// validateConfig checks a container node for settings that untrusted
// pipelines are not allowed to use and reports the first one found.
// Trusted operations (v.trusted) skip every check. The checks run in the
// order listed below, so the error returned is the first match. Volumes
// are permitted only on cache nodes; that exemption relies on
// cacheOp.VisitContainer later replacing a cache node's Container, Volumes
// included, with a fixed mount.
func (v *validateOp) validateConfig(node *parse.ContainerNode) error {
	if v.trusted {
		return nil
	}
	c := &node.Container
	switch {
	case c.Privileged:
		return fmt.Errorf("Insufficient privileges to use privileged mode")
	case len(c.DNS) != 0:
		return fmt.Errorf("Insufficient privileges to use custom dns")
	case len(c.DNSSearch) != 0:
		return fmt.Errorf("Insufficient privileges to use dns_search")
	case len(c.Devices) != 0:
		return fmt.Errorf("Insufficient privileges to use devices")
	case len(c.ExtraHosts) != 0:
		return fmt.Errorf("Insufficient privileges to use extra_hosts")
	case len(c.Network) != 0:
		return fmt.Errorf("Insufficient privileges to override the network")
	case c.OomKillDisable:
		return fmt.Errorf("Insufficient privileges to disable oom_kill")
	case len(c.Volumes) != 0 && node.Type() != parse.NodeCache:
		// cache nodes get their volume list rewritten by cacheOp; every
		// other node type must not mount anything.
		return fmt.Errorf("Insufficient privileges to use volumes")
	case len(c.VolumesFrom) != 0:
		return fmt.Errorf("Insufficient privileges to use volumes_from")
	}
	return nil
}
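// VisitContainer turns a cache node into the cache plugin container.
// Non-cache nodes are left untouched. A cache node with no Vargs, or any
// cache node while caching is disabled (v.enable), is marked Disabled and
// returned as-is. Otherwise Name defaults to "cache" and Image to the
// configured plugin image; every other user-supplied container property is
// dropped and the container gets a single volume mounting v.mount at /cache.
// A copy of the node is then appended to the root script so the cache step
// runs a second time at the end of the build.
func (v *cacheOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeCache {
		return nil
	}
	if len(node.Vargs) == 0 || !v.enable {
		node.Disabled = true
		return nil
	}
	if node.Container.Name == "" {
		node.Container.Name = "cache"
	}
	if node.Container.Image == "" {
		node.Container.Image = v.plugin
	}
	// Rebuild the container from scratch so that only the name, alias and
	// image survive; everything else the user may have set (volumes,
	// privileges, dns, devices, ...) is discarded for security reasons.
	// NOTE(review): Image stays user-settable here and the resulting
	// container is given the v.mount volume — confirm that is intended for
	// untrusted pipelines, since validateOp does not restrict Image.
	node.Container = runner.Container{
		Name:  node.Container.Name,
		Alias: node.Container.Alias,
		Image: node.Container.Image,
		Volumes: []string{
			v.mount + ":/cache",
		},
	}
	// Workaround until a better mechanism exists: duplicate the node and
	// append it to the end of the build script. Per the original author,
	// when that copy executes the build already has a completed status,
	// which tells the plugin to store the cache instead of restoring it.
	// Both nodes share the same Volumes backing array; neither is expected
	// to append to it.
	cache := node.Root().NewCacheNode()
	cache.Vargs = node.Vargs
	cache.Container = node.Container
	node.Root().Script = append(node.Root().Script, cache)
	return nil
}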
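// VisitContainer turns a clone node into the clone plugin container.
// Non-clone nodes are left untouched. When cloning is disabled (v.enable)
// the node is marked Disabled and returned as-is. Otherwise Name defaults
// to "clone" and Image to the configured plugin image, and every other
// user-supplied container property is dropped. Unlike the cache visitor,
// no Alias is carried over and no volume is mounted.
func (v *cloneOp) VisitContainer(node *parse.ContainerNode) error {
	if node.Type() != parse.NodeClone {
		return nil
	}
	if !v.enable {
		node.Disabled = true
		return nil
	}
	if node.Container.Name == "" {
		node.Container.Name = "clone"
	}
	if node.Container.Image == "" {
		node.Container.Image = v.plugin
	}
	// Rebuild the container from scratch so that only the name and image
	// survive; everything else the user may have set (volumes, privileges,
	// dns, devices, ...) is discarded for security reasons.
	// NOTE(review): Image stays user-settable here — confirm that is
	// intended for untrusted pipelines, since validateOp does not restrict it.
	node.Container = runner.Container{
		Name:  node.Container.Name,
		Image: node.Container.Image,
	}
	return nil
}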