Add privileged property to resource_type for Concourse

This commit is contained in:
BoykoAlex
2017-11-26 01:44:39 -05:00
parent 088cfbe635
commit 616c4e4df5
2 changed files with 4 additions and 0 deletions

View File

@@ -379,6 +379,7 @@ public class PipelineYmlSchema implements YamlSchema {
addProp(resourceType, "name", resourceTypeNameDef).isPrimary(true);
addProp(resourceType, "type", t_resource_type_name).isRequired(true);
addProp(resourceType, "source", resourceSource);
addProp(resourceType, "privileged", t_boolean);
AbstractType group = f.ybean("Group");
addProp(group, "name", t_ne_string).isPrimary(true);

View File

@@ -0,0 +1,3 @@
*Optional*. *Default* `false`. If set to `true`, the resource's containers will be run with full capabilities, as determined by the Garden backend the task runs on. For Linux-based backends it typically determines whether or not the container will run in a separate user namespace, and whether the `root` user is "actual" `root` (if set to `true`) or a user namespaced `root` (if set to `false`, the default).
This is a gaping security hole; only configure it if the resource type needs it (which should be called out in its documentation). This is not up to the resource type to decide dynamically, so as to prevent privilege escalation via third-party resource type exploits.