Adding ability to specify capabilities and security

This patch adds the ability to specify required capabilities and security
mode for a specific docker container.

Change-Id: Ib8c15a8e354178bedd31ebb31a64618431f0e135
Closes-Bug: #1572648
Serguei Bezverkhi 2016-04-20 12:13:36 -04:00
parent 3bb62d9d5a
commit a08a762f30


@ -98,6 +98,18 @@ options:
default: None default: None
choices: choices:
- host - host
cap_add:
description:
- Add capabilities to docker container
required: False
type: list
default: list()
security_opt:
description:
- Set container security profile
required: False
type: list
default: list()
labels: labels:
description: description:
- List of labels to apply to container - List of labels to apply to container
@ -252,6 +264,8 @@ class DockerWorker(object):
def check_container_differs(self): def check_container_differs(self):
container_info = self.get_container_info() container_info = self.get_container_info()
return ( return (
self.compare_cap_add(container_info) or
self.compare_security_opt(container_info) or
self.compare_image(container_info) or self.compare_image(container_info) or
self.compare_ipc_mode(container_info) or self.compare_ipc_mode(container_info) or
self.compare_labels(container_info) or self.compare_labels(container_info) or
@ -271,6 +285,24 @@ class DockerWorker(object):
if new_ipc_mode != current_ipc_mode: if new_ipc_mode != current_ipc_mode:
return True return True
def compare_cap_add(self, container_info):
new_cap_add = self.params.get('cap_add', list())
current_cap_add = container_info['HostConfig'].get('CapAdd',
list())
if not current_cap_add:
current_cap_add = list()
if set(new_cap_add).symmetric_difference(set(current_cap_add)):
return True
def compare_security_opt(self, container_info):
new_sec_opt = self.params.get('security_opt', list())
current_sec_opt = container_info['HostConfig'].get('SecurityOpt',
list())
if not current_sec_opt:
current_sec_opt = list()
if set(new_sec_opt).symmetric_difference(set(current_sec_opt)):
return True
def compare_pid_mode(self, container_info): def compare_pid_mode(self, container_info):
new_pid_mode = self.params.get('pid_mode') new_pid_mode = self.params.get('pid_mode')
current_pid_mode = container_info['HostConfig'].get('PidMode') current_pid_mode = container_info['HostConfig'].get('PidMode')
@ -467,6 +499,8 @@ class DockerWorker(object):
options = { options = {
'network_mode': 'host', 'network_mode': 'host',
'ipc_mode': self.params.get('ipc_mode'), 'ipc_mode': self.params.get('ipc_mode'),
'cap_add': self.params.get('cap_add'),
'security_opt': self.params.get('security_opt'),
'pid_mode': self.params.get('pid_mode'), 'pid_mode': self.params.get('pid_mode'),
'privileged': self.params.get('privileged'), 'privileged': self.params.get('privileged'),
'volumes_from': self.params.get('volumes_from') 'volumes_from': self.params.get('volumes_from')
@ -627,6 +661,8 @@ def generate_module():
environment=dict(required=False, type='dict'), environment=dict(required=False, type='dict'),
image=dict(required=False, type='str'), image=dict(required=False, type='str'),
ipc_mode=dict(required=False, type='str', choices=['host']), ipc_mode=dict(required=False, type='str', choices=['host']),
cap_add=dict(required=False, type='list', default=list()),
security_opt=dict(required=False, type='list', default=list()),
pid_mode=dict(required=False, type='str', choices=['host']), pid_mode=dict(required=False, type='str', choices=['host']),
privileged=dict(required=False, type='bool', default=False), privileged=dict(required=False, type='bool', default=False),
remove_on_exit=dict(required=False, type='bool', default=True), remove_on_exit=dict(required=False, type='bool', default=True),
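Review bot: In `compare_cap_add` and `compare_security_opt` (third hunk) only the daemon-reported list is normalised with `if not current_...`; the requested list is not, and the `list()` fallback in `self.params.get('cap_add', list())` applies only when the key is absent. If either parameter can arrive as an explicit `None` (not verifiable from this page), `set(new_cap_add)` raises `TypeError` and the drift check for capabilities and security options fails instead of reporting a difference; `new_cap_add = self.params.get('cap_add') or list()`, and the same for `security_opt`, would close that. The comparison is also an exact string match, so a value the daemon reports in a different spelling than the playbook would presumably be seen as drift on every run, which is worth confirming against real `HostConfig` output. Because both options change how the container is confined and the fourth hunk passes them to the host config without any `choices` or validation, the `options:` descriptions in the first hunk could state the expected value format and that entries are handed to Docker as given.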