Updated `priviliged` option, added client `priviliged` option

- Added error checking on priviliged mode.
- Added `docker.privileged.enabled` to client config/fingerprint

client/driver/docker.go

@@ -74,6 +74,15 @@ func (d *DockerDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool
 		return false, nil
 	}
 
+	privileged, err = strconv.ParseBool(d.config.ReadDefault("docker.privileged.enabled", "false"))
+	if err != nil {
+		return false, fmt.Errorf("Unable to parse docker.privileged.enabled: %s", err)
+	}
+	if privileged == true {
+		d.logger.Printf("[DEBUG] driver.docker: privileged containers enabled. Only enable if needed")
+		node.Attributes["docker.privileged.enabled"] = "1"
+	}
+
 	_, err = strconv.ParseBool(d.config.ReadDefault("docker.cleanup.container", "true"))
 	if err != nil {
 		return false, fmt.Errorf("Unable to parse docker.cleanup.container: %s", err)
@@ -167,8 +176,14 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task) (do
 	d.logger.Printf("[DEBUG] driver.docker: using %d cpu shares for %s", hostConfig.CPUShares, task.Config["image"])
 	d.logger.Printf("[DEBUG] driver.docker: binding directories %#v for %s", hostConfig.Binds, task.Config["image"])
 
-	//  set privileged (fallback to false)
+	//  set privileged mode
-	hostConfig.Privileged, _ = strconv.ParseBool(task.Config["privileged"])
+	if v, ok := task.Config["privileged"]; ok {
+		taskPrivileged, err := strconv.ParseBool(v)
+		if err != nil {
+			return hostConfig, fmt.Errorf("Unable to parse boolean value from task config option 'privileged': %s", err)
+		}
+		hostConfig.Privileged = taskPrivileged
+	}
 
 	// set DNS servers
 	dns, ok := task.Config["dns-servers"]

website/source/docs/drivers/docker.html.md

@@ -34,6 +34,8 @@ The `docker` driver supports the following configuration in the job specificatio
 
 * `privileged` - (optional) Privileged mode gives the container full access to 
    the host. Valid options are `"true"` and `"false"` (defaults to `"false"`).
+   In order to use privileged mode, a client with the option 
+   `docker.privileged.enabled = "true"` must be available.
 
 * `dns-servers` - (optional) A comma separated list of DNS servers for the container 
    to use (e.g. "8.8.8.8,8.8.4.4"). *Docker API v1.10 and above only*
@@ -139,6 +141,11 @@ The `docker` driver has the following configuration options:
 * `docker.cleanup.image` Defaults to `true`. Changing this to `false` will
   prevent Nomad from removing images from stopped tasks.
 
+* `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will
+   allow containers to use "privileged" mode, which gives the containers full access
+   to the host
+
+
 Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,
 `DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. In
 production Nomad will always read `docker.endpoint`.