Add support for privileged container

Author: pmarino90

.formatter.exs

@@ -9,7 +9,8 @@ locals_without_parens = [
   env: 2,
   expose_port: 2,
   proxy: 1,
-  publish_on_domain: 2
+  publish_on_domain: 2,
+  privileged?: 1
 ]
 
 [

lib/makina/dsl/app.ex

@@ -215,4 +215,13 @@ defmodule Makina.DSL.App do
       end
     end
   end
+
+  defmacro privileged?(flag) when is_boolean(flag) do
+    quote do
+      @current_application Application.set_privileged(
+                             @current_application,
+                             unquote(flag)
+                           )
+    end
+  end
 end

lib/makina/infrastructure/docker.ex

@@ -14,6 +14,7 @@ defmodule Makina.Infrastructure.Docker do
   def run(%Server{} = server, %Application{} = app) do
     docker(server, "run", [
       "-d",
+      privileged?(app),
       "--restart",
       "unless-stopped",
       name(app),
@@ -132,6 +133,14 @@ defmodule Makina.Infrastructure.Docker do
     ["--name", app_name(app)]
   end
 
+  defp privileged?(%Application{privileged?: true}) do
+    ["--privileged"]
+  end
+
+  defp privileged?(%Application{privileged?: false}) do
+    []
+  end
+
   defp volumes(%Application{} = app) do
     app.volumes
     |> Enum.flat_map(fn v ->

lib/makina/models/application.ex

@@ -25,14 +25,14 @@ defmodule Makina.Models.Application do
   are subject to changes and should never be relied on.
   These are:
   * `:__hash__` which is the hash of all properties (except the private ones)
-  * `:__docker__` specific internal configurations used for docker that are not (yet)
+  * `:__docker__` specific internal configurations used for docker that are not (yet) public
   * `:__scope__` collects nesting levels in the makina file in order to reliably distinguish apps
   exposed to the DSL.
   """
 
   alias Makina.Models.Internal
 
-  @hashable_keys ~w[name docker_image docker_registry dockerfile env_vars volumes exposed_ports domains load_balancing_port]a
+  @hashable_keys ~w[name docker_image docker_registry dockerfile env_vars volumes exposed_ports domains load_balancing_port privileged?]a
 
   @derive {JSON.Encoder, []}
   defstruct __hash__: nil,
@@ -50,7 +50,8 @@ defmodule Makina.Models.Application do
             env_vars: [],
             exposed_ports: [],
             domains: [],
-            load_balancing_port: nil
+            load_balancing_port: nil,
+            privileged?: false
 
   def new(opts) do
     app = struct(__MODULE__, opts)
@@ -167,10 +168,16 @@ defmodule Makina.Models.Application do
     not (is_nil(docker_registry.user) and is_nil(docker_registry.password))
   end
 
-  def set_private(%__MODULE{} = app, key, value) do
+  def set_private(%__MODULE__{} = app, key, value) do
     app |> Map.put(key, value)
   end
 
+  def set_privileged(%__MODULE__{} = app, flag) do
+    app = %__MODULE__{app | privileged?: flag}
+
+    set_private(app, :__hash__, hash(app))
+  end
+
   defp hash(%__MODULE__{} = app) do
     keys = @hashable_keys |> Enum.sort()
 

mix.exs

@@ -4,7 +4,7 @@ defmodule Makina.MixProject do
   def project do
     [
       app: :makina,
-      version: "0.1.22",
+      version: "0.2.0",
       elixir: "~> 1.18",
       start_permanent: Mix.env() == :prod,
       deps: deps(),

test/makina/dsl_test.exs

@@ -61,6 +61,24 @@ defmodule Makina.DSLTest do
       assert app.docker_image[:tag] == "tag"
     end
 
+    test "allow configuring a container as priviledged" do
+      import DSL
+
+      term =
+        makina "app-test-allow-docker-privileged" do
+          app name: "test" do
+            privileged? true
+          end
+        end
+
+      module = elem(term, 1)
+      context = module.collect_context()
+
+      app = List.first(context.applications)
+
+      assert app.privileged? == true
+    end
+
     test "allow volumes to be specified" do
       import DSL
 

test/makina/infrastructure/docker_test.exs

@@ -151,6 +151,22 @@ defmodule Makina.Infrastructure.DockerTest do
       assert cmd.cmd ==
                "docker run -d --restart unless-stopped --name foo --label org.makina.app.hash=#{app.__hash__} --label traefik.enable=true --label traefik.http.middlewares.foo.compress=true --label traefik.http.routers.foo.rule=\"Host(\\`example.com\\`)\" --label traefik.http.routers.foo.tls.certresolver=letsencrypt --label traefik.http.services.foo.loadBalancer.server.port=80 --network makina-web-net nginx:1.16"
     end
+
+    test "sets container as priviledged if needed" do
+      server =
+        Server.new(host: "example.com")
+        |> Server.put_private(:conn_ref, self())
+
+      app =
+        Application.new(name: "foo")
+        |> Application.set_docker_image(name: "nginx", tag: "1.16")
+        |> Application.set_privileged(true)
+
+      cmd = Docker.run(server, app)
+
+      assert cmd.cmd ==
+               "docker run -d --privileged --restart unless-stopped --name foo --label org.makina.app.hash=#{app.__hash__} nginx:1.16"
+    end
   end
 
   describe "stop/2" do

test/makina/models/application_test.exs

@@ -171,6 +171,28 @@ defmodule Makina.Models.ApplicationTest do
     end
   end
 
+  describe "set_privileged/2" do
+    test "defaults to false unless set" do
+      params = [name: "foo"]
+
+      app = Application.new(params)
+
+      assert app.privileged? == false
+    end
+
+    test "sets if the applications should run as priviledged" do
+      params = [name: "foo"]
+
+      app = Application.new(params)
+      init_hash = app.__hash__
+
+      app = app |> Application.set_privileged(true)
+
+      assert app.privileged? == true
+      assert app.__hash__ != init_hash
+    end
+  end
+
   describe "set_private/3" do
     test "sets private fields" do
       params = [name: "foo"]