privileged mode support for KubernetesPod and DockerStandaloneHost

Change-Id: I2155b27af1e59bf907d7ad03dedada98ef8ebb76

DockerInterfacesLibrary/README.rst

@@ -90,6 +90,7 @@ It has the following properties:
   into Docker container. Keys are the paths within container and values are
   instances of DockerVolume.
 
+* `privileged`: a flag that forces running container in privileged mode.
 
 ApplicationPort
 ===============

DockerInterfacesLibrary/package/Classes/DockerContainer.yaml

@@ -42,6 +42,10 @@ Properties:
       $.string().notNull(): $.class(DockerVolume).notNull()
     Default: {}
 
+  privileged:
+    Contract: $.bool().notNull()
+    Default: false
+
 Methods:
   getRepresentation:
     Body:
@@ -55,4 +59,5 @@ Methods:
           image: $.image
           env: env
           ports: $.ports.select($.getRepresentation())
-          volumes: $volumeRepresentations
+          volumes: $volumeRepresentations
+          privileged: $.privileged

DockerStandaloneHost/package/Classes/DockerStandaloneHost.yaml

@@ -150,7 +150,8 @@ Methods:
             env => $container.env,
             portMap => $portBindings,
             volumeMap => $volumeMap,
-            commands => $container.commands
+            commands => $container.commands,
+            privileged => $container.privileged
           ))
       - $._removeApplicationEndpoints($container.name)
       - $privateIp: $.instance.agent.call($template, $resources)

DockerStandaloneHost/package/Resources/RunContainer.template

@@ -21,6 +21,7 @@ Parameters:
   env: $env
   image: $image
   commands: $commands
+  privileged: $privileged
 
 Body: |
   options = ['-d', '--name ' + args.appName]
@@ -30,6 +31,8 @@ Body: |
     options.append("-v '{0}':'{1}'".format(host_dir, container_dir))
   for key, value in args.env.iteritems():
     options.append("-e '{0}'='{1}'".format(key, value))
+  if args.privileged:
+    options.append("--privileged")
   runDockerCommand('run {0} {1} {2}'.format(' '.join(options), args.image, ' '.join(args.commands)).rstrip())
 
   return runDockerCommand('inspect -f={{.NetworkSettings.IPAddress}} ' + args.appName).stdout

Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kube-apiserver

@@ -8,6 +8,7 @@ KUBE_APISERVER_OPTS="--address=0.0.0.0 \
   --port=8080 \
   --etcd_servers=http://127.0.0.1:4001 \
   --logtostderr=false \
-  --portal_net=11.1.0.0/16  --log_dir=/var/log/kubernetes"
+  --portal_net=11.1.0.0/16  --log_dir=/var/log/kubernetes \
+  --allow_privileged=true"
 
 # Add more environment settings used by kube-apiserver here

Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kubelet

@@ -9,6 +9,7 @@ KUBELET_OPTS="--address=%%IP%% \
   --hostname_override=%%IP%% \
   --api_servers=%%MASTER_IP%%:8080 \
   --logtostderr=false \
-  --log_dir=/var/log/kubernetes"
+  --log_dir=/var/log/kubernetes \
+  --allow_privileged=true"
 
 # Add more environment settings used by kube-scheduler here

Kubernetes/KubernetesCluster/package/Resources/scripts/environ/kube-config

@@ -16,7 +16,7 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 KUBE_LOG_LEVEL="--v=0"
 
 # Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
+KUBE_ALLOW_PRIV="--allow-privileged"
 
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://%%MASTER_IP%%:8080"

Kubernetes/KubernetesPod/package/Classes/KubernetesPod.yaml

@@ -115,6 +115,8 @@ Methods:
               mountPath => $
             ))
           env: $container.env.keys().select(dict(name => $, value => $container.env.get($)))
+          securityContext:
+            privileged: $container.privileged
 
       - $newVolumes: $container.volumes.values().select(
           $this._buildVolumeEntry($container.name, $))