From 0f5a56b3c20b477eeda99a24add2a4c54a1655f7 Mon Sep 17 00:00:00 2001 From: Kevin van Zonneveld Date: Tue, 4 Mar 2014 00:51:24 +0100 Subject: [PATCH] Add support for privileged containers #123 This is required for mounting external volumes and addresses errors such as `mount.nfs: Operation not permitted` Be gentle, I don't normally use Python :) --- fig/service.py | 22 ++++++++++++++++------ tests/service_test.py | 10 ++++++++++ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/fig/service.py b/fig/service.py index 0675a697617..51ec004baf4 100644 --- a/fig/service.py +++ b/fig/service.py @@ -10,11 +10,14 @@ log = logging.getLogger(__name__) -DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint'] +DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint', 'privileged'] DOCKER_CONFIG_HINTS = { - 'link': 'links', - 'port': 'ports', - 'volume': 'volumes', + 'link' : 'links', + 'port' : 'ports', + 'privilege' : 'privileged', + 'priviliged': 'privileged', + 'privilige' : 'privileged', + 'volume' : 'volumes', } @@ -126,7 +129,7 @@ def create_container(self, one_off=False, **override_options): Create a container for this service. If the image doesn't exist, attempt to pull it. """ - container_options = self._get_container_options(override_options, one_off=one_off) + container_options = self._get_container_create_options(override_options, one_off=one_off) try: return Container.create(self.client, **container_options) except APIError as e: @@ -206,10 +209,13 @@ def start_container(self, container=None, **override_options): external_dir, internal_dir = volume.split(':') volume_bindings[os.path.abspath(external_dir)] = internal_dir + privileged = options.get('privileged', False) + container.start( links=self._get_links(link_to_self=override_options.get('one_off', False)), port_bindings=port_bindings, binds=volume_bindings, + privileged=privileged, ) return container @@ -241,7 +247,7 @@ def _get_links(self, link_to_self): links.append((container.name, container.name_without_project)) return links - def _get_container_options(self, override_options, one_off=False): + def _get_container_create_options(self, override_options, one_off=False): container_options = dict((k, self.options[k]) for k in DOCKER_CONFIG_KEYS if k in self.options) container_options.update(override_options) @@ -267,6 +273,10 @@ def _get_container_options(self, override_options, one_off=False): self.build() container_options['image'] = self._build_tag_name() + # Priviliged is only required for starting containers, not for creating them + if 'privileged' in container_options: + del container_options['privileged'] + return container_options def build(self): diff --git a/tests/service_test.py b/tests/service_test.py index b19901a9cd7..5e8fe3ba3c6 100644 --- a/tests/service_test.py +++ b/tests/service_test.py @@ -217,6 +217,16 @@ def test_start_container_creates_ports(self): self.assertEqual(list(container['NetworkSettings']['Ports'].keys()), ['8000/tcp']) self.assertNotEqual(container['NetworkSettings']['Ports']['8000/tcp'][0]['HostPort'], '8000') + def test_start_container_stays_unpriviliged(self): + service = self.create_service('web') + container = service.start_container().inspect() + self.assertEqual(container['HostConfig']['Privileged'], False) + + def test_start_container_becomes_priviliged(self): + service = self.create_service('web', privileged = True) + container = service.start_container().inspect() + self.assertEqual(container['HostConfig']['Privileged'], True) + def test_expose_does_not_publish_ports(self): service = self.create_service('web', expose=[8000]) container = service.start_container().inspect()