From 0296d594b5f37c2cc8414080c0c32aa7b55dc5e3 Mon Sep 17 00:00:00 2001
From: Simone Gotti
Date: Thu, 13 Jun 2019 18:31:08 +0200
Subject: [PATCH] executor: add option to allow privileged containers
* add a config option allowPrivilegedContainers
* fail task setup if privileged containers are requested but they aren't allowed.
* report if privileged containers are allowed to the runservice
---
 internal/services/config/config.go | 2 +
 internal/services/executor/executor.go | 52 +++++++++++++--------
 internal/services/runservice/types/types.go | 2 +
 3 files changed, 37 insertions(+), 19 deletions(-)
diff --git a/internal/services/config/config.go b/internal/services/config/config.go
index a50d751..2a098b4 100644
--- a/internal/services/config/config.go
+++ b/internal/services/config/config.go
@@ -110,6 +110,8 @@ type Executor struct {
 Labels map[string]string `yaml:"labels"`
 // ActiveTasksLimit is the max number of concurrent active tasks
 ActiveTasksLimit int `yaml:"active_tasks_limit"`
+
+ AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
 }
 type Configstore struct {
diff --git a/internal/services/executor/executor.go b/internal/services/executor/executor.go
index a6e50f9..4c7559d 100644
--- a/internal/services/executor/executor.go
+++ b/internal/services/executor/executor.go
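Review bot: The new field's tag `yaml:"allowPrivilegedContainers"` is camelCase while the sibling keys in the same struct are snake_case (`labels`, `active_tasks_limit`), so the config key should read `yaml:"allow_privileged_containers"` unless the camelCase spelling is deliberate; since config keys are hard to rename once operators depend on them, this is worth settling in this commit. The field also lacks the doc comment its neighbour ActiveTasksLimit has; suggested: `// AllowPrivilegedContainers permits tasks that request privileged containers; when false (the default) setup of such tasks fails.` The false-by-default zero value is the right fail-closed choice and should be kept.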
@@ -693,15 +693,16 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
 }
 executor := &types.Executor{
- ID: e.id,
- Archs: archs,
- ListenURL: e.listenURL,
- Labels: labels,
- ActiveTasksLimit: e.c.ActiveTasksLimit,
- ActiveTasks: activeTasks,
- Dynamic: e.dynamic,
- ExecutorGroup: executorGroup,
- SiblingsExecutors: siblingsExecutors,
+ ID: e.id,
+ Archs: archs,
+ AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
+ ListenURL: e.listenURL,
+ Labels: labels,
+ ActiveTasksLimit: e.c.ActiveTasksLimit,
+ ActiveTasks: activeTasks,
+ Dynamic: e.dynamic,
+ ExecutorGroup: executorGroup,
+ SiblingsExecutors: siblingsExecutors,
 }
 log.Debugf("send executor status: %s", util.Dump(executor))
@@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
 return err
 }
+ setupLogPath := e.setupLogPath(et.ID)
+ if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
+ return err
+ }
+ outf, err := os.Create(setupLogPath)
+ if err != nil {
+ return err
+ }
+ defer outf.Close()
+
+ // error out if privileged containers are required but not allowed
+ requiresPrivilegedContainers := false
+ for _, c := range et.Containers {
+ if c.Privileged == true {
+ requiresPrivilegedContainers = true
+ break
+ }
+ }
+ if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
+ outf.WriteString("Executor doesn't allow executing privileged containers.\n")
+ return errors.Errorf("executor doesn't allow executing privileged containers")
+ }
+
 log.Debugf("starting pod")
 dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
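Review bot: The new gate in setupTask compares booleans against literals, `if c.Privileged == true {` and `if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {`; write them as `if c.Privileged {` and `if requiresPrivilegedContainers && !e.c.AllowPrivilegedContainers {`, which is what staticcheck expects. Refusing inside setupTask, before NewPod, is the right design: the executor fails closed even if the runservice disregards the AllowPrivilegedContainers value it now receives from sendExecutorStatus, so scheduling is only an optimisation and this check is the enforcement point — worth saying in the comment, e.g. `// refuse here regardless of what the runservice scheduled: this executor is the enforcement point`. The check inspects only Privileged; whether the container spec carries other fields granting equivalent host access cannot be told from this hunk, and any such field would need the same gate. setupTask begins and ends outside the hunk.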
@@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
 }
 }
- setupLogPath := e.setupLogPath(et.ID)
- if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
- return err
- }
- outf, err := os.Create(setupLogPath)
- if err != nil {
- return err
- }
- defer outf.Close()
-
 outf.WriteString("Starting pod.\n")
 pod, err := e.driver.NewPod(ctx, podConfig, outf)
 if err != nil {
diff --git a/internal/services/runservice/types/types.go b/internal/services/runservice/types/types.go
index de8f7bf..337838c 100644
--- a/internal/services/runservice/types/types.go
+++ b/internal/services/runservice/types/types.go
@@ -605,6 +605,8 @@ type Executor struct {
 Labels map[string]string `json:"labels,omitempty"`
+ AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
+
 ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
 ActiveTasks int `json:"active_tasks,omitempty"`