Merge pull request #47 from Roblox/host_dns

Add host_dns flag into TaskConfig.

README.md

@@ -88,6 +88,7 @@ More detailed instructions are in the [`example README.md`](https://github.com/R
 | **command** | string | no | Command to override command defined in the image. |
 | **args** | []string | no | Arguments to the command. |
 | **privileged** | bool | no | Run container in privileged mode. Your container will have all linux capabilities when running in privileged mode. |
+| **host_dns** | bool | no | Default (`true`). By default, a container launched using `containerd-driver` will use host `/etc/resolv.conf`. This is similar to [`docker behavior`](https://docs.docker.com/config/containers/container-networking/#dns-services). However, if you don't want to use host DNS, you can turn off this flag by setting `host_dns=false`. |
 | **seccomp** | bool | no | Enable default seccomp profile. List of [`allowed syscalls`](https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390). |
 | **seccomp_profile** | string | no | Path to custom seccomp profile. `seccomp` must be set to `true` in order to use `seccomp_profile`. The default `docker` seccomp profile found [`here`](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) can be used as a reference, and modified to create a custom seccomp profile. |
 | **readonly_rootfs** | bool | no | Container root filesystem will be read-only. |

containerd/containerd.go

@@ -142,6 +142,12 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 		mounts = append(mounts, m)
 	}
 
+	// Setup host DNS (/etc/resolv.conf) into the container.
+	if config.HostDNS {
+		dnsMount := buildMountpoint("bind", "/etc/resolv.conf", "/etc/resolv.conf", []string{"rbind", "ro"})
+		mounts = append(mounts, dnsMount)
+	}
+
 	// Setup "/secrets" (NOMAD_SECRETS_DIR) in the container.
 	if containerConfig.SecretsDir != "" {
 		secretsMount := buildMountpoint("bind", "/secrets", containerConfig.SecretsDir, []string{"rbind", "ro"})

containerd/driver.go

@@ -85,13 +85,17 @@ var (
 	// this is used to validate the configuration specified for the plugin
 	// when a job is submitted.
 	taskConfigSpec = hclspec.NewObject(map[string]*hclspec.Spec{
-		"image":           hclspec.NewAttr("image", "string", true),
-		"command":         hclspec.NewAttr("command", "string", false),
-		"args":            hclspec.NewAttr("args", "list(string)", false),
-		"cap_add":         hclspec.NewAttr("cap_add", "list(string)", false),
-		"cap_drop":        hclspec.NewAttr("cap_drop", "list(string)", false),
-		"devices":         hclspec.NewAttr("devices", "list(string)", false),
-		"privileged":      hclspec.NewAttr("privileged", "bool", false),
+		"image":      hclspec.NewAttr("image", "string", true),
+		"command":    hclspec.NewAttr("command", "string", false),
+		"args":       hclspec.NewAttr("args", "list(string)", false),
+		"cap_add":    hclspec.NewAttr("cap_add", "list(string)", false),
+		"cap_drop":   hclspec.NewAttr("cap_drop", "list(string)", false),
+		"devices":    hclspec.NewAttr("devices", "list(string)", false),
+		"privileged": hclspec.NewAttr("privileged", "bool", false),
+		"host_dns": hclspec.NewDefault(
+			hclspec.NewAttr("host_dns", "bool", false),
+			hclspec.NewLiteral("true"),
+		),
 		"seccomp":         hclspec.NewAttr("seccomp", "bool", false),
 		"seccomp_profile": hclspec.NewAttr("seccomp_profile", "string", false),
 		"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
@@ -146,6 +150,7 @@ type TaskConfig struct {
 	Seccomp        bool     `codec:"seccomp"`
 	SeccompProfile string   `codec:"seccomp_profile"`
 	Privileged     bool     `codec:"privileged"`
+	HostDNS        bool     `codec:"host_dns"`
 	ReadOnlyRootfs bool     `codec:"readonly_rootfs"`
 	HostNetwork    bool     `codec:"host_network"`
 	Mounts         []Mount  `codec:"mounts"`