Skip to content

Commit

Permalink
rkt: allow specifying --group
Browse files Browse the repository at this point in the history
  • Loading branch information
schmichael committed Mar 15, 2018
1 parent 7440e23 commit 04b0ebc
Show file tree
Hide file tree
Showing 3 changed files with 49 additions and 24 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ IMPROVEMENTS:
* driver/docker: Support adding or dropping capabilities [[GH-3754](https://github.com/hashicorp/nomad/issues/3754)]
* driver/docker: Support mounting root filesystem as read-only [[GH-3802](https://github.com/hashicorp/nomad/issues/3802)]
* driver/lxc: Add volumes config to LXC driver [[GH-3687](https://github.com/hashicorp/nomad/issues/3687)]
* driver/rkt: Allow overriding group [[GH-3990](https://github.com/hashicorp/nomad/issues/3990)]
* telemetry: Support DataDog tags [[GH-3839](https://github.com/hashicorp/nomad/issues/3839)]

BUG FIXES:
Expand Down
14 changes: 12 additions & 2 deletions client/driver/rkt.go
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,9 @@ type RktDriverConfig struct {
Volumes []string `mapstructure:"volumes"` // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container[:readOnly]
InsecureOptions []string `mapstructure:"insecure_options"` // list of args for --insecure-options

NoOverlay bool `mapstructure:"no_overlay"` // disable overlayfs for rkt run
Debug bool `mapstructure:"debug"` // Enable debug option for rkt command
NoOverlay bool `mapstructure:"no_overlay"` // disable overlayfs for rkt run
Debug bool `mapstructure:"debug"` // Enable debug option for rkt command
Group string `mapstructure:"group"` // Group override for the container
}

// rktHandle is returned from Start/Open as a handle to the PID
Expand Down Expand Up @@ -294,6 +295,9 @@ func (d *RktDriver) Validate(config map[string]interface{}) error {
"insecure_options": {
Type: fields.TypeArray,
},
"group": {
Type: fields.TypeString,
},
},
}

Expand Down Expand Up @@ -577,6 +581,12 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (*StartResponse,
prepareArgs = append(prepareArgs, fmt.Sprintf("--user=%s", task.User))
}

// There's no task-level parameter for groups so check the driver
// config for a custom group
if driverConfig.Group != "" {
prepareArgs = append(prepareArgs, fmt.Sprintf("--group=%s", driverConfig.Group))
}

// Add user passed arguments.
if len(driverConfig.Args) != 0 {
parsed := ctx.TaskEnv.ParseAndReplace(driverConfig.Args)
Expand Down
58 changes: 36 additions & 22 deletions client/driver/rkt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -344,25 +344,25 @@ func TestRktDriver_Start_Wait_AllocDir(t *testing.T) {
}
}

func TestRktDriverUser(t *testing.T) {
assert := assert.New(t)
// TestRktDriver_UserGroup asserts tasks may override the user and group of the
// rkt image.
func TestRktDriver_UserGroup(t *testing.T) {
if !testutil.IsTravis() {
t.Parallel()
}
if os.Getenv("NOMAD_TEST_RKT") == "" {
t.Skip("skipping rkt tests")
}

ctestutils.RktCompatible(t)
require := assert.New(t)

task := &structs.Task{
Name: "etcd",
Driver: "rkt",
User: "alice",
User: "nobody",
Config: map[string]interface{}{
"trust_prefix": "coreos.com/etcd",
"image": "coreos.com/etcd:v2.0.4",
"command": "/etcd",
"args": []string{"--version"},
"image": "docker://redis:3.2",
"group": "nogroup",
},
LogConfig: &structs.LogConfig{
MaxFiles: 10,
Expand All @@ -374,23 +374,37 @@ func TestRktDriverUser(t *testing.T) {
},
}

ctx := testDriverContexts(t, task)
defer ctx.AllocDir.Destroy()
d := NewRktDriver(ctx.DriverCtx)
tctx := testDriverContexts(t, task)
defer tctx.AllocDir.Destroy()
d := NewRktDriver(tctx.DriverCtx)

_, err := d.Prestart(ctx.ExecCtx, task)
assert.Nil(err)
resp, err := d.Start(ctx.ExecCtx, task)
assert.Nil(err)
_, err := d.Prestart(tctx.ExecCtx, task)
require.Nil(err)
resp, err := d.Start(tctx.ExecCtx, task)
require.Nil(err)
defer resp.Handle.Kill()

select {
case res := <-resp.Handle.WaitCh():
assert.False(res.Successful())
case <-time.After(time.Duration(testutil.TestMultiplier()*15) * time.Second):
t.Fatalf("timeout")
}
timeout := time.Duration(testutil.TestMultiplier()*15) * time.Second

ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()

// WaitUntil we can determine the user/group redis is running as
expected := []byte(`redis-server *:6379 redis redis`)
testutil.WaitForResult(func() (bool, error) {
raw, code, err := resp.Handle.Exec(ctx, "/bin/bash", []string{"-c", "ps -eo args,uid,gid | grep ^redis"})
if err != nil {
return false, err
}
if code != 0 {
return false, fmt.Errorf("unexpected exit code: %d", code)
}
return !bytes.Equal(expected, raw), fmt.Errorf("expected %q but found %q", expected, raw)
}, func(err error) {
t.Fatalf("err: %v", err)
})

require.Nil(resp.Handle.Kill())
}

func TestRktTrustPrefix(t *testing.T) {
Expand Down Expand Up @@ -476,7 +490,7 @@ func TestRktDriver_PortsMapping(t *testing.T) {
Name: "etcd",
Driver: "rkt",
Config: map[string]interface{}{
"image": "docker://redis:latest",
"image": "docker://redis:3.2",
"port_map": []map[string]string{
{
"main": "6379-tcp",
Expand Down

0 comments on commit 04b0ebc

Please sign in to comment.