Plugins might need access to the host IPC namespace. A good use case is
a volume plugin running iSCSI multipath commands that need access to
host kernel locks.
Tested with a custom plugin (aragunathan/global-net-plugin-full) that's
built with `"ipchost" : true` in config.json. Observed using
`readlink /proc/self/ns/ipc` that plugin and host have the same ns.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
| ... | ... |
@@ -1446,6 +1446,7 @@ definitions: |
| 1446 | 1446 |
- Network |
| 1447 | 1447 |
- Linux |
| 1448 | 1448 |
- PropagatedMount |
| 1449 |
+ - IpcHost |
|
| 1449 | 1450 |
- Mounts |
| 1450 | 1451 |
- Env |
| 1451 | 1452 |
- Args |
| ... | ... |
@@ -1513,6 +1514,9 @@ definitions: |
| 1513 | 1513 |
PropagatedMount: |
| 1514 | 1514 |
type: "string" |
| 1515 | 1515 |
x-nullable: false |
| 1516 |
+ IpcHost: |
|
| 1517 |
+ type: "boolean" |
|
| 1518 |
+ x-nullable: false |
|
| 1516 | 1519 |
Mounts: |
| 1517 | 1520 |
type: "array" |
| 1518 | 1521 |
items: |
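Review bot: The new `IpcHost` property (new lines 1517-1519) has no `description`, so the API reference, and presumably the generated Go field comment (`// ipc host` in the types hunk on this page), do not say that enabling it runs the plugin in the host's IPC namespace. For a flag that weakens isolation I would add `description: "Run the plugin in the host IPC namespace instead of a private one."` under `IpcHost:`. The neighbouring properties visible here also lack descriptions, so this is a suggestion rather than an inconsistency.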
| ... | ... |
@@ -58,6 +58,10 @@ type PluginConfig struct {
|
| 58 | 58 |
// Required: true |
| 59 | 59 |
Interface PluginConfigInterface `json:"Interface"` |
| 60 | 60 |
|
| 61 |
+ // ipc host |
|
| 62 |
+ // Required: true |
|
| 63 |
+ IpcHost bool `json:"IpcHost"` |
|
| 64 |
+ |
|
| 61 | 65 |
// linux |
| 62 | 66 |
// Required: true |
| 63 | 67 |
Linux PluginConfigLinux `json:"Linux"` |
| ... | ... |
@@ -115,6 +115,9 @@ Config provides the base accessible fields for working with V0 plugin format |
| 115 | 115 |
|
| 116 | 116 |
options of the mount. |
| 117 | 117 |
|
| 118 |
+- **`ipchost`** *boolean* |
|
| 119 |
+ Access to host ipc namespace. |
|
| 120 |
+ |
|
| 118 | 121 |
- **`propagatedMount`** *string* |
| 119 | 122 |
|
| 120 | 123 |
path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins. |
| ... | ... |
@@ -150,6 +150,13 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
|
| 150 | 150 |
Value: []string{c.Network.Type},
|
| 151 | 151 |
}) |
| 152 | 152 |
} |
| 153 |
+ if c.IpcHost {
|
|
| 154 |
+ privileges = append(privileges, types.PluginPrivilege{
|
|
| 155 |
+ Name: "host ipc namespace", |
|
| 156 |
+ Description: "allow access to host ipc namespace", |
|
| 157 |
+ Value: []string{"true"},
|
|
| 158 |
+ }) |
|
| 159 |
+ } |
|
| 153 | 160 |
for _, mount := range c.Mounts {
|
| 154 | 161 |
if mount.Source != nil {
|
| 155 | 162 |
privileges = append(privileges, types.PluginPrivilege{
|
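Review bot: The `if c.IpcHost` branch on new lines 153-159 is what surfaces host-IPC sharing in the privilege list, but it has no comment explaining why, and no test pinning it is visible on this page; the commit message describes only a manual check with `readlink /proc/self/ns/ipc`. I would add `// Sharing the host IPC namespace weakens plugin isolation, so it is always reported as a privilege.` above the branch. A unit test should assert that a `types.PluginConfig` with `IpcHost: true` yields the `"host ipc namespace"` entry and that `false` yields none, so a later refactor cannot drop the entry unnoticed. computePrivileges starts and ends outside this hunk, so coverage may exist elsewhere.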
| ... | ... |
@@ -61,6 +61,10 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
|
| 61 | 61 |
}) |
| 62 | 62 |
} |
| 63 | 63 |
|
| 64 |
+ if p.PluginObj.Config.IpcHost {
|
|
| 65 |
+ oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
|
|
| 66 |
+ } |
|
| 67 |
+ |
|
| 64 | 68 |
for _, mnt := range mounts {
|
| 65 | 69 |
m := specs.Mount{
|
| 66 | 70 |
Destination: mnt.Destination, |
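Review bot: `specs.NamespaceType("ipc")` on new line 65 converts a string literal where the runtime-spec package already exports a constant; `oci.RemoveNamespace(&s, specs.IPCNamespace)` is checked by the compiler, whereas a typo in the literal would presumably match nothing and leave the plugin in a private namespace without any error. A short comment such as `// No ipc entry in the spec: the plugin joins the host IPC namespace.` would also make the isolation trade-off visible at the point where it takes effect. InitSpec's body starts and ends outside the hunk, so whether the spec's mounts need adjusting for host IPC cannot be judged from here.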