Rename variable to reflect manifest -> config renaming
Populate Description fields when computing privileges.
Refactor/reuse code from daemon/oci_linux.go
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 6547609870b66f9dfb1894a4987c42608f856f3e)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
@@ -221,18 +221,6 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
|
| 221 | 221 |
return nil |
| 222 | 222 |
} |
| 223 | 223 |
|
| 224 |
-func delNamespace(s *specs.Spec, nsType specs.NamespaceType) {
|
|
| 225 |
- idx := -1 |
|
| 226 |
- for i, n := range s.Linux.Namespaces {
|
|
| 227 |
- if n.Type == nsType {
|
|
| 228 |
- idx = i |
|
| 229 |
- } |
|
| 230 |
- } |
|
| 231 |
- if idx >= 0 {
|
|
| 232 |
- s.Linux.Namespaces = append(s.Linux.Namespaces[:idx], s.Linux.Namespaces[idx+1:]...) |
|
| 233 |
- } |
|
| 234 |
-} |
|
| 235 |
- |
|
| 236 | 224 |
func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
|
| 237 | 225 |
userNS := false |
| 238 | 226 |
// user |
@@ -283,7 +271,7 @@ func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error |
| 283 | 283 |
setNamespace(s, nsUser) |
| 284 | 284 |
} |
| 285 | 285 |
} else if c.HostConfig.IpcMode.IsHost() {
|
| 286 |
- delNamespace(s, specs.NamespaceType("ipc"))
|
|
| 286 |
+ oci.RemoveNamespace(s, specs.NamespaceType("ipc"))
|
|
| 287 | 287 |
} else {
|
| 288 | 288 |
ns := specs.Namespace{Type: "ipc"}
|
| 289 | 289 |
setNamespace(s, ns) |
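Review bot: The namespace type on the new line `oci.RemoveNamespace(s, specs.NamespaceType("ipc"))` is built from a string literal although the specs package already exports typed constants for these values; `oci.RemoveNamespace(s, specs.IPCNamespace)` is shorter and cannot be mistyped into a value the runtime silently ignores. The same applies to the pid and uts calls in the next hunk of this file (`specs.PIDNamespace`, `specs.UTSNamespace`) and to the network call in plugin/v2/plugin.go (`specs.NetworkNamespace`). setNamespaces starts and ends outside this hunk.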
@@ -304,14 +292,14 @@ func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error |
| 304 | 304 |
setNamespace(s, nsUser) |
| 305 | 305 |
} |
| 306 | 306 |
} else if c.HostConfig.PidMode.IsHost() {
|
| 307 |
- delNamespace(s, specs.NamespaceType("pid"))
|
|
| 307 |
+ oci.RemoveNamespace(s, specs.NamespaceType("pid"))
|
|
| 308 | 308 |
} else {
|
| 309 | 309 |
ns := specs.Namespace{Type: "pid"}
|
| 310 | 310 |
setNamespace(s, ns) |
| 311 | 311 |
} |
| 312 | 312 |
// uts |
| 313 | 313 |
if c.HostConfig.UTSMode.IsHost() {
|
| 314 |
- delNamespace(s, specs.NamespaceType("uts"))
|
|
| 314 |
+ oci.RemoveNamespace(s, specs.NamespaceType("uts"))
|
|
| 315 | 315 |
s.Hostname = "" |
| 316 | 316 |
} |
| 317 | 317 |
|
@@ -16,6 +16,7 @@ keywords: "API, Usage, plugins, documentation, developer" |
| 16 | 16 |
will be rejected. |
| 17 | 17 |
--> |
| 18 | 18 |
|
| 19 |
+ |
|
| 19 | 20 |
# Plugin Config Version 0 of Plugin V2 |
| 20 | 21 |
|
| 21 | 22 |
This document outlines the format of the V0 plugin configuration. The plugin |
@@ -85,10 +86,6 @@ Config provides the base accessible fields for working with V0 plugin format |
| 85 | 85 |
- **host** |
| 86 | 86 |
- **none** |
| 87 | 87 |
|
| 88 |
-- **`capabilities`** *array* |
|
| 89 |
- |
|
| 90 |
- capabilities of the plugin (*Linux only*), see list [`here`](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security) |
|
| 91 |
- |
|
| 92 | 88 |
- **`mounts`** *PluginMount array* |
| 93 | 89 |
|
| 94 | 90 |
mount of the plugin, struct consisting of the following fields, see [`MOUNTS`](https://github.com/opencontainers/runtime-spec/blob/master/config.md#mounts) |
@@ -117,22 +114,6 @@ Config provides the base accessible fields for working with V0 plugin format |
| 117 | 117 |
|
| 118 | 118 |
options of the mount. |
| 119 | 119 |
|
| 120 |
-- **`devices`** *PluginDevice array* |
|
| 121 |
- |
|
| 122 |
- device of the plugin, (*Linux only*), struct consisting of the following fields, see [`DEVICES`](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#devices) |
|
| 123 |
- |
|
| 124 |
- - **`name`** *string* |
|
| 125 |
- |
|
| 126 |
- name of the device. |
|
| 127 |
- |
|
| 128 |
- - **`description`** *string* |
|
| 129 |
- |
|
| 130 |
- description of the device. |
|
| 131 |
- |
|
| 132 |
- - **`path`** *string* |
|
| 133 |
- |
|
| 134 |
- path of the device. |
|
| 135 |
- |
|
| 136 | 120 |
- **`env`** *PluginEnv array* |
| 137 | 121 |
|
| 138 | 122 |
env of the plugin, struct consisting of the following fields |
@@ -165,6 +146,27 @@ Config provides the base accessible fields for working with V0 plugin format |
| 165 | 165 |
|
| 166 | 166 |
values of the args. |
| 167 | 167 |
|
| 168 |
+- **`linux`** *PluginLinux* |
|
| 169 |
+ |
|
| 170 |
+ - **`capabilities`** *string array* |
|
| 171 |
+ |
|
| 172 |
+ capabilities of the plugin (*Linux only*), see list [`here`](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security) |
|
| 173 |
+ |
|
| 174 |
+ - **`devices`** *PluginDevice array* |
|
| 175 |
+ |
|
| 176 |
+ device of the plugin, (*Linux only*), struct consisting of the following fields, see [`DEVICES`](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#devices) |
|
| 177 |
+ |
|
| 178 |
+ - **`name`** *string* |
|
| 179 |
+ |
|
| 180 |
+ name of the device. |
|
| 181 |
+ |
|
| 182 |
+ - **`description`** *string* |
|
| 183 |
+ |
|
| 184 |
+ description of the device. |
|
| 185 |
+ |
|
| 186 |
+ - **`path`** *string* |
|
| 187 |
+ |
|
| 188 |
+ path of the device. |
|
| 168 | 189 |
|
| 169 | 190 |
## Example Config |
| 170 | 191 |
|
| 171 | 192 |
new file mode 100644 |
@@ -0,0 +1,16 @@ |
| 0 |
+package oci |
|
| 1 |
+ |
|
| 2 |
+import specs "github.com/opencontainers/runtime-spec/specs-go" |
|
| 3 |
+ |
|
| 4 |
+// RemoveNamespace removes the `nsType` namespace from OCI spec `s` |
|
| 5 |
+func RemoveNamespace(s *specs.Spec, nsType specs.NamespaceType) {
|
|
| 6 |
+ idx := -1 |
|
| 7 |
+ for i, n := range s.Linux.Namespaces {
|
|
| 8 |
+ if n.Type == nsType {
|
|
| 9 |
+ idx = i |
|
| 10 |
+ } |
|
| 11 |
+ } |
|
| 12 |
+ if idx >= 0 {
|
|
| 13 |
+ s.Linux.Namespaces = append(s.Linux.Namespaces[:idx], s.Linux.Namespaces[idx+1:]...) |
|
| 14 |
+ } |
|
| 15 |
+} |
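Review bot: RemoveNamespace keeps overwriting idx on every match and dereferences s.Linux without a guard, so a spec that lists the same namespace type twice keeps one entry after the call, and a spec with no Linux section panics. Its callers in daemon/oci_linux.go and plugin/v2/plugin.go use it to make the container share the host ipc/pid/uts/network namespace, and a leftover entry would silently give the container a private namespace instead of the host one the configuration asked for. Filtering the slice in place removes every match in one pass and makes the nil check cheap; the doc comment should then say that all entries of that type are removed and that the call is a no-op on a nil Linux section.
```go
// RemoveNamespace removes every `nsType` namespace entry from OCI spec `s`.
// It is a no-op when s or s.Linux is nil.
func RemoveNamespace(s *specs.Spec, nsType specs.NamespaceType) {
	if s == nil || s.Linux == nil {
		return
	}
	kept := s.Linux.Namespaces[:0]
	for _, n := range s.Linux.Namespaces {
		if n.Type != nsType {
			kept = append(kept, n)
		}
	}
	s.Linux.Namespaces = kept
}
```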
@@ -219,45 +219,45 @@ next: |
| 219 | 219 |
// ComputePrivileges takes the config file and computes the list of access necessary |
| 220 | 220 |
// for the plugin on the host. |
| 221 | 221 |
func (p *Plugin) ComputePrivileges() types.PluginPrivileges {
|
| 222 |
- m := p.PluginObj.Config |
|
| 222 |
+ c := p.PluginObj.Config |
|
| 223 | 223 |
var privileges types.PluginPrivileges |
| 224 |
- if m.Network.Type != "null" && m.Network.Type != "bridge" {
|
|
| 224 |
+ if c.Network.Type != "null" && c.Network.Type != "bridge" {
|
|
| 225 | 225 |
privileges = append(privileges, types.PluginPrivilege{
|
| 226 | 226 |
Name: "network", |
| 227 |
- Description: "", |
|
| 228 |
- Value: []string{m.Network.Type},
|
|
| 227 |
+ Description: "permissions to access a network", |
|
| 228 |
+ Value: []string{c.Network.Type},
|
|
| 229 | 229 |
}) |
| 230 | 230 |
} |
| 231 |
- for _, mount := range m.Mounts {
|
|
| 231 |
+ for _, mount := range c.Mounts {
|
|
| 232 | 232 |
if mount.Source != nil {
|
| 233 | 233 |
privileges = append(privileges, types.PluginPrivilege{
|
| 234 | 234 |
Name: "mount", |
| 235 |
- Description: "", |
|
| 235 |
+ Description: "host path to mount", |
|
| 236 | 236 |
Value: []string{*mount.Source},
|
| 237 | 237 |
}) |
| 238 | 238 |
} |
| 239 | 239 |
} |
| 240 |
- for _, device := range m.Linux.Devices {
|
|
| 240 |
+ for _, device := range c.Linux.Devices {
|
|
| 241 | 241 |
if device.Path != nil {
|
| 242 | 242 |
privileges = append(privileges, types.PluginPrivilege{
|
| 243 | 243 |
Name: "device", |
| 244 |
- Description: "", |
|
| 244 |
+ Description: "host device to access", |
|
| 245 | 245 |
Value: []string{*device.Path},
|
| 246 | 246 |
}) |
| 247 | 247 |
} |
| 248 | 248 |
} |
| 249 |
- if m.Linux.DeviceCreation {
|
|
| 249 |
+ if c.Linux.DeviceCreation {
|
|
| 250 | 250 |
privileges = append(privileges, types.PluginPrivilege{
|
| 251 | 251 |
Name: "device-creation", |
| 252 |
- Description: "", |
|
| 252 |
+ Description: "allow creating devices inside plugin", |
|
| 253 | 253 |
Value: []string{"true"},
|
| 254 | 254 |
}) |
| 255 | 255 |
} |
| 256 |
- if len(m.Linux.Capabilities) > 0 {
|
|
| 256 |
+ if len(c.Linux.Capabilities) > 0 {
|
|
| 257 | 257 |
privileges = append(privileges, types.PluginPrivilege{
|
| 258 | 258 |
Name: "capabilities", |
| 259 |
- Description: "", |
|
| 260 |
- Value: m.Linux.Capabilities, |
|
| 259 |
+ Description: "list of additional capabilities required", |
|
| 260 |
+ Value: c.Linux.Capabilities, |
|
| 261 | 261 |
}) |
| 262 | 262 |
} |
| 263 | 263 |
return privileges |
@@ -318,12 +318,7 @@ func (p *Plugin) InitSpec(s specs.Spec, libRoot string) (*specs.Spec, error) {
|
| 318 | 318 |
if p.PluginObj.Config.Network.Type != "" {
|
| 319 | 319 |
// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize) |
| 320 | 320 |
if p.PluginObj.Config.Network.Type == "host" {
|
| 321 |
- for i, n := range s.Linux.Namespaces {
|
|
| 322 |
- if n.Type == "network" {
|
|
| 323 |
- s.Linux.Namespaces = append(s.Linux.Namespaces[:i], s.Linux.Namespaces[i+1:]...) |
|
| 324 |
- break |
|
| 325 |
- } |
|
| 326 |
- } |
|
| 321 |
+ oci.RemoveNamespace(&s, specs.NamespaceType("network"))
|
|
| 327 | 322 |
} |
| 328 | 323 |
etcHosts := "/etc/hosts" |
| 329 | 324 |
resolvConf := "/etc/resolv.conf" |
@@ -402,8 +397,6 @@ func (p *Plugin) InitSpec(s specs.Spec, libRoot string) (*specs.Spec, error) {
|
| 402 | 402 |
s.Process.Cwd = cwd |
| 403 | 403 |
s.Process.Env = envs |
| 404 | 404 |
|
| 405 |
- // TODO: what about duplicates? |
|
| 406 |
- // TODO: Should not need CAP_ prefix in manifest? |
|
| 407 | 405 |
s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...) |
| 408 | 406 |
|
| 409 | 407 |
return &s, nil |
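Review bot: The two TODO comments above the capabilities append are deleted, but the concern they recorded is not addressed in this hunk: `s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...)` still copies the config-supplied list into the process spec verbatim, with no de-duplication and no check that each entry is a recognised CAP_ name. Since this list is what ComputePrivileges shows the user and what the runtime later grants, dropping the note loses the only record that the list is passed through unvalidated; either keep a comment such as `// NOTE: capability names from the plugin config are appended unvalidated and without de-duplication.` or de-duplicate against the existing entries here. InitSpec starts outside this hunk.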