Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle privileged correctly and don't gate various configs on it #1506

Merged
merged 2 commits into from
Aug 2, 2016
Merged

Handle privileged correctly and don't gate various configs on it #1506

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c2a43d5
remove gating of ipc, user ns and pidmode based on hosts priviledge m…
dadgar Aug 2, 2016
2d66cf0
use priviledge of the config
dadgar Aug 2, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
22 changes: 1 addition & 21 deletions client/driver/docker.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -415,7 +415,7 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
if driverConfig.Privileged && !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent`)
}
hostConfig.Privileged = hostPrivileged
hostConfig.Privileged = driverConfig.Privileged

// set SHM size
if driverConfig.ShmSize != 0 {
Expand All @@ -436,28 +436,8 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task,
hostConfig.DNSSearch = append(hostConfig.DNSSearch, domain)
}

if driverConfig.IpcMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting ipc mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting ipc mode to %s", driverConfig.IpcMode)
}
hostConfig.IpcMode = driverConfig.IpcMode

if driverConfig.PidMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting pid mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting pid mode to %s", driverConfig.PidMode)
}
hostConfig.PidMode = driverConfig.PidMode

if driverConfig.UTSMode != "" {
if !hostPrivileged {
return c, fmt.Errorf(`Docker privileged mode is disabled on this Nomad agent, setting UTS mode not allowed`)
}
d.logger.Printf("[DEBUG] driver.docker: setting UTS mode to %s", driverConfig.UTSMode)
}
hostConfig.UTSMode = driverConfig.UTSMode

hostConfig.NetworkMode = driverConfig.NetworkMode
Expand Down
3 changes: 0 additions & 3 deletions website/source/docs/drivers/docker.html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,9 +304,6 @@ options](/docs/agent/config.html#options):
allow containers to use `privileged` mode, which gives the containers full
access to the host's devices. Note that you must set a similar setting on the
Docker daemon for this to work.
`true` will also allow containers to run with ipc_mode, pid_mode and uts_mode
set to `host`, which gives access to the hosts ipc, pid and UTS namespaces
respectively.

Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,
`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If
Expand Down