executor: add option to allow privileged containers

* add a config option allowPrivilegedContainers
* fail task setup if privileged containers are requested but they aren't
allowed.
* report to the runservice whether the executor allows privileged containers
This commit is contained in:
Simone Gotti 2019-06-13 18:31:08 +02:00
parent b11f53c6c9
commit 0296d594b5
3 changed files with 37 additions and 19 deletions


@ -110,6 +110,8 @@ type Executor struct {
Labels map[string]string `yaml:"labels"` Labels map[string]string `yaml:"labels"`
// ActiveTasksLimit is the max number of concurrent active tasks // ActiveTasksLimit is the max number of concurrent active tasks
ActiveTasksLimit int `yaml:"active_tasks_limit"` ActiveTasksLimit int `yaml:"active_tasks_limit"`
AllowPrivilegedContainers bool `yaml:"allowPrivilegedContainers"`
} }
type Configstore struct { type Configstore struct {
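Review bot: The new `AllowPrivilegedContainers` field uses a camelCase yaml key while its siblings in this struct (`active_tasks_limit`, `labels`) use snake_case, and unlike `ActiveTasksLimit` it carries no doc comment stating the default. Since the key is introduced by this commit, renaming it now costs nothing, whereas renaming later breaks existing executor configs. I would write `// AllowPrivilegedContainers lets this executor run tasks that request privileged containers. The zero value (false) refuses them.` above the field and change the tag to `AllowPrivilegedContainers bool \`yaml:"allow_privileged_containers"\``. The fail-closed default is the security-relevant property here and deserves to be stated explicitly, as it is the only thing protecting hosts where the option is simply absent.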


@ -693,15 +693,16 @@ func (e *Executor) sendExecutorStatus(ctx context.Context) error {
} }
executor := &types.Executor{ executor := &types.Executor{
ID: e.id, ID: e.id,
Archs: archs, Archs: archs,
ListenURL: e.listenURL, AllowPrivilegedContainers: e.c.AllowPrivilegedContainers,
Labels: labels, ListenURL: e.listenURL,
ActiveTasksLimit: e.c.ActiveTasksLimit, Labels: labels,
ActiveTasks: activeTasks, ActiveTasksLimit: e.c.ActiveTasksLimit,
Dynamic: e.dynamic, ActiveTasks: activeTasks,
ExecutorGroup: executorGroup, Dynamic: e.dynamic,
SiblingsExecutors: siblingsExecutors, ExecutorGroup: executorGroup,
SiblingsExecutors: siblingsExecutors,
} }
log.Debugf("send executor status: %s", util.Dump(executor)) log.Debugf("send executor status: %s", util.Dump(executor))
@ -834,6 +835,29 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
return err return err
} }
setupLogPath := e.setupLogPath(et.ID)
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
return err
}
outf, err := os.Create(setupLogPath)
if err != nil {
return err
}
defer outf.Close()
// error out if privileged containers are required but not allowed
requiresPrivilegedContainers := false
for _, c := range et.Containers {
if c.Privileged == true {
requiresPrivilegedContainers = true
break
}
}
if requiresPrivilegedContainers == true && e.c.AllowPrivilegedContainers == false {
outf.WriteString("Executor doesn't allow executing privileged containers.\n")
return errors.Errorf("executor doesn't allow executing privileged containers")
}
log.Debugf("starting pod") log.Debugf("starting pod")
dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image}) dockerConfig, err := registry.GenDockerConfig(et.DockerRegistriesAuth, []string{et.Containers[0].Image})
@ -869,16 +893,6 @@ func (e *Executor) setupTask(ctx context.Context, rt *runningTask) error {
} }
} }
setupLogPath := e.setupLogPath(et.ID)
if err := os.MkdirAll(filepath.Dir(setupLogPath), 0770); err != nil {
return err
}
outf, err := os.Create(setupLogPath)
if err != nil {
return err
}
defer outf.Close()
outf.WriteString("Starting pod.\n") outf.WriteString("Starting pod.\n")
pod, err := e.driver.NewPod(ctx, podConfig, outf) pod, err := e.driver.NewPod(ctx, podConfig, outf)
if err != nil { if err != nil {
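Review bot: In the setupTask hunk, the gate only inspects `c.Privileged`; if the container spec carries other fields that grant comparable host access (host mounts, added capabilities — not visible in this hunk), those bypass the new check, so the gate is only as complete as the driver's notion of "privileged" and a comment saying so would help the next maintainer. The same block also ignores the return of `outf.WriteString`, so the user-facing reason may never reach the setup log while the task still fails, and the `== true`/`== false` comparisons are not idiomatic Go. I would write the condition as `if requiresPrivilegedContainers && !e.c.AllowPrivilegedContainers {` and check the write with `if _, err := outf.WriteString("Executor doesn't allow executing privileged containers.\n"); err != nil { return err }`. Because the executor now advertises `AllowPrivilegedContainers` in sendExecutorStatus, the runservice can presumably avoid scheduling privileged tasks here; the executor-side refusal should still be treated as the authoritative check, not the scheduler's placement. setupTask begins before and continues past the hunks shown.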


@ -605,6 +605,8 @@ type Executor struct {
Labels map[string]string `json:"labels,omitempty"` Labels map[string]string `json:"labels,omitempty"`
AllowPrivilegedContainers bool `json:"allow_privileged_containers,omitempty"`
ActiveTasksLimit int `json:"active_tasks_limit,omitempty"` ActiveTasksLimit int `json:"active_tasks_limit,omitempty"`
ActiveTasks int `json:"active_tasks,omitempty"` ActiveTasks int `json:"active_tasks,omitempty"`