4fbcc668d0
This commit introduces support for configuring mount propagation when mounting volumes with the `volume_mount` stanza on Linux targets. Similar to Kubernetes, we expose 3 options for configuring mount propagation: - private, which is equivalent to `rprivate` on Linux, which does not allow the container to see any new nested mounts after the chroot was created. - host-to-task, which is equivalent to `rslave` on Linux, which allows new mounts that have been created _outside of the container_ to be visible inside the container after the chroot is created. - bidirectional, which is equivalent to `rshared` on Linux, which allows the container to see new mounts created on the host, but importantly _allows the container to create mounts that are visible in other containers and on the host_. private and host-to-task are safe, but bidirectional mounts can be dangerous: if the code inside a container creates a mount and does not clean it up before the container is torn down, it can cause bad things to happen inside the kernel. To add a layer of safety here, we require that the user has ReadWrite permissions on the volume before allowing bidirectional mounts, as a defense-in-depth / validation case, although creating mounts should also require a privileged execution environment inside the container.
package structs
const (
	// VolumeTypeHost identifies a volume that is backed by a path on the Nomad
	// client host; see ClientHostVolumeConfig for how such paths are declared
	// on the client.
	VolumeTypeHost = "host"
)
const (
	// VolumeMountPropagationPrivate corresponds to rprivate on Linux: per the
	// commit description, the task does not see any nested mounts created
	// after its chroot was set up.
	VolumeMountPropagationPrivate = "private"

	// VolumeMountPropagationHostToTask corresponds to rslave on Linux: mounts
	// created outside the task become visible inside it, but not vice versa.
	VolumeMountPropagationHostToTask = "host-to-task"

	// VolumeMountPropagationBidirectional corresponds to rshared on Linux:
	// mounts propagate in both directions, so a task can create mounts that
	// become visible on the host and in other tasks. This is the only mode
	// with a host-side blast radius; the commit description states it is only
	// permitted on ReadWrite volumes, a check that lives outside this file.
	VolumeMountPropagationBidirectional = "bidirectional"
)

// MountPropagationModeIsValid reports whether propagationMode is the empty
// string or one of the three VolumeMountPropagation* constants. Matching is
// exact and case-sensitive, so e.g. "Private", "rshared" or " private" are
// rejected rather than normalised.
func MountPropagationModeIsValid(propagationMode string) bool {
	switch propagationMode {
	case VolumeMountPropagationPrivate, VolumeMountPropagationHostToTask, VolumeMountPropagationBidirectional:
		return true
	}
	// An unset mode is accepted as well; it is presumably treated downstream
	// as the default (private) behaviour — confirm against the mount code.
	return propagationMode == ""
}
// ClientHostVolumeConfig is used to configure access to host paths on a Nomad Client
type ClientHostVolumeConfig struct {
	// Name is the HCL block label; HostVolumeSliceMerge treats it as the
	// identity of the volume when deciding whether a later definition
	// overrides an earlier one.
	Name string `hcl:",key"`
	// Path is the host directory exposed through this volume.
	Path string `hcl:"path"`
	// ReadOnly marks the volume as read-only on the client. Enforcement of
	// the flag against task mounts happens outside this file.
	ReadOnly bool `hcl:"read_only"`
}

// Copy returns a detached copy of p, or nil for a nil receiver. Every field
// is a plain value, so a field-wise copy shares nothing with the original.
func (p *ClientHostVolumeConfig) Copy() *ClientHostVolumeConfig {
	if p == nil {
		return nil
	}
	dup := *p
	return &dup
}
// CopyMapStringClientHostVolumeConfig deep-copies m: the returned map is new
// and every value is produced by ClientHostVolumeConfig.Copy, so mutating the
// result never touches m. A nil input yields nil (not an empty map); nil
// values stay nil.
func CopyMapStringClientHostVolumeConfig(m map[string]*ClientHostVolumeConfig) map[string]*ClientHostVolumeConfig {
	if m == nil {
		return nil
	}
	out := make(map[string]*ClientHostVolumeConfig, len(m))
	for name, cfg := range m {
		out[name] = cfg.Copy()
	}
	return out
}
// CopySliceClientHostVolumeConfig deep-copies s. Both a nil and an empty
// slice come back as nil; otherwise the result has the same length and
// order, with each element copied via ClientHostVolumeConfig.Copy (nil
// elements remain nil).
func CopySliceClientHostVolumeConfig(s []*ClientHostVolumeConfig) []*ClientHostVolumeConfig {
	if len(s) == 0 {
		return nil
	}
	out := make([]*ClientHostVolumeConfig, 0, len(s))
	for _, cfg := range s {
		out = append(out, cfg.Copy())
	}
	return out
}
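// HostVolumeSliceMerge merges two host volume lists, with b taking precedence
// over a. An entry in b whose Name already appears in a replaces that entry
// in place (so the ordering of a is preserved); names first seen in b are
// appended in the order they occur in b. Every entry in the result is a
// copy, so the inputs are never aliased, and neither input is modified.
// Entries are expected to be non-nil: a nil element is dereferenced for its
// Name, as in the original implementation.
//
// Name is the identity of a host volume here: a later definition of the same
// name replaces the earlier one wholesale, including Path and ReadOnly. The
// result is presumably what decides which host paths tasks may mount, so the
// merge must not leave two live entries with the same Name — otherwise the
// effective Path/ReadOnly would depend on lookup order. The original only
// tracked names from a, so a name that occurred twice in b (and not in a)
// was appended twice; appended entries are now tracked too, giving a
// consistent last-definition-wins result. Duplicates already present in a
// are kept as before (a is normally the output of an earlier merge and so
// has none).
func HostVolumeSliceMerge(a, b []*ClientHostVolumeConfig) []*ClientHostVolumeConfig {
	// Capacity covers the no-overlap case so the appends below never reallocate.
	merged := make([]*ClientHostVolumeConfig, len(a), len(a)+len(b))
	indexByName := make(map[string]int, len(a)+len(b))

	for i, cfg := range a {
		merged[i] = cfg.Copy()
		// For duplicate names within a, the last occurrence is the one a
		// later b entry overrides, matching the original behaviour.
		indexByName[cfg.Name] = i
	}

	for _, cfg := range b {
		if i, seen := indexByName[cfg.Name]; seen {
			merged[i] = cfg.Copy()
			continue
		}
		// Record the appended entry so a second occurrence of this name later
		// in b overrides it instead of producing a duplicate.
		indexByName[cfg.Name] = len(merged)
		merged = append(merged, cfg.Copy())
	}

	return merged
}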
// VolumeRequest is a representation of a storage volume that a TaskGroup wishes to use.
type VolumeRequest struct {
	// Name is the task-group-level identifier of the volume; presumably what
	// VolumeMount.Volume refers to — confirm against the caller.
	Name string
	// Type selects the volume implementation, e.g. VolumeTypeHost.
	Type string
	// Source names the backing volume on the client. For VolumeTypeHost this
	// is presumably a ClientHostVolumeConfig.Name; verify against the client.
	Source string
	// ReadOnly requests that the volume be made available read-only.
	ReadOnly bool
}

// Copy returns a detached copy of v, or nil for a nil receiver. All fields
// are values, so a field-wise copy suffices.
func (v *VolumeRequest) Copy() *VolumeRequest {
	if v == nil {
		return nil
	}
	dup := *v
	return &dup
}
// CopyMapVolumeRequest deep-copies s. The result is a fresh map whose values
// are produced by VolumeRequest.Copy, so neither the map nor its entries
// alias the input. A nil map copies to nil rather than to an empty map; nil
// values stay nil.
func CopyMapVolumeRequest(s map[string]*VolumeRequest) map[string]*VolumeRequest {
	if s == nil {
		return nil
	}
	out := make(map[string]*VolumeRequest, len(s))
	for name, req := range s {
		out[name] = req.Copy()
	}
	return out
}
// VolumeMount represents the relationship between a destination path in a task
// and the task group volume that should be mounted there.
type VolumeMount struct {
	// Volume is the name of the task group volume being mounted.
	Volume string
	// Destination is the path inside the task at which the volume appears.
	Destination string
	// ReadOnly mounts the volume read-only inside the task.
	ReadOnly bool
	// PropagationMode is one of the VolumeMountPropagation* constants, or ""
	// when unset; MountPropagationModeIsValid accepts exactly that set. Per
	// the commit description, the bidirectional mode (rshared on Linux) lets
	// the task create mounts that are visible on the host and in other tasks,
	// and is only permitted on a ReadWrite volume; that check is enforced
	// outside this file.
	PropagationMode string
}

// Copy returns a detached copy of v, or nil when v is nil. The struct holds
// only value fields, so copying the struct copies everything.
func (v *VolumeMount) Copy() *VolumeMount {
	if v == nil {
		return nil
	}
	dup := *v
	return &dup
}
// CopySliceVolumeMount deep-copies s. Nil and empty slices both yield nil;
// otherwise the result has the same length and element order, with each
// element copied via VolumeMount.Copy (nil elements remain nil).
func CopySliceVolumeMount(s []*VolumeMount) []*VolumeMount {
	if len(s) == 0 {
		return nil
	}
	out := make([]*VolumeMount, 0, len(s))
	for _, m := range s {
		out = append(out, m.Copy())
	}
	return out
}