func (dg *DockerGoClient) CreateContainer(config *docker.Config, hostConfig *docker.HostConfig, name string) DockerContainerMetadata { timeout := ttime.After(createContainerTimeout) hostConfig.Privileged = true ctx, cancelFunc := context.WithCancel(context.TODO()) // Could pass one through from engine response := make(chan DockerContainerMetadata, 1) go func() { response <- dg.createContainer(ctx, config, hostConfig, name) }() select { case resp := <-response: return resp case <-timeout: cancelFunc() return DockerContainerMetadata{Error: &DockerTimeoutError{createContainerTimeout, "created"}} } }
func (dg *DockerGoClient) createContainer(ctx context.Context, config *docker.Config, hostConfig *docker.HostConfig, name string) DockerContainerMetadata { client := dg.dockerClient hostConfig.Privileged = true containerOptions := docker.CreateContainerOptions{Config: config, HostConfig: hostConfig, Name: name} dockerContainer, err := client.CreateContainer(containerOptions) select { case <-ctx.Done(): // Parent function already timed out; no need to get container metadata return DockerContainerMetadata{} default: } if err != nil { return DockerContainerMetadata{Error: CannotXContainerError{"Create", err.Error()}} } return dg.containerMetadata(dockerContainer.ID) }
// ModifyHostConfig is called before the Docker runContainer call. // The security context provider can make changes to the HostConfig, affecting // security options, whether the container is privileged, volume binds, etc. func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) { // Apply pod security context if container.Name != leaky.PodInfraContainerName && pod.Spec.SecurityContext != nil { // TODO: We skip application of supplemental groups to the // infra container to work around a runc issue which // requires containers to have the '/etc/group'. For // more information see: // https://github.com/opencontainers/runc/pull/313 // This can be removed once the fix makes it into the // required version of docker. if pod.Spec.SecurityContext.SupplementalGroups != nil { hostConfig.GroupAdd = make([]string, len(pod.Spec.SecurityContext.SupplementalGroups)) for i, group := range pod.Spec.SecurityContext.SupplementalGroups { hostConfig.GroupAdd[i] = strconv.Itoa(int(group)) } } if pod.Spec.SecurityContext.FSGroup != nil { hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(int(*pod.Spec.SecurityContext.FSGroup))) } } // Apply effective security context for container effectiveSC := DetermineEffectiveSecurityContext(pod, container) if effectiveSC == nil { return } if effectiveSC.Privileged != nil { hostConfig.Privileged = *effectiveSC.Privileged } if effectiveSC.Capabilities != nil { add, drop := MakeCapabilities(effectiveSC.Capabilities.Add, effectiveSC.Capabilities.Drop) hostConfig.CapAdd = add hostConfig.CapDrop = drop } if effectiveSC.SELinuxOptions != nil { hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, effectiveSC.SELinuxOptions.User) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, effectiveSC.SELinuxOptions.Role) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, effectiveSC.SELinuxOptions.Type) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, effectiveSC.SELinuxOptions.Level) } }
// ModifyHostConfig is called before the Docker runContainer call. // The security context provider can make changes to the HostConfig, affecting // security options, whether the container is privileged, volume binds, etc. // An error is returned if it's not possible to secure the container as requested // with a security context. func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) { if container.SecurityContext == nil { return } if container.SecurityContext.Privileged != nil { hostConfig.Privileged = *container.SecurityContext.Privileged } if container.SecurityContext.Capabilities != nil { add, drop := makeCapabilites(container.SecurityContext.Capabilities.Add, container.SecurityContext.Capabilities.Drop) hostConfig.CapAdd = add hostConfig.CapDrop = drop } if container.SecurityContext.SELinuxOptions != nil { hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, container.SecurityContext.SELinuxOptions.User) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, container.SecurityContext.SELinuxOptions.Role) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, container.SecurityContext.SELinuxOptions.Type) hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, container.SecurityContext.SELinuxOptions.Level) } }