Merge pull request #31715 from anusha-ragunathan/ipc-host

Add support in plugin config for accessing host ipc and pid namespace.

api/swagger.yaml

@@ -1448,11 +1448,17 @@ definitions:
           - WorkDir
           - Network
           - Linux
+          - PidHost
           - PropagatedMount
+          - IpcHost
           - Mounts
           - Env
           - Args
         properties:
+          DockerVersion:
+            description: "Docker Version used to create the plugin"
+            type: "string"
+            x-nullable: false
           Description:
             type: "string"
             x-nullable: false
@@ -1516,6 +1522,12 @@ definitions:
           PropagatedMount:
             type: "string"
             x-nullable: false
+          IpcHost:
+            type: "boolean"
+            x-nullable: false
+          PidHost:
+            type: "boolean"
+            x-nullable: false
           Mounts:
             type: "array"
             items:

api/types/plugin.go

@@ -42,6 +42,9 @@ type PluginConfig struct {
 	// Required: true
 	Description string `json:"Description"`
 
+	// Docker Version used to create the plugin
+	DockerVersion string `json:"DockerVersion,omitempty"`
+
 	// documentation
 	// Required: true
 	Documentation string `json:"Documentation"`
@@ -58,6 +61,10 @@ type PluginConfig struct {
 	// Required: true
 	Interface PluginConfigInterface `json:"Interface"`
 
+	// ipc host
+	// Required: true
+	IpcHost bool `json:"IpcHost"`
+
 	// linux
 	// Required: true
 	Linux PluginConfigLinux `json:"Linux"`
@@ -70,6 +77,10 @@ type PluginConfig struct {
 	// Required: true
 	Network PluginConfigNetwork `json:"Network"`
 
+	// pid host
+	// Required: true
+	PidHost bool `json:"PidHost"`
+
 	// propagated mount
 	// Required: true
 	PropagatedMount string `json:"PropagatedMount"`

docs/extend/config.md

@@ -115,6 +115,11 @@ Config provides the base accessible fields for working with V0 plugin format
 
 	  options of the mount.
 
+- **`ipchost`** *boolean*
+   Access to host ipc namespace.
+- **`pidhost`** *boolean*
+   Access to host pid namespace.
+
 - **`propagatedMount`** *string*
 
    path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.

plugin/backend_linux.go

@@ -24,6 +24,7 @@ import (
 	"github.com/docker/docker/distribution"
 	progressutils "github.com/docker/docker/distribution/utils"
 	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/dockerversion"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/docker/docker/pkg/chrootarchive"
@@ -150,6 +151,20 @@ func computePrivileges(c types.PluginConfig) (types.PluginPrivileges, error) {
 			Value:       []string{c.Network.Type},
 		})
 	}
+	if c.IpcHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host ipc namespace",
+			Description: "allow access to host ipc namespace",
+			Value:       []string{"true"},
+		})
+	}
+	if c.PidHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host pid namespace",
+			Description: "allow access to host pid namespace",
+			Value:       []string{"true"},
+		})
+	}
 	for _, mount := range c.Mounts {
 		if mount.Source != nil {
 			privileges = append(privileges, types.PluginPrivilege{
@@ -744,6 +759,8 @@ func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser,
 		DiffIds: []string{layerDigester.Digest().String()},
 	}
 
+	config.DockerVersion = dockerversion.Version
+
 	configBlob, err := pm.blobStore.New()
 	if err != nil {
 		return err

plugin/v2/plugin_linux.go

@@ -60,6 +60,13 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
 				Options:     []string{"rbind", "ro"},
 			})
 	}
+	if p.PluginObj.Config.PidHost {
+		oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
+	}
+
+	if p.PluginObj.Config.IpcHost {
+		oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
+	}
 
 	for _, mnt := range mounts {
 		m := specs.Mount{