3 files changed, 18 insertions, 2 deletions
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
index 5a8785328c7..d6f5ccbbea8 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
@@ -15,6 +15,7 @@ import java.nio.file.Path;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -39,6 +40,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 private final List<Ulimit> ulimits = new ArrayList<>();
 private final Set<Capability> addCapabilities = new HashSet<>();
 private final Set<Capability> dropCapabilities = new HashSet<>();
+ private final Set<String> securityOpts = new HashSet<>();
 private Optional<String> hostName = Optional.empty();
 private Optional<ContainerResources> containerResources = Optional.empty();
@@ -91,6 +93,12 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 }
 @Override
+ public Docker.CreateContainerCommand withSecurityOpts(String securityOpt) {
+ securityOpts.add(securityOpt);
+ return this;
+ }
+
+ @Override
 public Docker.CreateContainerCommand withPrivileged(boolean privileged) {
 this.privileged = privileged;
 return this;
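Review bot: The added `withSecurityOpts` stores whatever string it receives, so a null or a confinement-relaxing value such as `seccomp=unconfined` or `apparmor=unconfined` is passed straight through to the host config without any check. A null would also be rendered as `--security-opt null` by `toRepeatedOption`, which concatenates the value into the option string. At minimum I would reject null with `securityOpts.add(Objects.requireNonNull(securityOpt, "securityOpt"));` (this needs `java.util.Objects`, which is not among the imports visible in this diff). If the callers only need a small, known set of options, comparing the argument against an allow-list here would keep an unreviewed option from silently reducing container isolation.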
@@ -157,7 +165,8 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 private CreateContainerCmd createCreateContainerCmd() {
 List<Bind> volumeBinds = volumeBindSpecs.stream().map(Bind::parse).collect(Collectors.toList());
- final HostConfig hostConfig = new HostConfig();
+ final HostConfig hostConfig = new HostConfig()
+ .withSecurityOpts(new ArrayList<>(securityOpts));
 containerResources.ifPresent(cr -> hostConfig
 .withCpuShares(cr.cpuShares())
@@ -193,7 +202,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 }
 /** Maps ("--env", {"A", "B", "C"}) to "--env A --env B --env C" */
- private static String toRepeatedOption(String option, List<String> optionValues) {
+ private static String toRepeatedOption(String option, Collection<String> optionValues) {
 return optionValues.stream()
 .map(optionValue -> option + " " + optionValue)
 .collect(Collectors.joining(" "));
@@ -234,6 +243,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
 toRepeatedOption("--volume", volumeBindSpecs),
 toRepeatedOption("--cap-add", addCapabilitiesList),
 toRepeatedOption("--cap-drop", dropCapabilitiesList),
+ toRepeatedOption("--security-opt", securityOpts),
 toOptionalOption("--net", networkMode),
 toOptionalOption("--ip", ipv4Address),
 toOptionalOption("--ip6", ipv6Address),
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
index f4cd1d770fb..4f454520897 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/Docker.java
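Review bot: `toRepeatedOption("--security-opt", securityOpts)` iterates a `HashSet`, so the order of the `--security-opt` entries in the rendered string is unspecified and may differ between runs, which makes the resulting command line harder to compare and audit. The neighbouring arguments are named `addCapabilitiesList` and `dropCapabilitiesList`, which suggests they are converted to an ordered list before rendering, although that code is outside the hunk. Sorting here as well, e.g. `toRepeatedOption("--security-opt", securityOpts.stream().sorted().collect(Collectors.toList()))`, or declaring the field as a `TreeSet`, would keep the output stable. The enclosing method starts and ends outside the hunk.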
@@ -50,6 +50,7 @@ public interface Docker {
 CreateContainerCommand withManagedBy(String manager);
 CreateContainerCommand withAddCapability(String capabilityName);
 CreateContainerCommand withDropCapability(String capabilityName);
+ CreateContainerCommand withSecurityOpts(String securityOpt);
 CreateContainerCommand withPrivileged(boolean privileged);
 void create();
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
index 87b07ca4ed9..5d6d2e5e99e 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/integrationTests/DockerMock.java
@@ -180,6 +180,11 @@ public class DockerMock implements Docker {
 }
 @Override
+ public CreateContainerCommand withSecurityOpts(String securityOpt) {
+ return this;
+ }
+
+ @Override
 public CreateContainerCommand withPrivileged(boolean privileged) {
 return this;
 } |
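Review bot: The new interface method `withSecurityOpts(String securityOpt)` has no Javadoc and is named in the plural although it takes a single option, unlike the singular `withAddCapability` and `withDropCapability` declared just above it. I would add a comment such as `/** Adds one Docker security option (e.g. "no-new-privileges"); may be called repeatedly. Options that relax seccomp, AppArmor or SELinux confinement reduce isolation. */` so callers know the expected form and the risk. Renaming it to `withSecurityOpt` while it still has few callers would match the neighbouring methods. The interface body continues outside the hunk.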