Add support in plugin config for accessing host ipc namespace.

Plugins might need access to host ipc namespace. A good usecase is a volume plugin running iscsi multipath commands that need access to host kernel locks. Tested with a custom plugin (aragunathan/global-net-plugin-full) that's built with `"ipchost" : true` in config.json. Observed using `readlink /proc/self/ns/ipc` that plugin and host have the same ns. Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
2022-11-09 12:21:53 -05:00 · 2017-03-07 18:26:09 -08:00 · 2017-03-07 18:26:09 -08:00 · 6d6185c257
commit 6d6185c257
parent fd3aef5ec2
5 changed files with 22 additions and 0 deletions
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@ -1446,6 +1446,7 @@ definitions:
          - Network
          - Linux
          - PropagatedMount
+          - IpcHost
          - Mounts
          - Env
          - Args
@ -1513,6 +1514,9 @@ definitions:
          PropagatedMount:
            type: "string"
            x-nullable: false
+          IpcHost:
+            type: "boolean"
+            x-nullable: false
          Mounts:
            type: "array"
            items:
--- a/api/types/plugin.go
+++ b/api/types/plugin.go
@ -58,6 +58,10 @@ type PluginConfig struct {
 	// Required: true
 	Interface PluginConfigInterface `json:"Interface"`

+	// ipc host
+	// Required: true
+	IpcHost bool `json:"IpcHost"`
+
 	// linux
 	// Required: true
 	Linux PluginConfigLinux `json:"Linux"`
--- a/docs/extend/config.md
+++ b/docs/extend/config.md
@ -115,6 +115,9 @@ Config provides the base accessible fields for working with V0 plugin format

 	  options of the mount.

+- **`ipchost`** *boolean*
+   Access to host ipc namespace.
+
 - **`propagatedMount`** *string*

   path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
--- a/plugin/backend_linux.go
+++ b/plugin/backend_linux.go
@ -150,6 +150,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
 			Value:       []string{c.Network.Type},
 		})
 	}
+	if c.IpcHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host ipc namespace",
+			Description: "allow access to host ipc namespace",
+			Value:       []string{"true"},
+		})
+	}
 	for _, mount := range c.Mounts {
 		if mount.Source != nil {
 			privileges = append(privileges, types.PluginPrivilege{
--- a/plugin/v2/plugin_linux.go
+++ b/plugin/v2/plugin_linux.go
@ -61,6 +61,10 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
 			})
 	}

+	if p.PluginObj.Config.IpcHost {
+		oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
+	}
+
 	for _, mnt := range mounts {
 		m := specs.Mount{
 			Destination: mnt.Destination,