executor: add option to allow privileged containers
* add a config option allowPrivilegedContainers * fail task setup if privileged containers are requested but they aren't allowed. * report if privileged containers are allowed to the runservice
This commit is contained in:
parent
b11f53c6c9
commit
0296d594b5
@ -110,6 +110,8 @@ type Executor struct {
|
||||
Labels map[string]string `yaml:"labels"`
|
||||
// ActiveTasksLimit is the max number of concurrent active tasks
|
||||
ActiveTasksLimit int `yaml:"active_tasks_limit"`
|
||||
|
||||
AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
|
||||
}
|
||||
|
||||
type Configstore struct {
|
||||
|
@ -693,15 +693,16 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
|
||||
}
|
||||
|
||||
executor := &types.Executor{
|
||||
ID: e.id,
|
||||
Archs: archs,
|
||||
ListenURL: e.listenURL,
|
||||
Labels: labels,
|
||||
ActiveTasksLimit: e.c.ActiveTasksLimit,
|
||||
ActiveTasks: activeTasks,
|
||||
Dynamic: e.dynamic,
|
||||
ExecutorGroup: executorGroup,
|
||||
SiblingsExecutors: siblingsExecutors,
|
||||
ID: e.id,
|
||||
Archs: archs,
|
||||
AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
|
||||
ListenURL: e.listenURL,
|
||||
Labels: labels,
|
||||
ActiveTasksLimit: e.c.ActiveTasksLimit,
|
||||
ActiveTasks: activeTasks,
|
||||
Dynamic: e.dynamic,
|
||||
ExecutorGroup: executorGroup,
|
||||
SiblingsExecutors: siblingsExecutors,
|
||||
}
|
||||
|
||||
log.Debugf("send executor status: %s", util.Dump(executor))
|
||||
@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
|
||||
return err
|
||||
}
|
||||
|
||||
setupLogPath := e.setupLogPath(et.ID)
|
||||
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
|
||||
return err
|
||||
}
|
||||
outf, err := os.Create(setupLogPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer outf.Close()
|
||||
|
||||
// error out if privileged containers are required but not allowed
|
||||
requiresPrivilegedContainers := false
|
||||
for _, c := range et.Containers {
|
||||
if c.Privileged == true {
|
||||
requiresPrivilegedContainers = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
|
||||
outf.WriteString("Executor doesn't allow executing privileged containers.\n")
|
||||
return errors.Errorf("executor doesn't allow executing privileged containers")
|
||||
}
|
||||
|
||||
log.Debugf("starting pod")
|
||||
|
||||
dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
|
||||
@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
|
||||
}
|
||||
}
|
||||
|
||||
setupLogPath := e.setupLogPath(et.ID)
|
||||
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
|
||||
return err
|
||||
}
|
||||
outf, err := os.Create(setupLogPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer outf.Close()
|
||||
|
||||
outf.WriteString("Starting pod.\n")
|
||||
pod, err := e.driver.NewPod(ctx, podConfig, outf)
|
||||
if err != nil {
|
||||
|
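Review bot: The yaml tag on the new `AllowPrivilegedContainers` field in the `type Executor struct` hunk is camelCase (`allowPrivilegedContainers`) while the neighbouring key on the same struct (`active_tasks_limit`) and the json tag added to the types file (`allow_privileged_containers`) are snake_case, so an operator who writes the key in the style of the rest of the config will most likely have it ignored (unless the loader rejects unknown keys) and the setting stays at its default of false. The field is also the only one in that hunk without a doc comment, although `ActiveTasksLimit` directly above it has one. I'd change the two lines to `// AllowPrivilegedContainers permits tasks that request privileged containers.` followed by `AllowPrivilegedContainers bool` with the tag `yaml:"allow_privileged_containers"`, or note the deviation if the camelCase key is intentional. As a point of style in the setupTask hunk, `if c.Privileged == true` and `if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false` read more idiomatically as `if c.Privileged` and `if requiresPrivilegedContainers && !e.c.AllowPrivilegedContainers`; setupTask starts and ends outside the hunk.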
@ -605,6 +605,8 @@ type Executor struct {
|
||||
|
||||
Labels map[string]string `json:"labels,omitempty"`
|
||||
|
||||
AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
|
||||
|
||||
ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
|
||||
ActiveTasks int `json:"active_tasks,omitempty"`
|
||||
|
||||
|
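Review bot: The new `AllowPrivilegedContainers` field on `types.Executor` carries no doc comment, and with `omitempty` on a bool the false case disappears from the JSON entirely, so a reader of the type has no hint what an absent key means. Since this is the capability the executor reports to the runservice and the executor fails task setup when it is false, I'd add `// AllowPrivilegedContainers reports whether this executor accepts tasks that request privileged containers; false (omitted in JSON) means such tasks fail at setup on it.` above the field.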