Add ability to map devices into containers when permitted for spawnpo…

…int daemon (closes #30)
SoftwareDefinedBuildings · Oct 14, 2017 · 83ae6af · 83ae6af
1 parent c534058
commit 83ae6af
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -94,8 +94,13 @@ Currently, the valid parameters are:
   interface. Note that this represents a major security risk. Don't enable this
   unless you are very confident that you need it.
 
-A typical Spawnpoint configuration file might look as follows. Note that the
-`localRouter` parameter is omitted, and thus it takes on the default value.
+* `allowDeviceMappings` (optional): If enabled, this allows devices on a
+  Spawnpoint host (e.g. `/dev/tty1`) to be mapped into containers running on
+  that host. This allows containers to access these devices. Note that this
+  represents a security risk. Don't enable this feature unless you understand
+  the consequences and are confident that you need it.
+
+A typical Spawnpoint configuration file might look as follows.
 ```yaml
 entity: ~/bosswave/spawnpointTest.key
 path: scratch.ns/spawnpoint/alpha

diff --git a/installer/README.md b/installer/README.md
@@ -11,7 +11,7 @@ Currently, the script only supports 64-bit Ubuntu Linux installations that use
 when run on other platforms.
 
 Additionally, the installer currently does not configure the metadata that is
-advertised by the spawnpoint. To do this, you must edit `/etc/spawnd/metadat.yml`
+advertised by the spawnpoint. To do this, you must edit `/etc/spawnd/metadata.yml`
 manually.
 
 This script will then take the following steps:
@@ -40,8 +40,8 @@ This script will then take the following steps:
   7. Start up the new `spawnd` service, after enabling it to start on boot as
      well.
 
-### What about host networking?
-In general, allowing containers to use the host network is discouraged unless
-you know what you are doing. Therefore, it is disabled by the installer by
-default, but the installer will not change your old settings when performing
-an update.
+### What about host networking and mapping devices?
+In general, allowing containers to use the host network or to directly access
+host devices is discouraged unless you know what you are doing. Therefore, it is
+disabled by the installer by default, but the installer will not change your old
+settings when performing an update.
diff --git a/installer/installer.sh b/installer/installer.sh
@@ -109,6 +109,7 @@ if [ ! -e /etc/spawnd/config.yml ]; then
 	localRouter: 172.17.0.1:28589
 	containerRouter: 172.17.0.1:28589
 	allowHostNet: false
+	allowDeviceMappings: false
 	EOF
 
     entity=''

diff --git a/spawnctl/main.go b/spawnctl/main.go
@@ -20,7 +20,7 @@ import (
 	"github.com/urfave/cli"
 )
 
-const versionNum = `0.3.7`
+const versionNum = `0.3.8`
 
 type prevDeployment struct {
 	URI        string

diff --git a/spawnd/daemonconfig.go b/spawnd/daemonconfig.go
@@ -1,12 +1,13 @@
 package main
 
 type DaemonConfig struct {
-	Entity          string `yaml:"entity"`
-	Alias           string `yaml:"alias"`
-	Path            string `yaml:"path"`
-	LocalRouter     string `yaml:"localRouter"`
-	ContainerRouter string `yaml:"containerRouter"`
-	MemAlloc        string `yaml:"memAlloc"`
-	CPUShares       uint64 `yaml:"cpuShares"`
-	AllowHostNet    bool   `yaml:"allowHostNet"`
+	Entity              string `yaml:"entity"`
+	Alias               string `yaml:"alias"`
+	Path                string `yaml:"path"`
+	LocalRouter         string `yaml:"localRouter"`
+	ContainerRouter     string `yaml:"containerRouter"`
+	MemAlloc            string `yaml:"memAlloc"`
+	CPUShares           uint64 `yaml:"cpuShares"`
+	AllowHostNet        bool   `yaml:"allowHostNet"`
+	AllowDeviceMappings bool   `yaml:"allowDeviceMappings"`
 }
diff --git a/spawnd/docker.go b/spawnd/docker.go
@@ -131,10 +131,11 @@ func RestartContainer(alias string, cfg *Manifest, bwRouter string, rebuildImg b
 	var containerDevices []docker.Device
 	if len(cfg.Devices) > 0 {
 		containerDevices = make([]docker.Device, len(cfg.Devices))
-		for i, device := range cfg.Devices {
+		for i, devicePath := range cfg.Devices {
 			containerDevices[i] = docker.Device{
-				PathOnHost:      device,
-				PathInContainer: device,
+				PathOnHost:        devicePath,
+				PathInContainer:   devicePath,
+				CgroupPermissions: "rwm",
 			}
 		}
 	}

diff --git a/spawnd/main.go b/spawnd/main.go
@@ -24,7 +24,7 @@ import (
 	yaml "gopkg.in/yaml.v2"
 )
 
-const versionNum = `0.5.4`
+const versionNum = `0.5.5`
 const defaultZombiePeriod = 2 * time.Minute
 const persistEnvVar = "SPAWND_PERSIST_DIR"
 const logReaderBufSize = 1024
@@ -514,8 +514,14 @@ func handleConfig(id int, msg *bw2.SimpleMessage) {
 	}
 
 	if trueCfg.UseHostNet && !cfgs[id].AllowHostNet {
-		alias := cfgs[id].Alias
-		err := fmt.Errorf("Spawnpoint %s does not allow use of host network stack", alias)
+		err := fmt.Errorf("Spawnpoint %s does not allow use of host network stack",
+			cfgs[id].Alias)
+		panic(err)
+	}
+
+	if len(trueCfg.Devices) > 0 && !cfgs[id].AllowDeviceMappings {
+		err := fmt.Errorf("Spawnpoint %s does not allow host devices to be mapped into containers",
+			cfgs[id].Alias)
 		panic(err)
 	}