Merge pull request #132 from kvz/privileged

Add support for privileged containers #123
2014-03-13 13:42:52 +00:00 · 2014-03-13 13:42:52 +00:00 · a96ab41739
parent c1d9e5156f 0f5a56b3c2
commit a96ab41739
2 changed files with 26 additions and 6 deletions
--- a/fig/service.py
+++ b/fig/service.py
@ -10,11 +10,14 @@ from .container import Container
 log = logging.getLogger(__name__)


-DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint']
+DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'volumes_from', 'entrypoint', 'privileged']
 DOCKER_CONFIG_HINTS = {
-    'link': 'links',
-    'port': 'ports',
-    'volume': 'volumes',
+    'link'      : 'links',
+    'port'      : 'ports',
+    'privilege' : 'privileged',
+    'priviliged': 'privileged',
+    'privilige' : 'privileged',
+    'volume'    : 'volumes',
 }


@ -126,7 +129,7 @@ class Service(object):
        Create a container for this service. If the image doesn't exist, attempt to pull
        it.
        """
-        container_options = self._get_container_options(override_options, one_off=one_off)
+        container_options = self._get_container_create_options(override_options, one_off=one_off)
        try:
            return Container.create(self.client, **container_options)
        except APIError as e:
@ -206,10 +209,13 @@ class Service(object):
                    external_dir, internal_dir = volume.split(':')
                    volume_bindings[os.path.abspath(external_dir)] = internal_dir

+        privileged = options.get('privileged', False)
+
        container.start(
            links=self._get_links(link_to_self=override_options.get('one_off', False)),
            port_bindings=port_bindings,
            binds=volume_bindings,
+            privileged=privileged,
        )
        return container

@ -241,7 +247,7 @@ class Service(object):
                links.append((container.name, container.name_without_project))
        return links

-    def _get_container_options(self, override_options, one_off=False):
+    def _get_container_create_options(self, override_options, one_off=False):
        container_options = dict((k, self.options[k]) for k in DOCKER_CONFIG_KEYS if k in self.options)
        container_options.update(override_options)

@ -267,6 +273,10 @@ class Service(object):
                self.build()
            container_options['image'] = self._build_tag_name()

+        # Priviliged is only required for starting containers, not for creating them
+        if 'privileged' in container_options:
+            del container_options['privileged']
+
        return container_options

    def build(self):
--- a/tests/service_test.py
+++ b/tests/service_test.py
@ -217,6 +217,16 @@ class ServiceTest(DockerClientTestCase):
        self.assertEqual(list(container['NetworkSettings']['Ports'].keys()), ['8000/tcp'])
        self.assertNotEqual(container['NetworkSettings']['Ports']['8000/tcp'][0]['HostPort'], '8000')

+    def test_start_container_stays_unpriviliged(self):
+        service = self.create_service('web')
+        container = service.start_container().inspect()
+        self.assertEqual(container['HostConfig']['Privileged'], False)
+
+    def test_start_container_becomes_priviliged(self):
+        service = self.create_service('web', privileged = True)
+        container = service.start_container().inspect()
+        self.assertEqual(container['HostConfig']['Privileged'], True)
+
    def test_expose_does_not_publish_ports(self):
        service = self.create_service('web', expose=[8000])
        container = service.start_container().inspect()