executor: add option to allow privileged containers
* add a config option allowPrivilegedContainers. * fail task setup if privileged containers are requested but aren't allowed. * report to the runservice whether privileged containers are allowed.
parent
b11f53c6c9
commit
0296d594b5
|
@ -110,6 +110,8 @@ type Executor struct {
|
||||||
Labels map[string]string `yaml:"labels"`
|
Labels map[string]string `yaml:"labels"`
|
||||||
// ActiveTasksLimit is the max number of concurrent active tasks
|
// ActiveTasksLimit is the max number of concurrent active tasks
|
||||||
ActiveTasksLimit int `yaml:"active_tasks_limit"`
|
ActiveTasksLimit int `yaml:"active_tasks_limit"`
|
||||||
|
|
||||||
|
AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type Configstore struct {
|
type Configstore struct {
|
||||||
|
|
|
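Review bot: The yaml tag on the new `AllowPrivilegedContainers` config field is camelCase while the neighbouring keys are snake_case (`labels`, `active_tasks_limit`), so an operator who follows the existing naming and writes `allow_privileged_containers` may find the option silently stays at its false default. Unless the camelCase key is already documented somewhere, I would change the tag value to `allow_privileged_containers`, which also matches the json tag the same commit adds to types.Executor. The exported field should also get a comment in the style of ActiveTasksLimit, e.g. `// AllowPrivilegedContainers lets this executor run tasks whose containers set Privileged; defaults to false.`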
@ -695,6 +695,7 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
|
||||||
executor := &types.Executor{
|
executor := &types.Executor{
|
||||||
ID: e.id,
|
ID: e.id,
|
||||||
Archs: archs,
|
Archs: archs,
|
||||||
|
AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
|
||||||
ListenURL: e.listenURL,
|
ListenURL: e.listenURL,
|
||||||
Labels: labels,
|
Labels: labels,
|
||||||
ActiveTasksLimit: e.c.ActiveTasksLimit,
|
ActiveTasksLimit: e.c.ActiveTasksLimit,
|
||||||
|
@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
setupLogPath := e.setupLogPath(et.ID)
|
||||||
|
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
outf, err := os.Create(setupLogPath)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer outf.Close()
|
||||||
|
|
||||||
|
// error out if privileged containers are required but not allowed
|
||||||
|
requiresPrivilegedContainers := false
|
||||||
|
for _, c := range et.Containers {
|
||||||
|
if c.Privileged == true {
|
||||||
|
requiresPrivilegedContainers = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
|
||||||
|
outf.WriteString("Executor doesn't allow executing privileged containers.\n")
|
||||||
|
return errors.Errorf("executor doesn't allow executing privileged containers")
|
||||||
|
}
|
||||||
|
|
||||||
log.Debugf("starting pod")
|
log.Debugf("starting pod")
|
||||||
|
|
||||||
dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
|
dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
|
||||||
|
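Review bot: The new gate compares booleans against literals on the `if c.Privileged == true` and `if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false` lines; idiomatic Go is `if c.Privileged {` and `if requiresPrivilegedContainers && !e.c.AllowPrivilegedContainers {`. The `outf.WriteString(...)` in the rejection branch discards its error, which mirrors the existing `outf.WriteString("Starting pod.\n")` but is worth an explicit `_ =` or a check, since the setup log is the only place the user sees why the task was refused. Note that the gate keys solely on `c.Privileged`; if the container spec carries other fields that widen a container's privileges, they are not covered by this check. setupTask begins and ends outside this hunk.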
@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
setupLogPath := e.setupLogPath(et.ID)
|
|
||||||
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
outf, err := os.Create(setupLogPath)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
defer outf.Close()
|
|
||||||
|
|
||||||
outf.WriteString("Starting pod.\n")
|
outf.WriteString("Starting pod.\n")
|
||||||
pod, err := e.driver.NewPod(ctx, podConfig, outf)
|
pod, err := e.driver.NewPod(ctx, podConfig, outf)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -605,6 +605,8 @@ type Executor struct {
|
||||||
|
|
||||||
Labels map[string]string `json:"labels,omitempty"`
|
Labels map[string]string `json:"labels,omitempty"`
|
||||||
|
|
||||||
|
AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
|
||||||
|
|
||||||
ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
|
ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
|
||||||
ActiveTasks int `json:"active_tasks,omitempty"`
|
ActiveTasks int `json:"active_tasks,omitempty"`
|
||||||
|
|
||||||
|
|
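Review bot: The new exported `AllowPrivilegedContainers` field on types.Executor has no doc comment, and because of `omitempty` a false value is simply absent from the JSON the executor reports, so readers of this type need to know that absence means "not allowed". A comment such as `// AllowPrivilegedContainers reports whether the executor accepts tasks with privileged containers; omitted from JSON when false.` above the field would cover both points. The enclosing struct is declared outside this hunk.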