From 791a86c45ed6f7758421ec1cb4064409a0cb72f2 Mon Sep 17 00:00:00 2001 From: Michael Kuryshev Date: Sat, 11 Jul 2020 17:02:31 +0200 Subject: [PATCH] builder/docker: runner support for --cap-add, --cap-drop, --tmpfs --- builder/docker/config.go | 6 ++++++ builder/docker/config.hcl2spec.go | 6 ++++++ builder/docker/driver.go | 3 +++ builder/docker/driver_docker.go | 9 +++++++++ builder/docker/step_run.go | 3 +++ .../partials/builder/docker/Config-not-required.mdx | 6 ++++++ 6 files changed, 33 insertions(+) diff --git a/builder/docker/config.go b/builder/docker/config.go index 872b72b43..8a2fde3fb 100644 --- a/builder/docker/config.go +++ b/builder/docker/config.go @@ -43,6 +43,10 @@ type Config struct { // the [artifice // post-processor](/docs/post-processors/artifice). Discard bool `mapstructure:"discard" required:"true"` + // An array of additional Linux capabilities to grant to the container. + CapAdd []string `mapstructure:"cap_add" required:"false"` + // An array of Linux capabilities to drop from the container. + CapDrop []string `mapstructure:"cap_drop" required:"false"` // Username (UID) to run remote commands with. You can also set the group // name/ID if you want: (UID or UID:GID). You may need this if you get // permission errors trying to run the shell or other provisioners. @@ -75,6 +79,8 @@ type Config struct { // docker image embeds a binary intended to be run often, you should // consider changing the default entrypoint to point to it. RunCommand []string `mapstructure:"run_command" required:"false"` + // An array of additional tmpfs volumes to mount into this container. + TmpFs []string `mapstructure:"tmpfs" required:"false"` // A mapping of additional volumes to mount into this container. The key of // the object is the host path, the value is the container path. Volumes map[string]string `mapstructure:"volumes" required:"false"` diff --git a/builder/docker/config.hcl2spec.go b/builder/docker/config.hcl2spec.go index a75b0a2b8..64707a083 100644 --- a/builder/docker/config.hcl2spec.go +++ b/builder/docker/config.hcl2spec.go @@ -67,6 +67,8 @@ type FlatConfig struct { Commit *bool `mapstructure:"commit" required:"true" cty:"commit" hcl:"commit"` ContainerDir *string `mapstructure:"container_dir" required:"false" cty:"container_dir" hcl:"container_dir"` Discard *bool `mapstructure:"discard" required:"true" cty:"discard" hcl:"discard"` + CapAdd []string `mapstructure:"cap_add" required:"false" cty:"cap_add" hcl:"cap_add"` + CapDrop []string `mapstructure:"cap_drop" required:"false" cty:"cap_drop" hcl:"cap_drop"` ExecUser *string `mapstructure:"exec_user" required:"false" cty:"exec_user" hcl:"exec_user"` ExportPath *string `mapstructure:"export_path" required:"true" cty:"export_path" hcl:"export_path"` Image *string `mapstructure:"image" required:"true" cty:"image" hcl:"image"` @@ -75,6 +77,7 @@ type FlatConfig struct { Pty *bool `cty:"pty" hcl:"pty"` Pull *bool `mapstructure:"pull" required:"false" cty:"pull" hcl:"pull"` RunCommand []string `mapstructure:"run_command" required:"false" cty:"run_command" hcl:"run_command"` + TmpFs []string `mapstructure:"tmpfs" required:"false" cty:"tmpfs" hcl:"tmpfs"` Volumes map[string]string `mapstructure:"volumes" required:"false" cty:"volumes" hcl:"volumes"` FixUploadOwner *bool `mapstructure:"fix_upload_owner" required:"false" cty:"fix_upload_owner" hcl:"fix_upload_owner"` WindowsContainer *bool `mapstructure:"windows_container" required:"false" cty:"windows_container" hcl:"windows_container"` @@ -159,6 +162,8 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec { "commit": &hcldec.AttrSpec{Name: "commit", Type: cty.Bool, Required: false}, "container_dir": &hcldec.AttrSpec{Name: "container_dir", Type: cty.String, Required: false}, "discard": &hcldec.AttrSpec{Name: "discard", Type: cty.Bool, Required: false}, + "cap_add": &hcldec.AttrSpec{Name: "cap_add", Type: cty.List(cty.String), Required: false}, + "cap_drop": &hcldec.AttrSpec{Name: "cap_drop", Type: cty.List(cty.String), Required: false}, "exec_user": &hcldec.AttrSpec{Name: "exec_user", Type: cty.String, Required: false}, "export_path": &hcldec.AttrSpec{Name: "export_path", Type: cty.String, Required: false}, "image": &hcldec.AttrSpec{Name: "image", Type: cty.String, Required: false}, @@ -167,6 +172,7 @@ func (*FlatConfig) HCL2Spec() map[string]hcldec.Spec { "pty": &hcldec.AttrSpec{Name: "pty", Type: cty.Bool, Required: false}, "pull": &hcldec.AttrSpec{Name: "pull", Type: cty.Bool, Required: false}, "run_command": &hcldec.AttrSpec{Name: "run_command", Type: cty.List(cty.String), Required: false}, + "tmpfs": &hcldec.AttrSpec{Name: "tmpfs", Type: cty.List(cty.String), Required: false}, "volumes": &hcldec.AttrSpec{Name: "volumes", Type: cty.Map(cty.String), Required: false}, "fix_upload_owner": &hcldec.AttrSpec{Name: "fix_upload_owner", Type: cty.Bool, Required: false}, "windows_container": &hcldec.AttrSpec{Name: "windows_container", Type: cty.Bool, Required: false}, diff --git a/builder/docker/driver.go b/builder/docker/driver.go index 73bf5e1a8..6ab9bd378 100644 --- a/builder/docker/driver.go +++ b/builder/docker/driver.go @@ -66,7 +66,10 @@ type Driver interface { type ContainerConfig struct { Image string RunCommand []string + CapAdd []string + CapDrop []string Volumes map[string]string + TmpFs []string Privileged bool } diff --git a/builder/docker/driver_docker.go b/builder/docker/driver_docker.go index c6c01de5c..c30b5473b 100644 --- a/builder/docker/driver_docker.go +++ b/builder/docker/driver_docker.go @@ -265,9 +265,18 @@ func (d *DockerDriver) StartContainer(config *ContainerConfig) (string, error) { // Args that we're going to pass to Docker args := []string{"run"} + for _, v := range config.CapAdd { + args = append(args, "--cap-add", v) + } + for _, v := range config.CapDrop { + args = append(args, "--cap-drop", v) + } if config.Privileged { args = append(args, "--privileged") } + for _, v := range config.TmpFs { + args = append(args, "--tmpfs", v) + } for host, guest := range config.Volumes { args = append(args, "-v", fmt.Sprintf("%s:%s", host, guest)) } diff --git a/builder/docker/step_run.go b/builder/docker/step_run.go index b91461ff0..cce06a787 100644 --- a/builder/docker/step_run.go +++ b/builder/docker/step_run.go @@ -25,7 +25,10 @@ func (s *StepRun) Run(ctx context.Context, state multistep.StateBag) multistep.S runConfig := ContainerConfig{ Image: config.Image, RunCommand: config.RunCommand, + TmpFs: config.TmpFs, Volumes: make(map[string]string), + CapAdd: config.CapAdd, + CapDrop: config.CapDrop, Privileged: config.Privileged, } diff --git a/website/pages/partials/builder/docker/Config-not-required.mdx b/website/pages/partials/builder/docker/Config-not-required.mdx index fc152f142..173de0e12 100644 --- a/website/pages/partials/builder/docker/Config-not-required.mdx +++ b/website/pages/partials/builder/docker/Config-not-required.mdx @@ -10,6 +10,10 @@ for work [file provisioner](/docs/provisioners/file). This defaults to c:/packer-files on windows and /packer-files on other systems. +- `cap_add` ([]string) - An array of additional Linux capabilities to grant to the container. + +- `cap_drop` ([]string) - An array of Linux capabilities to drop from the container. + - `exec_user` (string) - Username (UID) to run remote commands with. You can also set the group name/ID if you want: (UID or UID:GID). You may need this if you get permission errors trying to run the shell or other provisioners. @@ -34,6 +38,8 @@ docker image embeds a binary intended to be run often, you should consider changing the default entrypoint to point to it. +- `tmpfs` ([]string) - An array of additional tmpfs volumes to mount into this container. + - `volumes` (map[string]string) - A mapping of additional volumes to mount into this container. The key of the object is the host path, the value is the container path.