Merge pull request #7 from Roblox/args

Add support for TaskConfig flags.
2020-06-24 09:59:07 -07:00 · 2020-06-24 09:59:07 -07:00 · eec5ca2478
commit eec5ca2478
parent 14f75eb459 ed9d748e47
4 changed files with 103 additions and 6 deletions
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@ -1,6 +1,8 @@
 package containerd

 import (
+	"fmt"
+
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/oci"
@ -18,13 +20,40 @@ func (d *Driver) pullImage(imageName string) (containerd.Image, error) {
 	return d.client.Pull(d.ctxContainerd, imageName, containerd.WithPullUnpack)
 }

-func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime string, env []string) (containerd.Container, error) {
+func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime string, env []string, config *TaskConfig) (containerd.Container, error) {
+	if config.Command == "" && len(config.Args) > 0 {
+		return nil, fmt.Errorf("Command is empty. Cannot set --args without --command.")
+	}
+
+	var args []string
+	if config.Command != "" {
+		args = append(args, config.Command)
+	}
+
+	if len(config.Args) > 0 {
+		args = append(args, config.Args...)
+	}
+
+	var opts []oci.SpecOpts
+
+	opts = append(opts, oci.WithImageConfigArgs(image, args))
+
+	if len(config.CapAdd) > 0 {
+		opts = append(opts, oci.WithAddedCapabilities(config.CapAdd))
+	}
+
+	if len(config.CapDrop) > 0 {
+		opts = append(opts, oci.WithDroppedCapabilities(config.CapDrop))
+	}
+
+	opts = append(opts, oci.WithEnv(env))
+
 	return d.client.NewContainer(
 		d.ctxContainerd,
 		containerName,
 		containerd.WithRuntime(containerdRuntime, nil),
 		containerd.WithNewSnapshot(containerSnapshotName, image),
-		containerd.WithNewSpec(oci.WithImageConfig(image), oci.WithEnv(env)),
+		containerd.WithNewSpec(opts...),
 	)
 }

--- a/containerd/driver.go
+++ b/containerd/driver.go
@ -69,7 +69,11 @@ var (
 	// this is used to validate the configuration specified for the plugin
 	// when a job is submitted.
 	taskConfigSpec = hclspec.NewObject(map[string]*hclspec.Spec{
-		"image": hclspec.NewAttr("image", "string", true),
+		"image":    hclspec.NewAttr("image", "string", true),
+		"command":  hclspec.NewAttr("command", "string", false),
+		"args":     hclspec.NewAttr("args", "list(string)", false),
+		"cap_add":  hclspec.NewAttr("cap_add", "list(string)", false),
+		"cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
 	})

 	// capabilities indicates what optional features this driver supports
@ -92,7 +96,11 @@ type Config struct {
 // TaskConfig contains configuration information for a task that runs with
 // this plugin
 type TaskConfig struct {
-	Image string `codec:"image"`
+	Image   string   `codec:"image"`
+	Command string   `codec:"command"`
+	Args    []string `codec:"args"`
+	CapAdd  []string `codec:"cap_add"`
+	CapDrop []string `codec:"cap_drop"`
 }

 // TaskState is the runtime state which is encoded in the handle returned to
@ -302,7 +310,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	}

 	containerSnapshotName := fmt.Sprintf("%s-snapshot", containerName)
-	container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, env)
+	container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, env, &driverConfig)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Error in creating container: %v", err)
 	}
--- a/example/README.md
+++ b/example/README.md
@ -8,7 +8,7 @@ $ nomad job run redis.nomad
 ```
 will start a `redis` server using `nomad-driver-containerd`

-### Exec into redis container
+**Exec into redis container**

 ```
 $ nomad job status redis
@ -60,3 +60,38 @@ While the container is running, you can check the stats using:
 ```
 $ nomad alloc status -stats <allocation_id>
 ```
+
+## Capabilities
+
+```
+$ nomad job run capabilities.nomad
+```
+will start an `ubuntu:16.04` container using `nomad-driver-containerd`.
+This container sleeps for 10 mins (600 seconds) and add (and drop) the following capabilities.
+
+**New capabilities added:**
+```
+CAP_SYS_ADMIN
+CAP_IPC_OWNER
+CAP_IPC_LOCK
+```
+**Existing capabilities dropped:**
+```
+CAP_CHOWN
+CAP_SYS_CHROOT
+CAP_DAC_OVERRIDE
+```
+**Exec into capabilities container to check capabilities**
+
+```
+$ nomad job status capabilities
+```
+Copy the allocation ID from the output of `nomad job status` command.
+
+```
+$ nomad alloc exec -i -t <allocation_id> /bin/bash
+```
+Print capabilities (Inside the container)
+```
+$ capsh --print
+```
--- a/example/capabilities.nomad
+++ b/example/capabilities.nomad
@ -0,0 +1,25 @@
+job "capabilities" {
+  datacenters = ["dc1"]
+
+  group "capabilities-group" {
+    task "capabilities-task" {
+      driver = "containerd-driver"
+
+      config {
+        image    = "docker.io/library/ubuntu:16.04"
+        command  = "sleep"
+        args     = ["600s"]
+        cap_add  = ["CAP_SYS_ADMIN", "CAP_IPC_OWNER", "CAP_IPC_LOCK"]
+        cap_drop = ["CAP_CHOWN", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"]
+      }
+
+      resources {
+        cpu    = 500
+        memory = 256
+        network {
+          mbits = 10
+        }
+      }
+    }
+  }
+}