diff --git a/contrib/heat_docker/heat_docker/resources/docker_container.py b/contrib/heat_docker/heat_docker/resources/docker_container.py index 5aa24f278..55da254d7 100644 --- a/contrib/heat_docker/heat_docker/resources/docker_container.py +++ b/contrib/heat_docker/heat_docker/resources/docker_container.py @@ -31,7 +31,9 @@ from heat.engine import support LOG = logging.getLogger(__name__) DOCKER_INSTALLED = False -MIN_API_VERSION_MAP = {'read_only': '1.17', 'cpu_shares': '1.8'} +MIN_API_VERSION_MAP = {'read_only': '1.17', 'cpu_shares': '1.8', + 'devices': '1.14'} +DEVICE_PATH_REGEX = r"^/dev/[/_\-a-zA-Z0-9]+$" # conditionally import so tests can work without having the dependency # satisfied try: @@ -47,12 +49,13 @@ class DockerContainer(resource.Resource): DOCKER_ENDPOINT, HOSTNAME, USER, MEMORY, PORT_SPECS, PRIVILEGED, TTY, OPEN_STDIN, STDIN_ONCE, ENV, CMD, DNS, IMAGE, VOLUMES, VOLUMES_FROM, PORT_BINDINGS, LINKS, NAME, - RESTART_POLICY, CAP_ADD, CAP_DROP, READ_ONLY, CPU_SHARES, + RESTART_POLICY, CAP_ADD, CAP_DROP, READ_ONLY, CPU_SHARES, DEVICES, ) = ( 'docker_endpoint', 'hostname', 'user', 'memory', 'port_specs', 'privileged', 'tty', 'open_stdin', 'stdin_once', 'env', 'cmd', 'dns', 'image', 'volumes', 'volumes_from', 'port_bindings', 'links', 'name', 'restart_policy', 'cap_add', 'cap_drop', 'read_only', 'cpu_shares', + 'devices' ) ATTRIBUTES = ( @@ -71,6 +74,12 @@ class DockerContainer(resource.Resource): 'Name', 'MaximumRetryCount', ) + _DEVICES_KEYS = ( + PATH_ON_HOST, PATH_IN_CONTAINER, PERMISSIONS + ) = ( + 'path_on_host', 'path_in_container', 'permissions' + ) + _CAPABILITIES = ['SETPCAP', 'SYS_MODULE', 'SYS_RAWIO', 'SYS_PACCT', 'SYS_ADMIN', 'SYS_NICE', 'SYS_RESOURCE', 'SYS_TIME', 'SYS_TTY_CONFIG', 'MKNOD', 'AUDIT_WRITE', @@ -234,7 +243,48 @@ class DockerContainer(resource.Resource): MIN_API_VERSION_MAP['cpu_shares'], default=0, support_status=support.SupportStatus(version='2015.2'), - ) + ), + DEVICES: properties.Schema( + properties.Schema.LIST, + _('Device mappings (only supported for API version >= %s).') % + MIN_API_VERSION_MAP['devices'], + schema=properties.Schema( + properties.Schema.MAP, + schema={ + PATH_ON_HOST: properties.Schema( + properties.Schema.STRING, + _('The device path on the host.'), + constraints=[ + constraints.Length(max=255), + constraints.AllowedPattern(DEVICE_PATH_REGEX), + ], + required=True + ), + PATH_IN_CONTAINER: properties.Schema( + properties.Schema.STRING, + _('The device path of the container' + ' mappings to the host.'), + constraints=[ + constraints.Length(max=255), + constraints.AllowedPattern(DEVICE_PATH_REGEX), + ], + ), + PERMISSIONS: properties.Schema( + properties.Schema.STRING, + _('The permissions of the container to' + ' read/write/create the devices.'), + constraints=[ + constraints.AllowedValues(['r', 'w', 'm', + 'rw', 'rm', 'wm', + 'rwm']), + ], + default='rwm' + ) + } + ), + default=[], + support_status=support.SupportStatus(version='2015.2'), + ), } attributes_schema = { @@ -380,10 +430,29 @@ class DockerContainer(resource.Resource): start_args['cap_drop'] = self.properties[self.CAP_DROP] if self.properties[self.READ_ONLY]: start_args[self.READ_ONLY] = True + if (self.properties[self.DEVICES] and + not self.properties[self.PRIVILEGED]): + start_args['devices'] = self._get_mapping_devices( + self.properties[self.DEVICES]) client.start(container_id, **start_args) return container_id + def _get_mapping_devices(self, devices): + actual_devices = [] + for device in devices: + if device[self.PATH_IN_CONTAINER]: + actual_devices.append(':'.join( + [device[self.PATH_ON_HOST], + device[self.PATH_IN_CONTAINER], + device[self.PERMISSIONS]])) + else: + actual_devices.append(':'.join( + [device[self.PATH_ON_HOST], + device[self.PATH_ON_HOST], + device[self.PERMISSIONS]])) + return actual_devices + def _get_container_status(self, container_id): client = self.get_client() info = client.inspect_container(container_id) diff --git a/contrib/heat_docker/heat_docker/tests/test_docker_container.py b/contrib/heat_docker/heat_docker/tests/test_docker_container.py index cf207dc57..729f0cdec 100644 --- a/contrib/heat_docker/heat_docker/tests/test_docker_container.py +++ b/contrib/heat_docker/heat_docker/tests/test_docker_container.py @@ -360,3 +360,75 @@ class DockerContainerTest(common.HeatTestCase): def test_create_with_cpu_shares_for_low_api_version(self): self.arg_for_low_api_version('cpu_shares', 512, '1.7') + + def test_start_with_mapping_devices(self): + t = template_format.parse(template) + stack = utils.parse_stack(t) + definition = stack.t.resource_definitions(stack)['Blog'] + definition['Properties']['devices'] = ( + [{'path_on_host': '/dev/sda', + 'path_in_container': '/dev/xvdc', + 'permissions': 'r'}, + {'path_on_host': '/dev/mapper/a_bc-d', + 'path_in_container': '/dev/xvdd', + 'permissions': 'rw'}]) + my_resource = docker_container.DockerContainer( + 'Blog', definition, stack) + get_client_mock = self.patchobject(my_resource, 'get_client') + get_client_mock.return_value = fakeclient.FakeDockerClient() + self.assertIsNone(my_resource.validate()) + scheduler.TaskRunner(my_resource.create)() + self.assertEqual((my_resource.CREATE, my_resource.COMPLETE), + my_resource.state) + client = my_resource.get_client() + self.assertEqual(['samalba/wordpress'], client.pulled_images) + self.assertEqual(['/dev/sda:/dev/xvdc:r', + '/dev/mapper/a_bc-d:/dev/xvdd:rw'], + client.container_start[0]['devices']) + + def test_start_with_mapping_devices_also_with_privileged(self): + t = template_format.parse(template) + stack = utils.parse_stack(t) + definition = stack.t.resource_definitions(stack)['Blog'] + definition['Properties']['devices'] = ( + [{'path_on_host': '/dev/sdb', + 'path_in_container': '/dev/xvdc', + 'permissions': 'r'}]) + definition['Properties']['privileged'] = True + my_resource = docker_container.DockerContainer( + 'Blog', definition, stack) + get_client_mock = self.patchobject(my_resource, 'get_client') + get_client_mock.return_value = fakeclient.FakeDockerClient() + self.assertIsNone(my_resource.validate()) + scheduler.TaskRunner(my_resource.create)() + self.assertEqual((my_resource.CREATE, my_resource.COMPLETE), + my_resource.state) + client = my_resource.get_client() + self.assertEqual(['samalba/wordpress'], client.pulled_images) + self.assertNotIn('devices', client.container_start[0]) + + def test_start_with_mapping_devices_for_low_api_version(self): + value = ([{'path_on_host': '/dev/sda', + 'path_in_container': '/dev/xvdc', + 'permissions': 'rwm'}]) + self.arg_for_low_api_version('devices', value, '1.13') + + def test_start_with_mapping_devices_not_set_path_in_container(self): + t = template_format.parse(template) + stack = utils.parse_stack(t) + definition = stack.t.resource_definitions(stack)['Blog'] + definition['Properties']['devices'] = ( + [{'path_on_host': '/dev/sda', + 'permissions': 'rwm'}]) + my_resource = docker_container.DockerContainer( + 'Blog', definition, stack) + get_client_mock = self.patchobject(my_resource, 'get_client') + get_client_mock.return_value = fakeclient.FakeDockerClient() + self.assertIsNone(my_resource.validate()) + scheduler.TaskRunner(my_resource.create)() + self.assertEqual((my_resource.CREATE, my_resource.COMPLETE), + my_resource.state) + client = my_resource.get_client() + self.assertEqual(['samalba/wordpress'], client.pulled_images) + self.assertEqual(['/dev/sda:/dev/sda:rwm'], + client.container_start[0]['devices'])