185c257
5 changed files with 20 additions and 0 deletions
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@ -1445,6 +1445,7 @@ definitions:
          - WorkDir
          - Network
          - Linux
+          - PidHost
          - PropagatedMount
          - IpcHost
          - Mounts
@ -1517,6 +1518,9 @@ definitions:
          IpcHost:
            type: "boolean"
            x-nullable: false
+          PidHost:
+            type: "boolean"
+            x-nullable: false
          Mounts:
            type: "array"
            items:
--- a/api/types/plugin.go
+++ b/api/types/plugin.go
@ -74,6 +74,10 @@ type PluginConfig struct {
 	// Required: true
 	Network PluginConfigNetwork `json:"Network"`

+	// pid host
+	// Required: true
+	PidHost bool `json:"PidHost"`
+
 	// propagated mount
 	// Required: true
 	PropagatedMount string `json:"PropagatedMount"`
--- a/docs/extend/config.md
+++ b/docs/extend/config.md
@ -117,6 +117,8 @@ Config provides the base accessible fields for working with V0 plugin format

 - **`ipchost`** *boolean*
   Access to host ipc namespace.
+- **`pidhost`** *boolean*
+   Access to host pid namespace.

 - **`propagatedMount`** *string*

--- a/plugin/backend_linux.go
+++ b/plugin/backend_linux.go
@ -157,6 +157,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
 			Value:       []string{"true"},
 		})
 	}
+	if c.PidHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host pid namespace",
+			Description: "allow access to host pid namespace",
+			Value:       []string{"true"},
+		})
+	}
 	for _, mount := range c.Mounts {
 		if mount.Source != nil {
 			privileges = append(privileges, types.PluginPrivilege{
--- a/plugin/v2/plugin_linux.go
+++ b/plugin/v2/plugin_linux.go
@ -60,6 +60,9 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
 				Options:     []string{"rbind", "ro"},
 			})
 	}
+	if p.PluginObj.Config.PidHost {
+		oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
+	}

 	if p.PluginObj.Config.IpcHost {
 		oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))