[docker] Add support for setting CgroupnsMode
This is required to support Debian Bullseye (11) - need to set nova-libvirt to use 'host' CgroupnsMode. Change-Id: I40213d4092fa325bcf37bb1fb4437ab125fe328b
This commit is contained in:
parent
bb56861cc5
commit
95520df094
@ -27,6 +27,8 @@ import traceback
|
||||
|
||||
import docker
|
||||
|
||||
from distutils.version import StrictVersion
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
||||
DOCUMENTATION = '''
|
||||
@ -149,6 +151,16 @@ options:
|
||||
default: None
|
||||
choices:
|
||||
- host
|
||||
cgroupns_mode:
|
||||
description:
|
||||
- Set docker cgroups namespace (default depends on Docker config)
|
||||
- Supported only with Docker 20.10 (Docker API 1.41) and later
|
||||
required: False
|
||||
type: str
|
||||
default: None
|
||||
choices:
|
||||
- private
|
||||
- host
|
||||
privileged:
|
||||
description:
|
||||
- Set the container to privileged
|
||||
@ -275,6 +287,9 @@ class DockerWorker(object):
|
||||
|
||||
self.dc = get_docker_client()(**options)
|
||||
|
||||
self._cgroupns_mode_supported = (
|
||||
StrictVersion(self.dc._version) >= StrictVersion('1.41'))
|
||||
|
||||
def generate_tls(self):
|
||||
tls = {'verify': self.params.get('tls_verify')}
|
||||
tls_cert = self.params.get('tls_cert'),
|
||||
@ -347,6 +362,7 @@ class DockerWorker(object):
|
||||
self.compare_labels(container_info) or
|
||||
self.compare_privileged(container_info) or
|
||||
self.compare_pid_mode(container_info) or
|
||||
self.compare_cgroupns_mode(container_info) or
|
||||
self.compare_tmpfs(container_info) or
|
||||
self.compare_volumes(container_info) or
|
||||
self.compare_volumes_from(container_info) or
|
||||
@ -402,6 +418,21 @@ class DockerWorker(object):
|
||||
if new_pid_mode != current_pid_mode:
|
||||
return True
|
||||
|
||||
def compare_cgroupns_mode(self, container_info):
|
||||
if not self._cgroupns_mode_supported:
|
||||
return False
|
||||
new_cgroupns_mode = self.params.get('cgroupns_mode')
|
||||
if new_cgroupns_mode is None:
|
||||
# means we don't care what it is
|
||||
return False
|
||||
current_cgroupns_mode = (container_info['HostConfig']
|
||||
.get('CgroupnsMode'))
|
||||
if current_cgroupns_mode == '':
|
||||
# means the container was created on Docker pre-20.10
|
||||
# it behaves like 'host'
|
||||
current_cgroupns_mode = 'host'
|
||||
return new_cgroupns_mode != current_cgroupns_mode
|
||||
|
||||
def compare_privileged(self, container_info):
|
||||
new_privileged = self.params.get('privileged')
|
||||
current_privileged = container_info['HostConfig']['Privileged']
|
||||
@ -760,7 +791,16 @@ class DockerWorker(object):
|
||||
if binds:
|
||||
options['binds'] = binds
|
||||
|
||||
return self.dc.create_host_config(**options)
|
||||
host_config = self.dc.create_host_config(**options)
|
||||
|
||||
if self._cgroupns_mode_supported:
|
||||
# NOTE(yoctozepto): python-docker does not support CgroupnsMode
|
||||
# natively so we stuff it in manually.
|
||||
cgroupns_mode = self.params.get('cgroupns_mode')
|
||||
if cgroupns_mode is not None:
|
||||
host_config['CgroupnsMode'] = cgroupns_mode
|
||||
|
||||
return host_config
|
||||
|
||||
def _inject_env_var(self, environment_info):
|
||||
newenv = {
|
||||
@ -1074,6 +1114,8 @@ def generate_module():
|
||||
cap_add=dict(required=False, type='list', default=list()),
|
||||
security_opt=dict(required=False, type='list', default=list()),
|
||||
pid_mode=dict(required=False, type='str', choices=['host', '']),
|
||||
cgroupns_mode=dict(required=False, type='str',
|
||||
choices=['private', 'host']),
|
||||
privileged=dict(required=False, type='bool', default=False),
|
||||
graceful_timeout=dict(required=False, type='int', default=10),
|
||||
remove_on_exit=dict(required=False, type='bool', default=True),
|
||||
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Adds support in ``kolla_docker`` module to set ``CgroupnsMode`` for Docker
|
||||
containers (via ``cgroupns_mode`` module param). Requires Docker 20.10.
|
||||
Note that pre-20.10 all containers behave as if they were run with mode
|
||||
``host``.
|
@ -71,6 +71,8 @@ class ModuleArgsTest(base.BaseTestCase):
|
||||
cap_add=dict(required=False, type='list', default=list()),
|
||||
security_opt=dict(required=False, type='list', default=list()),
|
||||
pid_mode=dict(required=False, type='str', choices=['host', '']),
|
||||
cgroupns_mode=dict(required=False, type='str',
|
||||
choices=['private', 'host']),
|
||||
privileged=dict(required=False, type='bool', default=False),
|
||||
graceful_timeout=dict(required=False, type='int', default=10),
|
||||
remove_on_exit=dict(required=False, type='bool', default=True),
|
||||
@ -204,10 +206,11 @@ FAKE_DATA = {
|
||||
}
|
||||
|
||||
|
||||
@mock.patch("docker.APIClient")
|
||||
def get_DockerWorker(mod_param, mock_dclient):
|
||||
def get_DockerWorker(mod_param, docker_api_version='1.40'):
|
||||
module = mock.MagicMock()
|
||||
module.params = mod_param
|
||||
with mock.patch("docker.APIClient") as MockedDockerClientClass:
|
||||
MockedDockerClientClass.return_value._version = docker_api_version
|
||||
dw = kd.DockerWorker(module)
|
||||
return dw
|
||||
|
||||
@ -248,6 +251,15 @@ class TestMainModule(base.BaseTestCase):
|
||||
result=False,
|
||||
some_key="some_value")
|
||||
|
||||
def test_sets_cgroupns_mode_supported_false(self):
|
||||
self.dw = get_DockerWorker(self.fake_data['params'])
|
||||
self.assertFalse(self.dw._cgroupns_mode_supported)
|
||||
|
||||
def test_sets_cgroupns_mode_supported_true(self):
|
||||
self.dw = get_DockerWorker(self.fake_data['params'],
|
||||
docker_api_version='1.41')
|
||||
self.assertTrue(self.dw._cgroupns_mode_supported)
|
||||
|
||||
|
||||
class TestContainer(base.BaseTestCase):
|
||||
|
||||
@ -976,6 +988,40 @@ class TestAttrComp(base.BaseTestCase):
|
||||
self.dw = get_DockerWorker({'pid_mode': 'host2'})
|
||||
self.assertTrue(self.dw.compare_pid_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_neg(self):
|
||||
container_info = {'HostConfig': dict(CgroupnsMode='host')}
|
||||
self.dw = get_DockerWorker({'cgroupns_mode': 'host'},
|
||||
docker_api_version='1.41')
|
||||
self.assertFalse(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_neg_backward_compat(self):
|
||||
container_info = {'HostConfig': dict(CgroupnsMode='')}
|
||||
self.dw = get_DockerWorker({'cgroupns_mode': 'host'},
|
||||
docker_api_version='1.41')
|
||||
self.assertFalse(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_ignore(self):
|
||||
container_info = {'HostConfig': dict(CgroupnsMode='private')}
|
||||
self.dw = get_DockerWorker({}, docker_api_version='1.41')
|
||||
self.assertFalse(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_pos(self):
|
||||
container_info = {'HostConfig': dict(CgroupnsMode='private')}
|
||||
self.dw = get_DockerWorker({'cgroupns_mode': 'host'},
|
||||
docker_api_version='1.41')
|
||||
self.assertTrue(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_pos_backward_compat(self):
|
||||
container_info = {'HostConfig': dict(CgroupnsMode='')}
|
||||
self.dw = get_DockerWorker({'cgroupns_mode': 'private'},
|
||||
docker_api_version='1.41')
|
||||
self.assertTrue(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_cgroupns_mode_unsupported(self):
|
||||
container_info = {'HostConfig': dict()}
|
||||
self.dw = get_DockerWorker({'cgroupns_mode': 'host'})
|
||||
self.assertFalse(self.dw.compare_cgroupns_mode(container_info))
|
||||
|
||||
def test_compare_privileged_neg(self):
|
||||
container_info = {'HostConfig': dict(Privileged=True)}
|
||||
self.dw = get_DockerWorker({'privileged': True})
|
||||
|
Loading…
Reference in New Issue
Block a user