5 files changed, 46 insertions, 15 deletions
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
index 260e2da7c59..d95f7b7b8e1 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
@@ -107,7 +107,14 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
     @Override
     public Docker.CreateContainerCommand withVolume(String path, String volumePath) {
         assert path.indexOf(':') == -1;
-        volumeBindSpecs.add(path + ":" + volumePath);
+        volumeBindSpecs.add(path + ":" + volumePath + ":Z");
+        return this;
+    }
+
+    @Override
+    public Docker.CreateContainerCommand withSharedVolume(String path, String volumePath) {
+        assert path.indexOf(':') == -1;
+        volumeBindSpecs.add(path + ":" + volumePath + ":z");
         return this;
     }
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
index 91d5125eba3..5e8a0feb099 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
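Review bot: withSharedVolume copies withVolume line for line, including the `assert path.indexOf(':') == -1` guard, which only runs when the JVM is started with -ea; in a normal deployment a host path containing ':' is silently appended as a malformed bind spec (the ':' is the field delimiter of `host:container:label`), and volumePath is not checked at all. I would route both methods through one private helper that takes the SELinux label as an argument and rejects a ':' in either path with an IllegalArgumentException, so the two variants cannot drift apart and the precondition is enforced in production. The enclosing class continues outside the hunk, so the helper goes next to these two methods.
```java
    @Override
    public Docker.CreateContainerCommand withVolume(String path, String volumePath) {
        return addVolumeBind(path, volumePath, "Z");
    }

    @Override
    public Docker.CreateContainerCommand withSharedVolume(String path, String volumePath) {
        return addVolumeBind(path, volumePath, "z");
    }

    /** Appends a bind spec; neither path may contain ':' because it delimits the spec fields. */
    private Docker.CreateContainerCommand addVolumeBind(String path, String volumePath, String selinuxLabel) {
        if (path.indexOf(':') != -1 || volumePath.indexOf(':') != -1) {
            throw new IllegalArgumentException("Bind mount paths must not contain ':': " + path + " -> " + volumePath);
        }
        volumeBindSpecs.add(path + ":" + volumePath + ":" + selinuxLabel);
        return this;
    }
```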
@@ -19,7 +19,30 @@ public interface Docker {
     interface CreateContainerCommand {
         CreateContainerCommand withLabel(String name, String value);
         CreateContainerCommand withEnvironment(String name, String value);
+
+        /**
+         * Mounts a directory on host inside the docker container.
+         *
+         * <p>Bind mount content will be <b>private</b> to this container (and host) only.
+         *
+         * <p>When using this method and selinux is enabled (/usr/sbin/sestatus), starting
+         * multiple containers which mount host's /foo directory into the container, will make
+         * /foo's content visible/readable/writable only inside the container which was last
+         * started and on the host. All the other containers will get "Permission denied".
+         *
+         * <p>Use {@link #withSharedVolume(String, String)} to mount a given host directory
+         * into multiple containers.
+         */
         CreateContainerCommand withVolume(String path, String volumePath);
+
+        /**
+         * Mounts a directory on host inside the docker container.
+         *
+         * <p>The bind mount content will be <b>shared</b> among multiple containers.
+         *
+         * @see #withVolume(String, String)
+         */
+        CreateContainerCommand withSharedVolume(String path, String volumePath);
         CreateContainerCommand withNetworkMode(String mode);
         CreateContainerCommand withIpAddress(InetAddress address);
         CreateContainerCommand withUlimit(String name, int softLimit, int hardLimit);
diff --git a/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java b/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
index 0d8701ac43c..5ce8c6b093c 100644
--- a/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
+++ b/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
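Review bot: The new Javadoc on withVolume and withSharedVolume describes the visibility effect but not its mechanism or persistence, which is what an operator needs when a host directory is passed in: the implementation in CreateContainerCommandImpl appends the `Z`/`z` bind-mount options, and if those are the SELinux relabel flags the host directory itself is relabelled, which outlives the container and affects host processes that read the same path. I would add a sentence to each doc along the lines of `<p>The host directory is relabelled on the host (SELinux bind-mount option), so the effect persists after the container is removed; do not pass system directories shared with other host services.` Both docs also leave read/write mode unstated; saying that the mount is read-write would spare callers a look at the implementation.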
@@ -46,7 +46,7 @@ public class CreateContainerCommandImplTest {
                 "--ulimit nproc=10:20 " +
                 "--env env1=val1 " +
                 "--env env2=val2 " +
-                "--volume vol1:/host/vol1 " +
+                "--volume vol1:/host/vol1:Z " +
                 "--cap-add SYS_ADMIN " +
                 "--cap-add SYS_PTRACE " +
                 "--cap-drop NET_ADMIN " +
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
index f3b5dc9342a..e558cb5bdb2 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
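Review bot: Only the `:Z` suffix of withVolume is pinned by the updated expectation; nothing in this test exercises the new withSharedVolume, so a regression that emitted `:Z` for both methods (or dropped the suffix) would pass. The command under test is built outside this hunk, but adding one `.withSharedVolume("vol2", "/host/vol2")` call there and one expected line `"--volume vol2:/host/vol2:z " +` next to the vol1 line would cover the distinction the commit introduces.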
@@ -87,33 +87,30 @@ public class DockerOperationsImpl implements DockerOperations {
                 .withUlimit("nproc", 32_768, 409_600)
                 .withUlimit("core", -1, -1)
                 .withAddCapability("SYS_PTRACE") // Needed for gcore, pstack etc.
-                .withAddCapability("SYS_ADMIN") // Needed for perf
-
-                // TODO: Fix. Run containers as privileged in AWS because mapped directories are on another device
-                .withPrivileged(environment.getCloud().equalsIgnoreCase("aws"));
+                .withAddCapability("SYS_ADMIN"); // Needed for perf
         if (environment.getNodeType() == NodeType.confighost || environment.getNodeType() == NodeType.proxyhost) {
             command.withVolume("/var/lib/sia", "/var/lib/sia");
         }
+        if (environment.getNodeType() == NodeType.proxyhost) {
+            command.withVolume("/opt/yahoo/share/ssl/certs/", "/opt/yahoo/share/ssl/certs/");
+        }
+
         if (environment.getNodeType() == NodeType.host) {
             Path zpePathInNode = environment.pathInNodeUnderVespaHome("var/zpe");
             if (environment.isRunningOnHost()) {
-                command.withVolume("/var/zpe", zpePathInNode.toString());
+                command.withSharedVolume("/var/zpe", zpePathInNode.toString());
             } else {
                 command.withVolume(environment.pathInHostFromPathInNode(containerName, zpePathInNode).toString(), zpePathInNode.toString());
             }
         }
-        if (environment.getNodeType() == NodeType.proxyhost) {
-            command.withVolume("/opt/yahoo/share/ssl/certs/", "/opt/yahoo/share/ssl/certs/");
-        }
-
         if (!docker.networkNATed()) {
             command.withIpAddress(ipV6Address);
             command.withNetworkMode(DockerImpl.DOCKER_CUSTOM_MACVLAN_NETWORK_NAME);
-            command.withVolume("/etc/hosts", "/etc/hosts");
+            command.withSharedVolume("/etc/hosts", "/etc/hosts");
         } else {
             InetAddress ipV6Prefix = InetAddresses.forString(IPV6_NPT_PREFIX);
             InetAddress ipV6Local = IPAddresses.prefixTranslate(ipV6Address, ipV6Prefix, 8);
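Review bot: The mounts of `/var/lib/sia` (confighost and proxyhost) and `/opt/yahoo/share/ssl/certs/` (proxyhost) stay on withVolume, which after this commit appends the private `:Z` option, while `/var/zpe` and `/etc/hosts` were deliberately switched to withSharedVolume; the new Javadoc in Docker.java says a `:Z` path becomes unreadable from every container but the last one started, and a relabel of a host credential or certificate directory can also lock out host-side readers of the same path. If more than one container on a confighost or proxyhost is expected to use those directories, or a host agent reads them, they need withSharedVolume as well; if one container per host is the invariant, a comment stating that next to the `/var/lib/sia` line would stop the next reader from "fixing" it. The method continues outside the hunk.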
@@ -368,9 +365,6 @@ public class DockerOperationsImpl implements DockerOperations {
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/db/vespa"), false);
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/jdisc_container"), false);
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/jdisc_core"), false);
-        if (environment.getNodeType() == NodeType.host) {
-            directoriesToMount.put(Paths.get("/var/lib/sia"), true);
-        }
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/maven"), false);
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/run"), false);
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/scoreboards"), true);
@@ -385,6 +379,8 @@ public class DockerOperationsImpl implements DockerOperations {
         directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/container-data"), false);
         if (environment.getNodeType() == NodeType.proxyhost)
             directoriesToMount.put(environment.pathInNodeUnderVespaHome("var/vespa-hosted/routing"), true);
+        if (environment.getNodeType() == NodeType.host)
+            directoriesToMount.put(Paths.get("/var/lib/sia"), true);
         return Collections.unmodifiableMap(directoriesToMount);
     }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
index 9b9bb2af26c..4b4ef05593d 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
@@ -167,6 +167,11 @@ public class DockerMock implements Docker {
     }
     @Override
+    public CreateContainerCommand withSharedVolume(String path, String volumePath) {
+        return this;
+    }
+
+    @Override
     public CreateContainerCommand withNetworkMode(String mode) {
         return this;
     }
|