func (dg *DockerGoClient) CreateContainer(config *docker.Config, hostConfig *docker.HostConfig, name string) DockerContainerMetadata {
timeout := ttime.After(createContainerTimeout)
hostConfig.Privileged = true
ctx, cancelFunc := context.WithCancel(context.TODO()) // Could pass one through from engine
response := make(chan DockerContainerMetadata, 1)
go func() { response <- dg.createContainer(ctx, config, hostConfig, name) }()
select {
case resp := <-response:
return resp
case <-timeout:
cancelFunc()
return DockerContainerMetadata{Error: &DockerTimeoutError{createContainerTimeout, "created"}}
}
}
func (dg *DockerGoClient) createContainer(ctx context.Context, config *docker.Config, hostConfig *docker.HostConfig, name string) DockerContainerMetadata {
client := dg.dockerClient
hostConfig.Privileged = true
containerOptions := docker.CreateContainerOptions{Config: config, HostConfig: hostConfig, Name: name}
dockerContainer, err := client.CreateContainer(containerOptions)
select {
case <-ctx.Done():
// Parent function already timed out; no need to get container metadata
return DockerContainerMetadata{}
default:
}
if err != nil {
return DockerContainerMetadata{Error: CannotXContainerError{"Create", err.Error()}}
}
return dg.containerMetadata(dockerContainer.ID)
}
// ModifyHostConfig is called before the Docker runContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
// Apply pod security context
if container.Name != leaky.PodInfraContainerName && pod.Spec.SecurityContext != nil {
// TODO: We skip application of supplemental groups to the
// infra container to work around a runc issue which
// requires containers to have the '/etc/group'. For
// more information see:
// https://github.com/opencontainers/runc/pull/313
// This can be removed once the fix makes it into the
// required version of docker.
if pod.Spec.SecurityContext.SupplementalGroups != nil {
hostConfig.GroupAdd = make([]string, len(pod.Spec.SecurityContext.SupplementalGroups))
for i, group := range pod.Spec.SecurityContext.SupplementalGroups {
hostConfig.GroupAdd[i] = strconv.Itoa(int(group))
}
}
if pod.Spec.SecurityContext.FSGroup != nil {
hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(int(*pod.Spec.SecurityContext.FSGroup)))
}
}
// Apply effective security context for container
effectiveSC := DetermineEffectiveSecurityContext(pod, container)
if effectiveSC == nil {
return
}
if effectiveSC.Privileged != nil {
hostConfig.Privileged = *effectiveSC.Privileged
}
if effectiveSC.Capabilities != nil {
add, drop := MakeCapabilities(effectiveSC.Capabilities.Add, effectiveSC.Capabilities.Drop)
hostConfig.CapAdd = add
hostConfig.CapDrop = drop
}
if effectiveSC.SELinuxOptions != nil {
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, effectiveSC.SELinuxOptions.User)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, effectiveSC.SELinuxOptions.Role)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, effectiveSC.SELinuxOptions.Type)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, effectiveSC.SELinuxOptions.Level)
}
}
// ModifyHostConfig is called before the Docker runContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
// An error is returned if it's not possible to secure the container as requested
// with a security context.
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
if container.SecurityContext == nil {
return
}
if container.SecurityContext.Privileged != nil {
hostConfig.Privileged = *container.SecurityContext.Privileged
}
if container.SecurityContext.Capabilities != nil {
add, drop := makeCapabilites(container.SecurityContext.Capabilities.Add, container.SecurityContext.Capabilities.Drop)
hostConfig.CapAdd = add
hostConfig.CapDrop = drop
}
if container.SecurityContext.SELinuxOptions != nil {
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, container.SecurityContext.SELinuxOptions.User)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, container.SecurityContext.SELinuxOptions.Role)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, container.SecurityContext.SELinuxOptions.Type)
hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, container.SecurityContext.SELinuxOptions.Level)
}
}
