Added ability to disable privileged mode for containers (fixes #251)

aerokube · Oct 27, 2017 · 6913fb5 · 6913fb5
1 parent 3b537ce
commit 6913fb5
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 2 deletions.
diff --git a/main.go b/main.go
@@ -73,6 +73,7 @@ var (
 	confPath                 string
 	logConfPath              string
 	captureDriverLogs        bool
+	disablePrivileged        bool
 	conf                     *config.Config
 	queue                    *protect.Queue
 	manager                  service.Manager
@@ -105,6 +106,7 @@ func init() {
 	flag.Var(&cpu, "cpu", "Containers cpu limit as float e.g. 0.2 or 1.0")
 	flag.StringVar(&containerNetwork, "container-network", "default", "Network to be used for containers")
 	flag.BoolVar(&captureDriverLogs, "capture-driver-logs", false, "Whether to add driver process logs to Selenoid output")
+	flag.BoolVar(&disablePrivileged, "disable-privileged", false, "Whether to disable privileged container mode")
 	flag.Parse()
 
 	if version {
@@ -142,6 +144,7 @@ func init() {
 		Network:           containerNetwork,
 		StartupTimeout:    serviceStartupTimeout,
 		CaptureDriverLogs: captureDriverLogs,
+		Privileged:        !disablePrivileged,
 	}
 	if disableDocker {
 		manager = &service.DefaultManager{Environment: &environment, Config: conf}

diff --git a/service/docker.go b/service/docker.go
@@ -13,12 +13,16 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
 	"github.com/docker/docker/client"
 	"github.com/docker/go-connections/nat"
 	"strings"
 )
 
-const comma = ","
+const (
+	comma    = ","
+	sysAdmin = "SYS_ADMIN"
+)
 
 // Docker - docker container manager
 type Docker struct {
@@ -54,13 +58,16 @@ func (d *Docker) StartWithCancel() (*StartedService, error) {
 		NetworkMode:  container.NetworkMode(d.Network),
 		Tmpfs:        d.Service.Tmpfs,
 		ShmSize:      getShmSize(d.Service),
-		Privileged:   true,
+		Privileged:   d.Privileged,
 		Resources: container.Resources{
 			Memory:   d.Memory,
 			NanoCPUs: d.CPU,
 		},
 		ExtraHosts: getExtraHosts(d.Service, d.Caps),
 	}
+	if !d.Privileged {
+		hostConfig.CapAdd = strslice.StrSlice{sysAdmin}
+	}
 	if d.ApplicationContainers != "" {
 		links := strings.Split(d.ApplicationContainers, comma)
 		hostConfig.Links = links

diff --git a/service/service.go b/service/service.go
@@ -22,6 +22,7 @@ type Environment struct {
 	Hostname          string
 	StartupTimeout    time.Duration
 	CaptureDriverLogs bool
+	Privileged        bool
 }
 
 // ServiceBase - stores fields required by all services

diff --git a/service_test.go b/service_test.go
@@ -177,6 +177,7 @@ func testEnvironment() *service.Environment {
 		Network:           containerNetwork,
 		StartupTimeout:    serviceStartupTimeout,
 		CaptureDriverLogs: captureDriverLogs,
+		Privileged:        false,
 	}
 }