introduce host_docker label to expose docker socket in containers

briceburg · briceburg · commit e1ee7c164038 · 2016-10-18T11:47:05.000-04:00
passes docker socket, group, and envars through to container
diff --git a/lib.d/v1-runtime.sh b/lib.d/v1-runtime.sh
@@ -18,6 +18,7 @@ v1-runtime(){
   #  org.dockerland.dex.docker_home=~             (user's actual home)
   #  org.dockerland.dex.docker_volumes=/etc/hosts:/etc/hosts:ro
   #  org.dockerland.dex.docker_workspace=/        (host root as /dex/workspace)
+  #  org.dockerland.dex.host_docker=rw            (expose host's docker socket and passthru docker vars)
   #  org.dockerland.dex.host_paths=rw             (rw mount host HOME and CWD)
   #  org.dockerland.dex.host_users=ro             (ro mount host /etc/passwd|group)
   #  org.dockerland.dex.window=yes                (applies window/X11 flags)
@@ -29,12 +30,13 @@ v1-runtime(){
   __docker_home=$DEX_IMAGE_NAME-$__tag
   __docker_workspace=$DEX_HOST_PWD
   __docker_volumes=
+  __host_docker=
   __host_paths="ro"
   __host_users=
   __window=
 
   # augment defaults with image meta
-  for label in api docker_devices docker_envars docker_flags docker_groups docker_home docker_workspace docker_volumes host_paths host_users window ; do
+  for label in api docker_devices docker_envars docker_flags docker_groups docker_home docker_workspace docker_volumes host_docker host_paths host_users window ; do
     # @TODO reduce this to a single docker inspect command
     val=$(__local_docker inspect --format "{{ index .Config.Labels \"org.dockerland.dex.$label\" }}" $__image)
     [ -z "$val" ] && continue
@@ -139,6 +141,15 @@ v1-runtime(){
     __docker_volumes+=" /etc/passwd:/etc/passwd:$__host_users /etc/group:/etc/group:$__host_users"
   esac
 
+  # map host docker socket and passthru docker vars
+  case $(echo "$__host_docker" | awk '{print tolower($0)}') in rw|ro)
+    docker_socket=/var/run/docker.sock
+    docker_group=$(if [[ "$OSTYPE" == darwin* ]] || [[ "$OSTYPE" == macos* ]]; then stat -f '%Dg' $docker_socket ; else stat -c '%g' $docker_socket ; fi)
+    __docker_volumes+=" $docker_socket:/var/run/docker.sock:$__host_docker $DOCKER_CERT_PATH $MACHINE_STORAGE_PATH"
+    __docker_flags+=" --group-add=$docker_group"
+    __docker_envars+=" DOCKER_* MACHINE_STORAGE_PATH"
+  esac
+
   # mount specicified devices (only if they exist)
   for path in $__docker_devices; do
     [ "${path:0:5}" = "/dev/" ] || path="/dev/$path"
diff --git a/tests/bats/06-runtime.bats b/tests/bats/06-runtime.bats
@@ -101,7 +101,6 @@ teardown(){
   [[ "$output" == *"TEST_B=test"* ]]
 }
 
-
 @test "runtime sets a unique home by default (DEX_HOME/homes/<image>-<tag>)" {
   rm -rf $DEX_HOME/homes/debian-latest
 
@@ -110,22 +109,6 @@ teardown(){
   [ -d $DEX_HOME/homes/debian-latest ]
 }
 
-@test "runtime ro-mounts host paths to coax common absolute path resolutions" {
-  cd $TMPDIR
-  $DEX run imgtest/debian ls $TMPDIR
-
-  run $DEX run imgtest/labels:disable-host_paths ls $TMPDIR
-  [ $status -eq 2 ]
-}
-
-@test "runtime respects ro-mounting of host users/groups" {
-  run $DEX run imgtest/debian whoami
-  [ $status -eq 1 ]
-
-  run $DEX run imgtest/labels:enable-host_users whoami
-  [ $status -eq 0 ]
-}
-
 @test "runtime respects docker_envars label" {
   # imgtest/labels image ::
   # LABEL org.dockerland.dex.docker_envars="BATS_TESTVAR"
@@ -145,7 +128,6 @@ teardown(){
   [ $status -eq 0 ]
 }
 
-
 @test "runtime expands ~ as real \$HOME in labels" {
   # imgtest/labels:home image ::
   # LABEL org.dockerland.dex.docker_home="~"
@@ -227,6 +209,40 @@ teardown(){
   [ $status -eq 1 ]
 }
 
+@test "runtime ro-mounts host paths to coax common absolute path resolutions" {
+  cd $TMPDIR
+  $DEX run imgtest/debian ls $TMPDIR
+
+  run $DEX run imgtest/labels:disable-host_paths ls $TMPDIR
+  [ $status -eq 2 ]
+}
+
+@test "runtime respects host_users label for ro-mounting of host users/groups" {
+  run $DEX run imgtest/debian whoami
+  [ $status -eq 1 ]
+
+  run $DEX run imgtest/labels:enable-host_users whoami
+  [ $status -eq 0 ]
+}
+
+@test "runtime respects host_docker label for passthrough of host docker socket and vars" {
+  # test if host docker is [NOT!] exposed by default
+  run $DEX run imgtest/debian ls -l /var/run/docker.sock
+  [ $status -eq 2 ]
+
+  run $DEX run imgtest/labels:enable-host_docker ls -l /var/run/docker.sock
+  [ $status -eq 0 ]
+
+  # test polling of host docker
+  run $DEX run imgtest/labels:enable-host_docker docker info
+  [ $status -eq 0 ]
+
+  # test DOCKER_ envar passthrough
+  run DOCKER_TEST="test" $DEX run imgtest/labels:enable-host_docker
+  [[ $output == *"DOCKER_TEST=test"* ]]
+}
+
+
 @test "runtime suppresses tty flags when container output is piped" {
   # imgtest/labels image ::
   # LABEL dockerland.dex.docker_flags="--tty -e TESTVAR=TEST"
diff --git a/tests/fixtures/dex-images/labels/Dockerfile-enable-host_docker b/tests/fixtures/dex-images/labels/Dockerfile-enable-host_docker
@@ -0,0 +1,18 @@
+FROM alpine:3.4
+
+RUN apk add --no-cache \
+  docker
+
+#
+# v1 dex-api
+#
+
+LABEL \
+  org.dockerland.dex.api="v1" \
+  org.dockerland.dex.host_docker=rw
+
+#
+# debian image
+#
+
+CMD echo "ALPINE_RELEASE=$(cat /etc/alpine-release)" ; printenv
