mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add support in plugin config for accessing host ipc namespace.

Plugins might need access to the host ipc namespace. A good use case is
a volume plugin running iscsi multipath commands that need access to
host kernel locks.
Tested with a custom plugin (aragunathan/global-net-plugin-full) that's
built with `"ipchost" : true` in config.json. Observed using
`readlink /proc/self/ns/ipc` that plugin and host have the same ns.

Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Anusha Ragunathan 2017-03-07 18:26:09 -08:00
parent fd3aef5ec2
commit 6d6185c257
5 changed files with 22 additions and 0 deletions


@ -1446,6 +1446,7 @@ definitions:
- Network - Network
- Linux - Linux
- PropagatedMount - PropagatedMount
- IpcHost
- Mounts - Mounts
- Env - Env
- Args - Args
@ -1513,6 +1514,9 @@ definitions:
PropagatedMount: PropagatedMount:
type: "string" type: "string"
x-nullable: false x-nullable: false
IpcHost:
type: "boolean"
x-nullable: false
Mounts: Mounts:
type: "array" type: "array"
items: items:


@ -58,6 +58,10 @@ type PluginConfig struct {
// Required: true // Required: true
Interface PluginConfigInterface `json:"Interface"` Interface PluginConfigInterface `json:"Interface"`
// ipc host
// Required: true
IpcHost bool `json:"IpcHost"`
// linux // linux
// Required: true // Required: true
Linux PluginConfigLinux `json:"Linux"` Linux PluginConfigLinux `json:"Linux"`


@ -115,6 +115,9 @@ Config provides the base accessible fields for working with V0 plugin format
options of the mount. options of the mount.
- **`ipchost`** *boolean*
Access to host ipc namespace.
- **`propagatedMount`** *string* - **`propagatedMount`** *string*
path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins. path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.


@ -150,6 +150,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
Value: []string{c.Network.Type}, Value: []string{c.Network.Type},
}) })
} }
if c.IpcHost {
privileges = append(privileges, types.PluginPrivilege{
Name: "host ipc namespace",
Description: "allow access to host ipc namespace",
Value: []string{"true"},
})
}
for _, mount := range c.Mounts { for _, mount := range c.Mounts {
if mount.Source != nil { if mount.Source != nil {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
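Review bot: The `Description` on the new `host ipc namespace` privilege only restates its name, so a user who is shown this entry when granting privileges learns nothing about what is being shared. Sharing the host IPC namespace exposes the host's System V IPC objects and POSIX message queues to the plugin, and the text could say so: `Description: "allow access to host ipc namespace (System V IPC objects and POSIX message queues)",`. No test in this commit covers the new branch; a case asserting that a config with `IpcHost: true` yields this privilege would keep the consent entry from being dropped unnoticed. computePrivileges starts and ends outside the hunk.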


@ -61,6 +61,10 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
}) })
} }
if p.PluginObj.Config.IpcHost {
oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
}
for _, mnt := range mounts { for _, mnt := range mounts {
m := specs.Mount{ m := specs.Mount{
Destination: mnt.Destination, Destination: mnt.Destination,
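Review bot: The `IpcHost` branch removes an isolation boundary without a comment, and the effect of `oci.RemoveNamespace` is not obvious at the call site: with no `ipc` entry in the spec the runtime creates no new IPC namespace, so the plugin runs in the host's. A one-line comment such as `// No ipc entry in the spec: the plugin shares the host IPC namespace.` above the call would make that explicit. If the vendored runtime-spec package exposes a named constant for the ipc namespace type, using it instead of the cast `specs.NamespaceType("ipc")` would guard against a misspelt string; presumably RemoveNamespace does nothing when no entry matches, which would leave the namespace in place silently — worth confirming. InitSpec starts and ends outside the hunk.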