drivers/exec: pass capabilities through executor RPC

Add capabilities to the LaunchRequest proto so that the capabilities set actually gets plumbed all the way through to task launch.
hashicorp · May 16, 2021 · 1b382f5 · 1b382f5
1 parent a442349
commit 1b382f5
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 68 deletions.
diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go
@@ -479,6 +479,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	if err != nil {
 		return nil, nil, err
 	}
+	d.logger.Debug("task capabilities", "capabilities", caps)
 
 	execCmd := &executor.ExecCommand{
 		Cmd:              driverConfig.Command,

diff --git a/drivers/java/driver.go b/drivers/java/driver.go
@@ -491,6 +491,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	if err != nil {
 		return nil, nil, err
 	}
+	d.logger.Debug("task capabilities", "capabilities", caps)
 
 	execCmd := &executor.ExecCommand{
 		Cmd:              absPath,

diff --git a/drivers/shared/executor/client.go b/drivers/shared/executor/client.go
@@ -47,6 +47,7 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) {
 		NetworkIsolation:   drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation),
 		DefaultPidMode:     cmd.ModePID,
 		DefaultIpcMode:     cmd.ModeIPC,
+		Capabilities:       cmd.Capabilities,
 	}
 	resp, err := c.client.Launch(ctx, req)
 	if err != nil {

diff --git a/drivers/shared/executor/executor.go b/drivers/shared/executor/executor.go
@@ -92,6 +92,10 @@ type Executor interface {
 
 // ExecCommand holds the user command, args, and other isolation related
 // settings.
+//
+// Important (!): when adding fields, make sure to update the RPC methods in
+// grpcExecutorClient.Launch and grpcExecutorServer.Launch. Number of hours
+// spent tracking this down: too many.
 type ExecCommand struct {
 	// Cmd is the command that the user wants to run.
 	Cmd string

diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
@@ -534,7 +534,6 @@ func (l *LibcontainerExecutor) handleExecWait(ch chan *waitResult, process *libc
 }
 
 func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) {
-
 	switch command.User {
 	case "root":
 		// when running as root, use the legacy set of system capabilities, so

diff --git a/drivers/shared/executor/proto/executor.pb.go b/drivers/shared/executor/proto/executor.pb.go
diff --git a/drivers/shared/executor/proto/executor.proto b/drivers/shared/executor/proto/executor.proto
@@ -46,6 +46,7 @@ message LaunchRequest {
     string default_ipc_mode = 16;
     string cpuset_cgroup = 17;
     repeated string allow_caps = 18;
+    repeated string capabilities = 19;
 }
 
 message LaunchResponse {

diff --git a/drivers/shared/executor/server.go b/drivers/shared/executor/server.go
@@ -37,6 +37,7 @@ func (s *grpcExecutorServer) Launch(ctx context.Context, req *proto.LaunchReques
 		NetworkIsolation:   drivers.NetworkIsolationSpecFromProto(req.NetworkIsolation),
 		ModePID:            req.DefaultPidMode,
 		ModeIPC:            req.DefaultIpcMode,
+		Capabilities:       req.Capabilities,
 	})
 
 	if err != nil {