Merge pull request #1506 from hashicorp/b-priviledge-gate
Handle privileged correctly and don't gate various configs on it
dadgar committed Aug 2, 2016
2 parents a78d219 + 2d66cf0 commit a2acc52
Showing 2 changed files with 1 addition and 24 deletions.
22 changes: 1 addition & 21 deletions client/driver/docker.go
Expand Up @@ -415,7 +415,7 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
if driverConfig.Privileged && !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent`)
}
hostConfig.Privileged = hostPrivileged
hostConfig.Privileged = driverConfig.Privileged

// set SHM size
if driverConfig.ShmSize != 0 {
Expand All @@ -436,28 +436,8 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
hostConfig.DNSSearch = append(hostConfig.DNSSearch, domain)
}

if driverConfig.IpcMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting ipc mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting ipc mode to %s", driverConfig.IpcMode)
}
hostConfig.IpcMode = driverConfig.IpcMode

if driverConfig.PidMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting pid mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting pid mode to %s", driverConfig.PidMode)
}
hostConfig.PidMode = driverConfig.PidMode

if driverConfig.UTSMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting UTS mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting UTS mode to %s", driverConfig.UTSMode)
}
hostConfig.UTSMode = driverConfig.UTSMode

hostConfig.NetworkMode = driverConfig.NetworkMode
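Review bot: In the second hunk `driverConfig.IpcMode`, `driverConfig.PidMode` and `driverConfig.UTSMode` are now copied into `hostConfig` with no remaining check and no log line, so a task can request a `host` value for any of them regardless of the agent's privileged setting and the agent no longer records that it did. If that is the intended behaviour, the three assignments deserve a comment making the trust decision explicit, e.g. `// ipc/pid/uts modes are passed through ungated; a value of "host" shares the corresponding host namespace with the container.`, and the three `d.logger.Printf("[DEBUG] driver.docker: setting ... mode to %s", ...)` lines could be kept outside the removed privilege check so operators can still see when host namespaces are requested. The docs hunk in website/source/docs/drivers/docker.html.md only deletes the sentence tying these modes to the privileged setting; it would be clearer to state there that they are now always allowed. createContainer begins and ends outside this hunk.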
3 changes: 0 additions & 3 deletions website/source/docs/drivers/docker.html.md
Expand Up @@ -304,9 +304,6 @@ options](/docs/agent/config.html#options):
allow containers to use `privileged` mode, which gives the containers full
access to the host's devices. Note that you must set a similar setting on the
Docker daemon for this to work.
`true` will also allow containers to run with ipc_mode, pid_mode and uts_mode
set to `host`, which gives access to the hosts ipc, pid and UTS namespaces
respectively.

Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,
`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If
