executor: add option to allow privileged containers

* add a config option allowPrivilegedContainers * fail task setup if privileged containers are requested but they aren't allowed. * report if privileged containers are allowed to the runservice
2019-06-13 18:31:08 +02:00 · 2019-06-13 18:31:08 +02:00 · 0296d594b5
parent b11f53c6c9
commit 0296d594b5
3 changed files with 37 additions and 19 deletions
--- a/internal/services/config/config.go
+++ b/internal/services/config/config.go
@ -110,6 +110,8 @@ type Executor struct {
 	Labels map[string]string `yaml:"labels"`
 	// ActiveTasksLimit is the max number of concurrent active tasks
 	ActiveTasksLimit int `yaml:"active_tasks_limit"`
+
+	AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
 }

 type Configstore struct {
--- a/internal/services/executor/executor.go
+++ b/internal/services/executor/executor.go
@ -693,15 +693,16 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
 	}

 	executor := &types.Executor{
-		ID:                e.id,
-		Archs:             archs,
-		ListenURL:         e.listenURL,
-		Labels:            labels,
-		ActiveTasksLimit:  e.c.ActiveTasksLimit,
-		ActiveTasks:       activeTasks,
-		Dynamic:           e.dynamic,
-		ExecutorGroup:     executorGroup,
-		SiblingsExecutors: siblingsExecutors,
+		ID:                        e.id,
+		Archs:                     archs,
+		AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
+		ListenURL:                 e.listenURL,
+		Labels:                    labels,
+		ActiveTasksLimit:          e.c.ActiveTasksLimit,
+		ActiveTasks:               activeTasks,
+		Dynamic:                   e.dynamic,
+		ExecutorGroup:             executorGroup,
+		SiblingsExecutors:         siblingsExecutors,
 	}

 	log.Debugf("send executor status: %s", util.Dump(executor))
@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
 		return err
 	}

+	setupLogPath := e.setupLogPath(et.ID)
+	if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
+		return err
+	}
+	outf, err := os.Create(setupLogPath)
+	if err != nil {
+		return err
+	}
+	defer outf.Close()
+
+	// error out if privileged containers are required but not allowed
+	requiresPrivilegedContainers := false
+	for _, c := range et.Containers {
+		if c.Privileged == true {
+			requiresPrivilegedContainers = true
+			break
+		}
+	}
+	if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
+		outf.WriteString("Executor doesn't allow executing privileged containers.\n")
+		return errors.Errorf("executor doesn't allow executing privileged containers")
+	}
+
 	log.Debugf("starting pod")

 	dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
 		}
 	}

-	setupLogPath := e.setupLogPath(et.ID)
-	if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
-		return err
-	}
-	outf, err := os.Create(setupLogPath)
-	if err != nil {
-		return err
-	}
-	defer outf.Close()
-
 	outf.WriteString("Starting pod.\n")
 	pod, err := e.driver.NewPod(ctx, podConfig, outf)
 	if err != nil {
--- a/internal/services/runservice/types/types.go
+++ b/internal/services/runservice/types/types.go
@ -605,6 +605,8 @@ type Executor struct {

 	Labels map[string]string `json:"labels,omitempty"`

+	AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
+
 	ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
 	ActiveTasks      int `json:"active_tasks,omitempty"`