a
/
agola
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

executor: add option to allow privileged containers 

* add a config option allowPrivilegedContainers
* fail task setup if privileged containers are requested but they aren't
allowed.
* report if privileged containers are allowed to the runservice
This commit is contained in:
Simone Gotti 2019-06-13 18:31:08 +02:00
parent b11f53c6c9
commit 0296d594b5
3 changed files with 37 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/services/config/config.go
View File

@ -110,6 +110,8 @@ type Executor struct {
Labels map[string]string `yaml:"labels"` Labels map[string]string `yaml:"labels"`
// ActiveTasksLimit is the max number of concurrent active tasks // ActiveTasksLimit is the max number of concurrent active tasks
ActiveTasksLimit int `yaml:"active_tasks_limit"` ActiveTasksLimit int `yaml:"active_tasks_limit"`
AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
} }
type Configstore struct { type Configstore struct {

34
internal/services/executor/executor.go
View File

@ -695,6 +695,7 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
executor := &types.Executor{ executor := &types.Executor{
ID: e.id, ID: e.id,
Archs: archs, Archs: archs,
AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
ListenURL: e.listenURL, ListenURL: e.listenURL,
Labels: labels, Labels: labels,
ActiveTasksLimit: e.c.ActiveTasksLimit, ActiveTasksLimit: e.c.ActiveTasksLimit,
@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
return err return err
} }
setupLogPath := e.setupLogPath(et.ID)
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
return err
}
outf, err := os.Create(setupLogPath)
if err != nil {
return err
}
defer outf.Close()
// error out if privileged containers are required but not allowed
requiresPrivilegedContainers := false
for _, c := range et.Containers {
if c.Privileged == true {
requiresPrivilegedContainers = true
break
}
}
if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
outf.WriteString("Executor doesn't allow executing privileged containers.\n")
return errors.Errorf("executor doesn't allow executing privileged containers")
}
log.Debugf("starting pod") log.Debugf("starting pod")
dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image}) dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
} }
} }
setupLogPath := e.setupLogPath(et.ID)
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
return err
}
outf, err := os.Create(setupLogPath)
if err != nil {
return err
}
defer outf.Close()
outf.WriteString("Starting pod.\n") outf.WriteString("Starting pod.\n")
pod, err := e.driver.NewPod(ctx, podConfig, outf) pod, err := e.driver.NewPod(ctx, podConfig, outf)
if err != nil { if err != nil {

2
internal/services/runservice/types/types.go
View File

@ -605,6 +605,8 @@ type Executor struct {
Labels map[string]string `json:"labels,omitempty"` Labels map[string]string `json:"labels,omitempty"`
AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
ActiveTasksLimit int `json:"active_tasks_limit,omitempty"` ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
ActiveTasks int `json:"active_tasks,omitempty"` ActiveTasks int `json:"active_tasks,omitempty"`