From 6d6185c2577c473fa9046d73a850c09a254e9a81 Mon Sep 17 00:00:00 2001
From: Anusha Ragunathan
Date: Tue, 7 Mar 2017 18:26:09 -0800
Subject: [PATCH] Add support in plugin config for accessing host ipc namespace. Plugins might need access to host ipc namespace. A good usecase is a volume plugin running iscsi multipath commands that need access to host kernel locks. Tested with a custom plugin (aragunathan/global-net-plugin-full) that's built with `"ipchost" : true` in config.json. Observed using `readlink /proc/self/ns/ipc` that plugin and host have the same ns.
Signed-off-by: Anusha Ragunathan
---
 api/swagger.yaml | 4 ++++
 api/types/plugin.go | 4 ++++
 docs/extend/config.md | 3 +++
 plugin/backend_linux.go | 7 +++++++
 plugin/v2/plugin_linux.go | 4 ++++
 5 files changed, 22 insertions(+)
diff --git a/api/swagger.yaml b/api/swagger.yaml
index be71e0ffa3..254042115a 100644
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -1446,6 +1446,7 @@ definitions:
 - Network
 - Linux
 - PropagatedMount
+ - IpcHost
 - Mounts
 - Env
 - Args
@@ -1513,6 +1514,9 @@ definitions:
 PropagatedMount:
 type: "string"
 x-nullable: false
+ IpcHost:
+ type: "boolean"
+ x-nullable: false
 Mounts:
 type: "array"
 items:
diff --git a/api/types/plugin.go b/api/types/plugin.go
index 6cc7a23b02..ecd45b4a0a 100644
--- a/api/types/plugin.go
+++ b/api/types/plugin.go
@@ -58,6 +58,10 @@ type PluginConfig struct {
 // Required: true
 Interface PluginConfigInterface `json:"Interface"`

+ // ipc host
+ // Required: true
+ IpcHost bool `json:"IpcHost"`
+
 // linux
 // Required: true
 Linux PluginConfigLinux `json:"Linux"`
diff --git a/docs/extend/config.md b/docs/extend/config.md
index dab755d97b..3fc377f76c 100644
--- a/docs/extend/config.md
+++ b/docs/extend/config.md
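Review bot: The `IpcHost` property in the second api/swagger.yaml hunk is declared with only `type` and `x-nullable`, so the schema never says what setting it to true does. The `PluginConfig.IpcHost` field in api/types/plugin.go, which looks generated from this schema, inherits the same gap with its bare `// ipc host` comment. I would add a line under `IpcHost:` such as `description: "Run the plugin in the host IPC namespace instead of a private one."`, because this flag removes an isolation boundary and API consumers should be able to tell that from the schema alone.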
@@ -115,6 +115,9 @@ Config provides the base accessible fields for working with V0 plugin format options of the mount. +- **`ipchost`** *boolean* + Access to host ipc namespace. + - **`propagatedMount`** *string* path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
diff --git a/plugin/backend_linux.go b/plugin/backend_linux.go
index 380d0ddaff..586ff73dd2 100644
--- a/plugin/backend_linux.go
+++ b/plugin/backend_linux.go
@@ -150,6 +150,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
 Value: []string{c.Network.Type},
 })
 }
+ if c.IpcHost {
+ privileges = append(privileges, types.PluginPrivilege{
+ Name: "host ipc namespace",
+ Description: "allow access to host ipc namespace",
+ Value: []string{"true"},
+ })
+ }
 for _, mount := range c.Mounts {
 if mount.Source != nil {
 privileges = append(privileges, types.PluginPrivilege{
diff --git a/plugin/v2/plugin_linux.go b/plugin/v2/plugin_linux.go
index e980e7f29a..d02716d63b 100644
--- a/plugin/v2/plugin_linux.go
+++ b/plugin/v2/plugin_linux.go
@@ -61,6 +61,10 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
 })
 }

+ if p.PluginObj.Config.IpcHost {
+ oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
+ }
+
 for _, mnt := range mounts {
 m := specs.Mount{
 Destination: mnt.Destination,
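Review bot: In the computePrivileges hunk of plugin/backend_linux.go, `Description: "allow access to host ipc namespace"` only restates the privilege name, yet this entry is what gets reported for a plugin that sets `IpcHost`. A wording that names what is shared, for example `Description: "allow access to host ipc namespace (System V IPC objects and POSIX message queues)"`, lets whoever approves the privilege list judge the exposure. The function starts and ends outside the hunk, so how the list is presented, or compared when a plugin is upgraded, is not visible here.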
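Review bot: The `if p.PluginObj.Config.IpcHost` branch added to InitSpec in plugin/v2/plugin_linux.go removes the plugin's IPC isolation in one uncommented line; a comment like `// No ipc namespace in the spec: the plugin shares the IPC namespace of the process that starts it (the host's).` would make that explicit. The namespace is also spelled as `specs.NamespaceType("ipc")`, where the runtime-spec package's named constant (`specs.IPCNamespace`, if the vendored version has it) would turn a typo into a compile error. InitSpec begins and ends outside the hunk, so I cannot see whether the plugin still gets a private /dev/shm mount; if it does, POSIX shared memory stays separate from the host while System V IPC is shared, which is worth stating in the docs.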