adding in updates
This commit is contained in:
nathan wagner
@@ -87,7 +87,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
|
||||
securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
|
||||
}
|
||||
if len(securityOpts) > 0 {
|
||||
fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(securityOpts, " "))
|
||||
fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
|
||||
}
|
||||
|
||||
if err := n.Err; err != nil {
|
||||
|
||||
@@ -8,7 +8,6 @@ import (
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
@@ -42,7 +41,6 @@ type Driver struct {
|
||||
netMode string
|
||||
image string
|
||||
cgroupParent string
|
||||
securityOpts map[string]string
|
||||
env []string
|
||||
}
|
||||
|
||||
@@ -114,7 +112,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
||||
useInit := true // let it cleanup exited processes created by BuildKit's container API
|
||||
if err := l.Wrap("creating container "+d.Name, func() error {
|
||||
hc := &container.HostConfig{
|
||||
Privileged: true,
|
||||
Privileged: false,
|
||||
Mounts: []mount.Mount{
|
||||
{
|
||||
Type: mount.TypeVolume,
|
||||
@@ -128,13 +126,6 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
||||
hc.NetworkMode = container.NetworkMode(d.netMode)
|
||||
}
|
||||
if info, err := d.DockerAPI.Info(ctx); err == nil {
|
||||
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
|
||||
l.Wrap("driverOpts"+info.CgroupDriver, func() error {
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if info.CgroupDriver == "cgroupfs" {
|
||||
// Place all buildkit containers inside this cgroup by default so limits can be attached
|
||||
// to all build activity on the host.
|
||||
@@ -143,27 +134,23 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
||||
hc.CgroupParent = d.cgroupParent
|
||||
}
|
||||
}
|
||||
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for _, f := range secOpts {
|
||||
if f.Name == "userns" {
|
||||
hc.UsernsMode = "host"
|
||||
break
|
||||
}
|
||||
}
|
||||
for i, k := range d.securityOpts {
|
||||
switch {
|
||||
case i == "systempaths":
|
||||
hc.MaskedPaths = []string{}
|
||||
hc.ReadonlyPaths = []string{}
|
||||
case i == "privileged":
|
||||
val, err := strconv.ParseBool(k)
|
||||
if err != nil {
|
||||
return errors.Errorf("invalid value privleged security option, options are true/false")
|
||||
}
|
||||
hc.Privileged = val
|
||||
default:
|
||||
hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
|
||||
}
|
||||
}
|
||||
hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
|
||||
hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
|
||||
hc.Privileged = false
|
||||
//hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
|
||||
hc.MaskedPaths = []string{}
|
||||
hc.ReadonlyPaths = []string{}
|
||||
//cfg.Env= append(cfg.Env,"systempaths=unconfined")
|
||||
}
|
||||
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
|
||||
if err != nil && !errdefs.IsConflict(err) {
|
||||
|
||||
@@ -40,7 +40,6 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
|
||||
return nil, errors.Errorf("%s driver requires docker API access", f.Name())
|
||||
}
|
||||
d := &Driver{factory: f, InitConfig: cfg}
|
||||
d.securityOpts = make(map[string]string)
|
||||
for k, v := range cfg.DriverOpts {
|
||||
switch {
|
||||
case k == "network":
|
||||
@@ -58,32 +57,11 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
|
||||
return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k)
|
||||
}
|
||||
d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v))
|
||||
case k == "seccomp":
|
||||
d.securityOpts[k] = v
|
||||
case k == "apparmor":
|
||||
d.securityOpts[k] = v
|
||||
case k == "systempaths":
|
||||
d.securityOpts[k] = v
|
||||
case k == "privileged":
|
||||
d.securityOpts[k] = v
|
||||
default:
|
||||
return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
|
||||
}
|
||||
}
|
||||
for i, _ := range cfg.SecurityOpts {
|
||||
switch {
|
||||
case i == "seccomp":
|
||||
continue
|
||||
case i == "apparmor":
|
||||
continue
|
||||
case i == "systempaths":
|
||||
continue
|
||||
case i == "privileged":
|
||||
continue
|
||||
default:
|
||||
return nil, errors.Errorf("invalid Security option %s for docker-container driver", i)
|
||||
}
|
||||
}
|
||||
|
||||
return d, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user