[warden] Add privileged option to run/spawn

This adds an options has that may be passed to spawn. The initial
option allowed is the boolean "privileged," which, if supplied,
will cause the command to be run as root.

Change-Id: I7f90553e7e3092b17d9326bb4d339c52d0a55035

warden/README.md

@@ -225,7 +225,7 @@ the `null` value to completely disable the grace time.
 If specified, this setting overrides the default size of the container's
 scratch filesystem. The value is expected to be an integer number.
 
-### `spawn HANDLE SCRIPT`
+### `spawn HANDLE SCRIPT [OPTS]`
 
 Run the script `SCRIPT` in the container identified by `HANDLE`.
 
@@ -233,6 +233,13 @@ Returns a job identifier that can be used to reap its exit status at
 some point in the future. Also, the connection that issued the command
 may go away and reconnect later while still being able to reap the job.
 
+The optional `OPTS` parameter is a hash that specifies options modifying the
+command being run. The supported options are:
+
+#### `privileged`
+
+If true, this specifies that the script should be run as root.
+
 ### `link HANDLE JOB_ID`
 
 Reap the script identified by `JOB_ID`, running in the container

warden/lib/warden/container/base.rb

@@ -342,12 +342,12 @@ module Warden
         raise WardenError.new("not implemented")
       end
 
-      def spawn(script)
+      def spawn(script, opts = {})
         debug "entry"
 
         check_state_in(State::Active)
 
-        job = create_job(script)
+        job = create_job(script, opts)
         jobs[job.job_id.to_s] = job
 
         # Return job id to caller
@@ -379,10 +379,10 @@ module Warden
         debug "exit"
       end
 
-      def run(script)
+      def run(script, opts = {})
         debug "entry"
 
-        link(spawn(script))
+        link(spawn(script, opts))
 
       rescue => err
         warn "error: #{err.message}"

warden/lib/warden/container/insecure.rb

@@ -28,7 +28,7 @@ module Warden
         debug "insecure container destroyed"
       end
 
-      def create_job(script)
+      def create_job(script, opts = {})
         job = Job.new(self)
 
         child = DeferredChild.new(File.join(container_path, "run.sh"), :input => script)

warden/lib/warden/container/linux.rb

@@ -74,12 +74,16 @@ module Warden
         debug "container removed"
       end
 
-      def create_job(script)
+      def create_job(script, opts = {})
         job = Job.new(self)
 
+        user = opts["privileged"] ? "root" : "vcap"
+
         # -T: Never request a TTY
         # -F: Use configuration from <container_path>/ssh/ssh_config
-        args = ["-T", "-F", File.join(container_path, "ssh", "ssh_config"), "vcap@container"]
+        args = ["-T",
+                "-F", File.join(container_path, "ssh", "ssh_config"),
+                "#{user}@container"]
         args << { :input => script }
 
         child = DeferredChild.new("ssh", *args)

warden/lib/warden/server.rb

@@ -242,9 +242,14 @@ module Warden
       end
 
       def process_spawn(request)
-        request.require_arguments { |n| n == 3 }
+        request.require_arguments { |n| (n == 3) || (n == 4) }
         container = find_container(request[1])
-        container.spawn(request[2])
+
+        if (request.length == 4) && !request[3].kind_of?(Hash)
+          raise WardenError.new("Options must be a hash")
+        end
+
+        container.spawn(*request.slice(2, 2))
       end
 
       def process_link(request)
@@ -254,9 +259,14 @@ module Warden
       end
 
       def process_run(request)
-        request.require_arguments { |n| n == 3 }
+        request.require_arguments { |n| (n == 3) || (n == 4) }
         container = find_container(request[1])
-        container.run(request[2])
+
+        if (request.length == 4) && !request[3].kind_of?(Hash)
+          raise WardenError.new("Options must be a hash")
+        end
+
+        container.run(*request.slice(2, 2))
       end
 
       def process_net(request)

warden/spec/server_linux_spec.rb

@@ -205,4 +205,18 @@ describe "server implementing Linux containers", :platform => "linux", :needs_ro
       result[1].to_i.should be_within(8 * 1024).of(128 * 1024)
     end
   end
+
+  describe "run" do
+
+    include_context :server_linux
+
+    it "should run commands as root if the 'privileged' option is true" do
+      handle = client.create
+
+      result = client.run(handle, "id -u", { "privileged" => true })
+
+      result[0].should == 0
+      result[1].should == "0\n"
+    end
+  end
 end