author | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-03-08 14:02:53 +0100 |
---|---|---|
committer | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-03-08 14:02:53 +0100 |
commit | f5721b6dd9ad37f08928cb33ffa8cbd848bb6036 (patch) | |
tree | 17e796e6c7c4d73588f3c2beabd83d5c78c3f77b /docker-api/src | |
parent | b24341afc0cba1dc9e1a1d5249e1268961c8da19 (diff) |
Add method to set docker container security options
Diffstat (limited to 'docker-api/src')
-rw-r--r-- | docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java | 14 | ||||
-rw-r--r-- | docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java | 1 |
2 files changed, 13 insertions, 2 deletions
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
index 5a8785328c7..d6f5ccbbea8 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
@@ -15,6 +15,7 @@ import java.nio.file.Path;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -39,6 +40,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 private final List<Ulimit> ulimits = new ArrayList<>();
 private final Set<Capability> addCapabilities = new HashSet<>();
 private final Set<Capability> dropCapabilities = new HashSet<>();
+ private final Set<String> securityOpts = new HashSet<>();
 private Optional<String> hostName = Optional.empty();
 private Optional<ContainerResources> containerResources = Optional.empty();
@@ -91,6 +93,12 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 }
 @Override
+ public Docker.CreateContainerCommand withSecurityOpts(String securityOpt) {
+ securityOpts.add(securityOpt);
+ return this;
+ }
+
+ @Override
 public Docker.CreateContainerCommand withPrivileged(boolean privileged) {
 this.privileged = privileged;
 return this;
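Review bot: The new `withSecurityOpts` in `CreateContainerCommandImpl` adds its argument to the set unchecked, so a null or blank option is not rejected where the mistake is made. It would surface later, as a `null` element in the list handed to `HostConfig.withSecurityOpts(...)` and as the text `--security-opt null` from `toRepeatedOption`. A guard as the first line of the method would fail fast: `if (securityOpt == null || securityOpt.trim().isEmpty()) throw new IllegalArgumentException("securityOpt must not be blank");`.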
@@ -157,7 +165,8 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 private CreateContainerCmd createCreateContainerCmd() {
 List<Bind> volumeBinds = volumeBindSpecs.stream().map(Bind::parse).collect(Collectors.toList());
- final HostConfig hostConfig = new HostConfig();
+ final HostConfig hostConfig = new HostConfig()
+ .withSecurityOpts(new ArrayList<>(securityOpts));
 containerResources.ifPresent(cr -> hostConfig
 .withCpuShares(cr.cpuShares())
@@ -193,7 +202,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 }
 /** Maps ("--env", {"A", "B", "C"}) to "--env A --env B --env C" */
- private static String toRepeatedOption(String option, List<String> optionValues) {
+ private static String toRepeatedOption(String option, Collection<String> optionValues) {
 return optionValues.stream()
 .map(optionValue -> option + " " + optionValue)
 .collect(Collectors.joining(" "));
@@ -234,6 +243,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 toRepeatedOption("--volume", volumeBindSpecs),
 toRepeatedOption("--cap-add", addCapabilitiesList),
 toRepeatedOption("--cap-drop", dropCapabilitiesList),
+ toRepeatedOption("--security-opt", securityOpts),
 toOptionalOption("--net", networkMode),
 toOptionalOption("--ip", ipv4Address),
 toOptionalOption("--ip6", ipv6Address),
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
index f4cd1d770fb..4f454520897 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
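Review bot: The `--security-opt` entry added to the option list in `CreateContainerCommandImpl` is fed straight from the `HashSet`, so with more than one option the order of the rendered flags follows hash iteration order and is not guaranteed to be stable. The capability flags beside it go through `addCapabilitiesList` and `dropCapabilitiesList`, which are built outside the hunk; if those are ordered, passing `securityOpts.stream().sorted().collect(Collectors.toList())` here would keep the string stable for logs and comparisons. The enclosing method starts and ends outside the hunk.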
@@ -50,6 +50,7 @@ public interface Docker {
 CreateContainerCommand withManagedBy(String manager);
 CreateContainerCommand withAddCapability(String capabilityName);
 CreateContainerCommand withDropCapability(String capabilityName);
+ CreateContainerCommand withSecurityOpts(String securityOpt);
 CreateContainerCommand withPrivileged(boolean privileged);
 void create(); |
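Review bot: The added `withSecurityOpts(String securityOpt)` on `CreateContainerCommand` is undocumented, and its plural name hides that each call adds a single option, unlike the singular `withAddCapability`/`withDropCapability` beside it. A one-line Javadoc would cover it, e.g. `/** Adds one docker --security-opt value (such as "no-new-privileges"); may be called several times. */`, and `withSecurityOpt` would match the neighbours. Because some values (`seccomp=unconfined`, `apparmor=unconfined`, `label=disable`) turn a confinement layer off, the comment should also say that callers pass fixed, reviewed strings rather than values taken from external input. The implementation in `CreateContainerCommandImpl` carries the same name; the rest of the interface lies outside the hunk.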