From c2a43d5540acf2a80ae583e3901ec8bb26f25da4 Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Tue, 2 Aug 2016 16:02:34 -0700
Subject: [PATCH 1/2] remove gating of ipc, user ns and pidmode based on hosts priviledge mode config

---
 client/driver/docker.go | 20 --------------------
 website/source/docs/drivers/docker.html.md | 3 ---
 2 files changed, 23 deletions(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index 9bb277e7e02b..99f626e37b36 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -436,28 +436,8 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
 		hostConfig.DNSSearch = append(hostConfig.DNSSearch, domain)
 	}
 
-	if driverConfig.IpcMode != "" {
-		if !hostPrivileged {
-			return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting ipc mode not allowed`)
-		}
-		d.logger.Printf("[DEBUG] driver.docker: setting ipc mode to %s", driverConfig.IpcMode)
-	}
 	hostConfig.IpcMode = driverConfig.IpcMode
-
-	if driverConfig.PidMode != "" {
-		if !hostPrivileged {
-			return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting pid mode not allowed`)
-		}
-		d.logger.Printf("[DEBUG] driver.docker: setting pid mode to %s", driverConfig.PidMode)
-	}
 	hostConfig.PidMode = driverConfig.PidMode
-
-	if driverConfig.UTSMode != "" {
-		if !hostPrivileged {
-			return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting UTS mode not allowed`)
-		}
-		d.logger.Printf("[DEBUG] driver.docker: setting UTS mode to %s", driverConfig.UTSMode)
-	}
 	hostConfig.UTSMode = driverConfig.UTSMode
 
 	hostConfig.NetworkMode = driverConfig.NetworkMode
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index dab1a2306228..d17c9af3d1b4 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
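Review bot: After this hunk `hostConfig.IpcMode`, `hostConfig.PidMode` and `hostConfig.UTSMode` are copied straight from the task's config with no check at all, so a job can ask for `host` for any of them on a client whose operator has left `hostPrivileged` off, and the agent no longer has any say in it. Sharing the host PID or IPC namespace is not the same as privileged mode, but the sentence deleted from the docs in the next hunk described it as a comparable widening of what a container can see, and that trust decision now rests entirely with the job author. If the intent is that these modes should not depend on the privileged switch, they deserve their own operator-facing opt-in; at minimum the dropped log lines should survive so the choice is visible in the agent log, e.g. `if driverConfig.PidMode != "" { d.logger.Printf("[DEBUG] driver.docker: setting pid mode to %s", driverConfig.PidMode) }` and likewise for the ipc and UTS modes. The commit subject says "user ns" while the hunk touches UTSMode, not user namespaces, which is worth correcting before merge. createContainer starts and continues outside this hunk.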
@@ -304,9 +304,6 @@ options](/docs/agent/config.html#options): allow containers to use `privileged` mode, which gives the containers full access to the host's devices. Note that you must set a similar setting on the Docker daemon for this to work. - `true` will also allow containers to run with ipc_mode, pid_mode and uts_mode - set to `host`, which gives access to the hosts ipc, pid and UTS namespaces - respectively. Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`, `DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If
From 2d66cf0a7c31ee22b67f10bccbe74d0627458fae Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Tue, 2 Aug 2016 16:10:15 -0700
Subject: [PATCH 2/2] use priviledge of the config

---
 client/driver/docker.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index 99f626e37b36..3b63989173f0 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -415,7 +415,7 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
 	if driverConfig.Privileged && !hostPrivileged {
 		return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent`)
 	}
-	hostConfig.Privileged = hostPrivileged
+	hostConfig.Privileged = driverConfig.Privileged
 
 	// set SHM size
 	if driverConfig.ShmSize != 0 {
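Review bot: The corrected line `hostConfig.Privileged = driverConfig.Privileged` is right, but nothing in the series pins it: the old line made every container on a client with `hostPrivileged` set run privileged whether or not the job asked for it, and that is exactly the regression a small driver test would catch — build the host config with `hostPrivileged` true and a task config that leaves `Privileged` unset, then assert `hostConfig.Privileged` is false, and the mirror case where it is requested. With the first patch of the series applied, the `driverConfig.Privileged && !hostPrivileged` check just above is now the only place `hostPrivileged` gates anything, so a brief comment there saying so would stop the next reader from looking for the namespace-mode checks that used to follow. createContainer continues outside this hunk.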