Tested using global-net-plugin-ipc which sets PidHost in config.json.
Plugins might need access to host pid namespace. Add support for that.
Tested using aragunathan/global-net-plugin-ipc which sets "pidhost" in
config.json. Observed, using `readlink /proc/self/ns/pid`, that the plugin and the host share the same pid namespace.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
| ... | ... |
@@ -1445,6 +1445,7 @@ definitions: |
| 1445 | 1445 |
- WorkDir |
| 1446 | 1446 |
- Network |
| 1447 | 1447 |
- Linux |
| 1448 |
+ - PidHost |
|
| 1448 | 1449 |
- PropagatedMount |
| 1449 | 1450 |
- IpcHost |
| 1450 | 1451 |
- Mounts |
| ... | ... |
@@ -1517,6 +1518,9 @@ definitions: |
| 1517 | 1517 |
IpcHost: |
| 1518 | 1518 |
type: "boolean" |
| 1519 | 1519 |
x-nullable: false |
| 1520 |
+ PidHost: |
|
| 1521 |
+ type: "boolean" |
|
| 1522 |
+ x-nullable: false |
|
| 1520 | 1523 |
Mounts: |
| 1521 | 1524 |
type: "array" |
| 1522 | 1525 |
items: |
| ... | ... |
@@ -74,6 +74,10 @@ type PluginConfig struct {
|
| 74 | 74 |
// Required: true |
| 75 | 75 |
Network PluginConfigNetwork `json:"Network"` |
| 76 | 76 |
|
| 77 |
+ // pid host |
|
| 78 |
+ // Required: true |
|
| 79 |
+ PidHost bool `json:"PidHost"` |
|
| 80 |
+ |
|
| 77 | 81 |
// propagated mount |
| 78 | 82 |
// Required: true |
| 79 | 83 |
PropagatedMount string `json:"PropagatedMount"` |
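Review bot: The comment on the new field (new-side lines 77–78) says only `// pid host` and `// Required: true`, which tells a reader nothing about what setting it grants. Since this is the type users and tooling read, state the effect: `// PidHost, when true, runs the plugin in the host's pid namespace; this is surfaced as a privilege the user must accept (see computePrivileges).` If this file is generated from the swagger definition, the wording belongs in a `description:` on the `PidHost` property there so the regenerated comment carries it. The `PluginConfig` struct starts and ends outside the hunk.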
| ... | ... |
@@ -117,6 +117,8 @@ Config provides the base accessible fields for working with V0 plugin format |
| 117 | 117 |
|
| 118 | 118 |
- **`ipchost`** *boolean* |
| 119 | 119 |
Access to host ipc namespace. |
| 120 |
+- **`pidhost`** *boolean* |
|
| 121 |
+ Access to host pid namespace. |
|
| 120 | 122 |
|
| 121 | 123 |
- **`propagatedMount`** *string* |
| 122 | 124 |
|
| ... | ... |
@@ -157,6 +157,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
|
| 157 | 157 |
Value: []string{"true"},
|
| 158 | 158 |
}) |
| 159 | 159 |
} |
| 160 |
+ if c.PidHost {
|
|
| 161 |
+ privileges = append(privileges, types.PluginPrivilege{
|
|
| 162 |
+ Name: "host pid namespace", |
|
| 163 |
+ Description: "allow access to host pid namespace", |
|
| 164 |
+ Value: []string{"true"},
|
|
| 165 |
+ }) |
|
| 166 |
+ } |
|
| 160 | 167 |
for _, mount := range c.Mounts {
|
| 161 | 168 |
if mount.Source != nil {
|
| 162 | 169 |
privileges = append(privileges, types.PluginPrivilege{
|
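Review bot: The `Description` string on new-side line 163 is the text a user is asked to accept when granting the privilege, and "allow access to host pid namespace" does not say what that access implies; a plugin sharing the host's pid namespace can see the host's processes, so consider `Description: "allow access to host pid namespace (plugin can see host processes)",`. The new block is a copy of the IpcHost block whose tail is visible at lines 157–159 with only the strings changed; a small helper taking name and description would keep the two in step. `computePrivileges` begins and ends outside the hunk.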
| ... | ... |
@@ -60,6 +60,9 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
|
| 60 | 60 |
Options: []string{"rbind", "ro"},
|
| 61 | 61 |
}) |
| 62 | 62 |
} |
| 63 |
+ if p.PluginObj.Config.PidHost {
|
|
| 64 |
+ oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
|
|
| 65 |
+ } |
|
| 63 | 66 |
|
| 64 | 67 |
if p.PluginObj.Config.IpcHost {
|
| 65 | 68 |
oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
|
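Review bot: `specs.NamespaceType("pid")` on new-side line 64 builds the namespace type from an untyped string, so a typo would still compile and likely leave the namespace in place; the runtime-spec package exposes a typed constant, `oci.RemoveNamespace(&s, specs.PIDNamespace)`. The existing ipc line at new-side 68 uses the same string form, so either switch both or note why the string form is kept. Nothing in this hunk checks that the `PidHost` privilege was actually granted; presumably that happens at install time from the privileges computed elsewhere in this commit, and a one-line comment saying so, `// PidHost is a privilege the user accepted at install; the spec trusts the stored config`, would save the next reader a search. `InitSpec` continues past the end of the hunk.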