From ba744855df44093892f8175f87e3abbc0893a9ee Mon Sep 17 00:00:00 2001 From: Vitaly Lopatkin Date: Fri, 22 Jul 2016 16:52:44 +0600 Subject: [PATCH] privileged mode support for KubernetesPod and DockerStandaloneHost Change-Id: I2155b27af1e59bf907d7ad03dedada98ef8ebb76 --- DockerInterfacesLibrary/README.rst | 1 + .../package/Classes/DockerContainer.yaml | 7 ++++++- .../package/Classes/DockerStandaloneHost.yaml | 3 ++- .../package/Resources/RunContainer.template | 3 +++ .../Resources/scripts/default_scripts/kube-apiserver | 3 ++- .../package/Resources/scripts/default_scripts/kubelet | 3 ++- .../package/Resources/scripts/environ/kube-config | 2 +- .../KubernetesPod/package/Classes/KubernetesPod.yaml | 2 ++ 8 files changed, 19 insertions(+), 5 deletions(-) diff --git a/DockerInterfacesLibrary/README.rst b/DockerInterfacesLibrary/README.rst index ba965da..cb52d3f 100644 --- a/DockerInterfacesLibrary/README.rst +++ b/DockerInterfacesLibrary/README.rst @@ -90,6 +90,7 @@ It has the following properties: into Docker container. Keys are the paths within container and values are instances of DockerVolume. +* `privileged`: a flag that forces running container in privileged mode. ApplicationPort =============== diff --git a/DockerInterfacesLibrary/package/Classes/DockerContainer.yaml b/DockerInterfacesLibrary/package/Classes/DockerContainer.yaml index 031dd6e..9982270 100644 --- a/DockerInterfacesLibrary/package/Classes/DockerContainer.yaml +++ b/DockerInterfacesLibrary/package/Classes/DockerContainer.yaml @@ -42,6 +42,10 @@ Properties: $.string().notNull(): $.class(DockerVolume).notNull() Default: {} + privileged: + Contract: $.bool().notNull() + Default: false + Methods: getRepresentation: Body: @@ -55,4 +59,5 @@ Methods: image: $.image env: env ports: $.ports.select($.getRepresentation()) - volumes: $volumeRepresentations \ No newline at end of file + volumes: $volumeRepresentations + privileged: $.privileged 
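Review bot: The new `privileged` property in DockerContainer.yaml is exposed as an ordinary application-level setting with nothing in the class (or in the one-line README entry) saying what it grants, and the only consumer visible in this commit passes it straight through to `docker run --privileged`. A YAML comment above the property should make the cost explicit, e.g. `# Runs the container with docker's --privileged flag (all capabilities, host devices); treat it as root on the Docker host and enable only for apps that genuinely need it.` Defaulting to `false` is right, and keeping the contract `$.bool().notNull()` avoids a null reaching the run template where it would be evaluated for truthiness.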
diff --git a/DockerStandaloneHost/package/Classes/DockerStandaloneHost.yaml b/DockerStandaloneHost/package/Classes/DockerStandaloneHost.yaml index 1a09475..0e97ab3 100644 --- a/DockerStandaloneHost/package/Classes/DockerStandaloneHost.yaml +++ b/DockerStandaloneHost/package/Classes/DockerStandaloneHost.yaml @@ -150,7 +150,8 @@ Methods: env => $container.env, portMap => $portBindings, volumeMap => $volumeMap, - commands => $container.commands + commands => $container.commands, + privileged => $container.privileged )) - $._removeApplicationEndpoints($container.name) - $privateIp: $.instance.agent.call($template, $resources) diff --git a/DockerStandaloneHost/package/Resources/RunContainer.template b/DockerStandaloneHost/package/Resources/RunContainer.template index 8a5d158..80f5752 100644 --- a/DockerStandaloneHost/package/Resources/RunContainer.template +++ b/DockerStandaloneHost/package/Resources/RunContainer.template @@ -21,6 +21,7 @@ Parameters: env: $env image: $image commands: $commands + privileged: $privileged Body: | options = ['-d', '--name ' + args.appName] @@ -30,6 +31,8 @@ Body: | options.append("-v '{0}':'{1}'".format(host_dir, container_dir)) for key, value in args.env.iteritems(): options.append("-e '{0}'='{1}'".format(key, value)) + if args.privileged: + options.append("--privileged") runDockerCommand('run {0} {1} {2}'.format(' '.join(options), args.image, ' '.join(args.commands)).rstrip()) return runDockerCommand('inspect -f={{.NetworkSettings.IPAddress}} ' + args.appName).stdout diff --git a/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kube-apiserver b/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kube-apiserver index 8736d5f..3abf2e1 100644 --- a/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kube-apiserver +++ b/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kube-apiserver 
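Review bot: `if args.privileged: options.append("--privileged")` honours the request unconditionally, so any application definition deployed to a DockerStandaloneHost can obtain a root-equivalent container on that host; the Kubernetes side of this same commit at least goes through an explicit `--allow_privileged` switch, while the standalone host has no opt-in at all. Consider a host-level `allowPrivileged` parameter declared next to `privileged: $privileged` in the Parameters block and enforced in the body: `if args.privileged:` / `    if not args.allowPrivileged: raise Exception('privileged containers are not permitted on this host')` / `    options.append("--privileged")`. The DockerStandaloneHost hunk that builds the template arguments would then need to forward the host setting as well. The surrounding Body script begins before this hunk.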
@@ -8,6 +8,7 @@ KUBE_APISERVER_OPTS="--address=0.0.0.0 \ --port=8080 \ --etcd_servers=http://127.0.0.1:4001 \ --logtostderr=false \ - --portal_net=11.1.0.0/16 --log_dir=/var/log/kubernetes" + --portal_net=11.1.0.0/16 --log_dir=/var/log/kubernetes \ + --allow_privileged=true" # Add more environment settings used by kube-apiserver here \ No newline at end of file diff --git a/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kubelet b/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kubelet index 4a126ac..92e1e13 100644 --- a/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kubelet +++ b/Kubernetes/KubernetesCluster/package/Resources/scripts/default_scripts/kubelet @@ -9,6 +9,7 @@ KUBELET_OPTS="--address=%%IP%% \ --hostname_override=%%IP%% \ --api_servers=%%MASTER_IP%%:8080 \ --logtostderr=false \ - --log_dir=/var/log/kubernetes" + --log_dir=/var/log/kubernetes \ + --allow_privileged=true" # Add more environment settings used by kube-scheduler here \ No newline at end of file diff --git a/Kubernetes/KubernetesCluster/package/Resources/scripts/environ/kube-config b/Kubernetes/KubernetesCluster/package/Resources/scripts/environ/kube-config index 00543cf..0819c4f 100644 --- a/Kubernetes/KubernetesCluster/package/Resources/scripts/environ/kube-config +++ b/Kubernetes/KubernetesCluster/package/Resources/scripts/environ/kube-config @@ -16,7 +16,7 @@ KUBE_LOGTOSTDERR="--logtostderr=true" KUBE_LOG_LEVEL="--v=0" # Should this cluster be allowed to run privileged docker containers -KUBE_ALLOW_PRIV="--allow-privileged=false" +KUBE_ALLOW_PRIV="--allow-privileged" # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://%%MASTER_IP%%:8080" \ No newline at end of file diff --git a/Kubernetes/KubernetesPod/package/Classes/KubernetesPod.yaml b/Kubernetes/KubernetesPod/package/Classes/KubernetesPod.yaml index 2f2ecf6..06ab373 100644 
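Review bot: `--allow_privileged=true` is now baked into the default kube-apiserver options of every cluster this package deploys, whether or not any pod sets `privileged`, which widens the blast radius of a compromised tenant workload on clusters that never needed it. The kubelet script in this same commit is filled from `%%IP%%`/`%%MASTER_IP%%` placeholders, so the same mechanism could carry an operator choice here, e.g. `--allow_privileged=%%ALLOW_PRIV%%` substituted from a KubernetesCluster property that defaults to false, with the kubelet wired to the same value so the two components agree. If the substitution code only knows a fixed set of placeholder names, that list would need extending; that code is not visible from this hunk.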
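Review bot: The flag is spelled `--allow_privileged` here and in kube-apiserver but `--allow-privileged` in kube-config within the same commit; Kubernetes normalises the two forms as far as I know, but one spelling across the three scripts would make grepping for the setting reliable. Since the kubelet is the component that actually launches privileged containers, the same hard-coded `=true` concern applies here as for the apiserver: a `%%ALLOW_PRIV%%` placeholder beside the existing `%%IP%%` and `%%MASTER_IP%%` substitutions would let operators keep privileged mode off on clusters that do not need it.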
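Review bot: `KUBE_ALLOW_PRIV="--allow-privileged"` drops the explicit value, so the line now reads as a bare switch while the two other scripts changed in this commit write `--allow_privileged=true`; `KUBE_ALLOW_PRIV="--allow-privileged=true"` says the same thing unambiguously and matches them. The comment just above, `# Should this cluster be allowed to run privileged docker containers`, implies an operator decision, but the answer is now hard-coded to yes; either make the value a substituted placeholder (the file already uses `%%MASTER_IP%%`) or reword the comment to state that privileged containers are always enabled.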
--- a/Kubernetes/KubernetesPod/package/Classes/KubernetesPod.yaml +++ b/Kubernetes/KubernetesPod/package/Classes/KubernetesPod.yaml @@ -115,6 +115,8 @@ Methods: mountPath => $ )) env: $container.env.keys().select(dict(name => $, value => $container.env.get($))) + securityContext: + privileged: $container.privileged - $newVolumes: $container.volumes.values().select( $this._buildVolumeEntry($container.name, $))