Skip to content

Commit

Permalink
Add support for privileged containers #123
Browse files Browse the repository at this point in the history
This is required for mounting external volumes and
addresses errors such as `mount.nfs: Operation not permitted`

Be gentle, I don't normally use Python :)
  • Loading branch information
kvz committed Mar 13, 2014
1 parent b0ec54b commit 0f5a56b
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 6 deletions.
22 changes: 16 additions & 6 deletions fig/service.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,14 @@
log = logging.getLogger(__name__)


DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint']
DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint', 'privileged']
DOCKER_CONFIG_HINTS = {
'link': 'links',
'port': 'ports',
'volume': 'volumes',
'link' : 'links',
'port' : 'ports',
'privilege' : 'privileged',
'priviliged': 'privileged',
'privilige' : 'privileged',
'volume' : 'volumes',
}


Expand Down Expand Up @@ -126,7 +129,7 @@ def create_container(self, one_off=False, **override_options):
Create a container for this service. If the image doesn't exist, attempt to pull
it.
"""
container_options = self._get_container_options(override_options, one_off=one_off)
container_options = self._get_container_create_options(override_options, one_off=one_off)
try:
return Container.create(self.client, **container_options)
except APIError as e:
Expand Down Expand Up @@ -206,10 +209,13 @@ def start_container(self, container=None, **override_options):
external_dir, internal_dir = volume.split(':')
volume_bindings[os.path.abspath(external_dir)] = internal_dir

privileged = options.get('privileged', False)

container.start(
links=self._get_links(link_to_self=override_options.get('one_off', False)),
port_bindings=port_bindings,
binds=volume_bindings,
privileged=privileged,
)
return container

Expand Down Expand Up @@ -241,7 +247,7 @@ def _get_links(self, link_to_self):
links.append((container.name, container.name_without_project))
return links

def _get_container_options(self, override_options, one_off=False):
def _get_container_create_options(self, override_options, one_off=False):
container_options = dict((k, self.options[k]) for k in DOCKER_CONFIG_KEYS if k in self.options)
container_options.update(override_options)

Expand All @@ -267,6 +273,10 @@ def _get_container_options(self, override_options, one_off=False):
self.build()
container_options['image'] = self._build_tag_name()

# Priviliged is only required for starting containers, not for creating them
if 'privileged' in container_options:
del container_options['privileged']

return container_options

def build(self):
Expand Down
10 changes: 10 additions & 0 deletions tests/service_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,16 @@ def test_start_container_creates_ports(self):
self.assertEqual(list(container['NetworkSettings']['Ports'].keys()), ['8000/tcp'])
self.assertNotEqual(container['NetworkSettings']['Ports']['8000/tcp'][0]['HostPort'], '8000')

def test_start_container_stays_unpriviliged(self):
service = self.create_service('web')
container = service.start_container().inspect()
self.assertEqual(container['HostConfig']['Privileged'], False)

def test_start_container_becomes_priviliged(self):
service = self.create_service('web', privileged = True)
container = service.start_container().inspect()
self.assertEqual(container['HostConfig']['Privileged'], True)

def test_expose_does_not_publish_ports(self):
service = self.create_service('web', expose=[8000])
container = service.start_container().inspect()
Expand Down

0 comments on commit 0f5a56b

Please sign in to comment.