Esempio n. 1
// validateConfig rejects container settings that only trusted builds may use.
//
// When v.trusted is set, every configuration is accepted. Otherwise the first
// restricted setting found (in the order listed below) is reported as an
// error; nil means none of the settings checked here is in use.
//
// This is a deny-list: a Container field that has no case below is accepted
// for untrusted builds, so any newly added host-affecting field needs a
// matching case here.
func (v *validateOp) validateConfig(node *parse.ContainerNode) error {
	if v.trusted {
		return nil
	}

	// Read-only snapshot of the container settings under inspection.
	c := node.Container

	switch {
	case c.Privileged:
		return fmt.Errorf("Insufficient privileges to use privileged mode")
	case len(c.DNS) != 0:
		return fmt.Errorf("Insufficient privileges to use custom dns")
	case len(c.DNSSearch) != 0:
		return fmt.Errorf("Insufficient privileges to use dns_search")
	case len(c.Devices) != 0:
		return fmt.Errorf("Insufficient privileges to use devices")
	case len(c.ExtraHosts) != 0:
		return fmt.Errorf("Insufficient privileges to use extra_hosts")
	case len(c.Network) != 0:
		return fmt.Errorf("Insufficient privileges to override the network")
	case c.OomKillDisable:
		return fmt.Errorf("Insufficient privileges to disable oom_kill")
	case len(c.Volumes) != 0 && node.Type() != parse.NodeCache:
		// Volumes are tolerated on cache nodes only.
		// NOTE(review): presumably a cache node's volumes are set by the
		// compiler rather than by the pipeline author; confirm, because
		// this exemption is otherwise a way around the volume restriction.
		return fmt.Errorf("Insufficient privileges to use volumes")
	case len(c.VolumesFrom) != 0:
		return fmt.Errorf("Insufficient privileges to use volumes_from")
	}
	return nil
}
Esempio n. 2
// visitMatrix disables the node when any entry of its matrix conditions
// differs from the value stored under the same key in v.matrix. A node
// without matrix conditions is left untouched.
//
// Assuming v.matrix is a map, a key that is absent from it compares as the
// zero value, so such a condition only passes when it asks for that value.
func (v *filterOp) visitMatrix(node *parse.ContainerNode) {
	for axis, want := range node.Conditions.Matrix {
		if got := v.matrix[axis]; got != want {
			// One mismatch is enough; nothing else remains to be done.
			node.Disabled = true
			return
		}
	}
}
Esempio n. 3
// visitEvent disables the container step when the node lists event
// conditions and none of them matches v.event. A node without event
// conditions is left untouched.
//
// Patterns use filepath.Match glob syntax. The error from filepath.Match is
// discarded, so a malformed pattern counts as "no match": unless another
// pattern matches, the step is disabled without any diagnostic. Keep that in
// mind when the step being filtered is itself a check or gate.
func (v *filterOp) visitEvent(node *parse.ContainerNode) {
	patterns := node.Conditions.Event
	if len(patterns) == 0 {
		return
	}

	disable := true
	for _, glob := range patterns {
		if hit, _ := filepath.Match(glob, v.event); hit {
			disable = false
			break
		}
	}
	if disable {
		node.Disabled = true
	}
}
Esempio n. 4
// visitPlatform disables the container step when the node lists platform
// conditions and none of them matches v.platform. A node without platform
// conditions is left untouched.
//
// Patterns use filepath.Match glob syntax. The error from filepath.Match is
// discarded, so a malformed pattern counts as "no match" and can leave the
// step disabled without any diagnostic.
func (v *filterOp) visitPlatform(node *parse.ContainerNode) {
	patterns := node.Conditions.Platform
	if len(patterns) == 0 {
		return
	}

	matched := false
	for _, glob := range patterns {
		if hit, _ := filepath.Match(glob, v.platform); hit {
			matched = true
			break
		}
	}
	if !matched {
		node.Disabled = true
	}
}
Esempio n. 5
// VisitContainer normalises cache nodes; nodes of any other type are ignored.
//
// A cache node with no Vargs, or visited while caching is switched off
// (v.enable), is disabled. Otherwise its container is rebuilt from scratch,
// keeping only Name (default "cache"), Alias and Image (default v.plugin) and
// mounting v.mount at /cache. Finally a second cache node carrying the same
// Vargs and container is appended to the root script. It always returns nil.
func (v *cacheOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeCache {
		return nil
	}
	if len(node.Vargs) == 0 || !v.enable {
		node.Disabled = true
		return nil
	}

	name, image := node.Container.Name, node.Container.Image
	if name == "" {
		name = "cache"
	}
	if image == "" {
		image = v.plugin
	}

	// Rebuild the container instead of editing it in place: every property
	// that is not copied here is dropped, which the original author did for
	// security reasons.
	// NOTE(review): Image and Vargs still come from the pipeline definition
	// while the container receives the v.mount volume; confirm that the image
	// is restricted elsewhere for untrusted builds.
	node.Container = runner.Container{
		Name:    name,
		Alias:   node.Container.Alias,
		Image:   image,
		Volumes: []string{v.mount + ":/cache"},
	}

	// Workaround noted by the original author: a copy of this step is added
	// at the end of the build. By the time that copy runs the build should
	// have a completed status, so it knows to cache instead of restore.
	trailing := node.Root().NewCacheNode()
	trailing.Vargs = node.Vargs
	trailing.Container = node.Container
	node.Root().Script = append(node.Root().Script, trailing)
	return nil
}
Esempio n. 6
// VisitContainer prepares shell nodes for execution; nodes of any other type
// are ignored.
//
// The entrypoint and command are overwritten so that the container decodes
// the DRONE_SCRIPT environment variable with base64 and pipes the result to
// /bin/sh -e. HOME, SHELL and DRONE_SCRIPT are set in the environment,
// replacing any values the node already carried for those keys. It always
// returns nil.
func (v *shellOp) VisitContainer(node *parse.ContainerNode) error {
	if node.NodeType != parse.NodeShell {
		return nil
	}

	node.Container.Entrypoint = []string{"/bin/sh", "-c"}
	// NOTE(review): $DRONE_SCRIPT is expanded unquoted, so this relies on
	// toScript emitting a single base64 token with no whitespace; confirm.
	node.Container.Command = []string{"echo $DRONE_SCRIPT | base64 -d | /bin/sh -e"}

	// Writing to a nil map panics, so make sure one exists first.
	env := node.Container.Environment
	if env == nil {
		env = map[string]string{}
		node.Container.Environment = env
	}
	env["HOME"] = "/root"
	env["SHELL"] = "/bin/sh"
	env["DRONE_SCRIPT"] = toScript(node.Root().Path, node.Commands)

	return nil
}
Esempio n. 7
// VisitContainer normalises clone nodes; nodes of any other type are ignored.
//
// When cloning is switched off (v.enable) the node is disabled. Otherwise its
// container is rebuilt from scratch, keeping only Name (default "clone") and
// Image (default v.plugin). It always returns nil.
func (v *cloneOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeClone {
		return nil
	}
	if !v.enable {
		node.Disabled = true
		return nil
	}

	name, image := node.Container.Name, node.Container.Image
	if name == "" {
		name = "clone"
	}
	if image == "" {
		image = v.plugin
	}

	// Rebuild the container instead of editing it in place: every clone
	// property other than the name and image is dropped, which the original
	// author did for security reasons.
	// NOTE(review): a non-empty Image from the pipeline definition is kept
	// as-is; confirm that it is restricted elsewhere for untrusted builds.
	node.Container = runner.Container{
		Name:  name,
		Image: image,
	}
	return nil
}