Esempio n. 1
// validateConfig enforces the restrictions placed on untrusted builds. It
// returns an error naming the first restricted container setting it finds,
// and nil when the operation is trusted or no restricted setting is present.
//
// NOTE(review): this is a deny-list. Only the fields tested below are
// rejected; every other Container field is accepted for an untrusted build,
// so the list has to be revisited whenever a host-affecting field is added
// to the container type.
func (v *validateOp) validateConfig(node *parse.ContainerNode) error {
	// Trusted operations bypass every check below.
	if v.trusted {
		return nil
	}

	ctr := &node.Container
	switch {
	case ctr.Privileged:
		return fmt.Errorf("Insufficient privileges to use privileged mode")
	case len(ctr.DNS) != 0:
		return fmt.Errorf("Insufficient privileges to use custom dns")
	case len(ctr.DNSSearch) != 0:
		return fmt.Errorf("Insufficient privileges to use dns_search")
	case len(ctr.Devices) != 0:
		return fmt.Errorf("Insufficient privileges to use devices")
	case len(ctr.ExtraHosts) != 0:
		return fmt.Errorf("Insufficient privileges to use extra_hosts")
	case len(ctr.Network) != 0:
		return fmt.Errorf("Insufficient privileges to override the network")
	case ctr.OomKillDisable:
		return fmt.Errorf("Insufficient privileges to disable oom_kill")
	// Cache nodes are the only node type allowed to carry volumes.
	// NOTE(review): this trusts that a cache node's volume list has already
	// been reduced to a fixed mount before validation runs. Confirm the
	// visitor order.
	case len(ctr.Volumes) != 0 && node.Type() != parse.NodeCache:
		return fmt.Errorf("Insufficient privileges to use volumes")
	case len(ctr.VolumesFrom) != 0:
		return fmt.Errorf("Insufficient privileges to use volumes_from")
	}
	return nil
}
Esempio n. 2
// VisitContainer prepares a cache step. Nodes of any other type are left
// untouched. A cache node with no Vargs, or one visited while caching is not
// enabled, is marked Disabled. Otherwise the node's container is rebuilt from
// an allow-list and a second cache node is appended to the root script.
func (v *cacheOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeCache {
		return nil
	}
	if !v.enable || len(node.Vargs) == 0 {
		node.Disabled = true
		return nil
	}

	// Fall back to the default step name and the configured plugin image
	// when the node does not set them.
	name, image := node.Container.Name, node.Container.Image
	if name == "" {
		name = "cache"
	}
	if image == "" {
		image = v.plugin
	}

	// Security: rebuild the container from scratch so that only Name, Alias
	// and Image survive from the node's configuration. Every other property
	// is dropped, and the single volume is the operation's own mount mapped
	// to /cache.
	// NOTE(review): Image is still taken from the node when it is set, so
	// that image receives the v.mount volume. Confirm this is intended for
	// untrusted builds.
	node.Container = runner.Container{
		Name:    name,
		Alias:   node.Container.Alias,
		Image:   image,
		Volumes: []string{v.mount + ":/cache"},
	}

	// Workaround kept from the original author: a copy of this step is
	// appended to the end of the build. By the time the copy runs, the build
	// should have a completed status, so it knows to cache instead of
	// restore.
	trailing := node.Root().NewCacheNode()
	trailing.Vargs = node.Vargs
	trailing.Container = node.Container
	node.Root().Script = append(node.Root().Script, trailing)
	return nil
}
Esempio n. 3
// VisitContainer prepares the clone step. Nodes of any other type are left
// untouched, and a clone node visited while cloning is not enabled is marked
// Disabled. Otherwise the node's container is rebuilt from an allow-list.
func (v *cloneOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeClone {
		return nil
	}
	if !v.enable {
		node.Disabled = true
		return nil
	}

	// Fall back to the default step name and the configured plugin image
	// when the node does not set them.
	name, image := node.Container.Name, node.Container.Image
	if name == "" {
		name = "clone"
	}
	if image == "" {
		image = v.plugin
	}

	// Security: only Name and Image survive from the node's configuration.
	// Every other clone property is discarded.
	// NOTE(review): Image is still taken from the node when it is set.
	// Confirm that a build-chosen clone image is acceptable for untrusted
	// builds.
	node.Container = runner.Container{
		Name:  name,
		Image: image,
	}
	return nil
}