removed PRIVILIGED and ALLOWED_PUBLISH_PORTS_ALL config vars in favor of simple flags

Author: joernhees

CHANGELOG

@@ -13,6 +13,9 @@ Backwards incompatibilities:
 - Executor nvidia-docker now includes configurable limits to NV_GPU env var.
   Before the default was to always make all GPUs available (see new config
   options below).
+- PRIVILEGED dropped (use ARGS_AVAILABLE, but let me know how this is useful
+  with userdocker!)
+- ALLOWED_PUBLISH_PORTS_ALL dropped (use ARGS_AVAILABLE)
 
 New features:
 -------------

userdocker/config/default.py

@@ -66,8 +66,9 @@
     'version',
 ]
 
-# Arguments (more precisely simple flags) that you want to make available to the
-# user or enforce. Do not include args that are handled below (e.g. run -v)!
+# Simple arguments without options (flags):
+# Arguments (without options) that you want to enforce on the user:
+# Do not include args that are handled below (e.g. run -v)!
 # The following arguments will always be injected for the corresponding command:
 ARGS_ALWAYS = {
     'run': [
@@ -76,7 +77,9 @@
         '--rm',
     ],
 }
-# The following arguments are available to the user for the given command:
+# The following arguments (without options) are available to the user for the
+# given command.
+# Do not include args that are handled below (e.g. run -v)!
 # (aliases are supported as tuples below, but not in ARGS_ALWAYS)
 ARGS_AVAILABLE = {
     'attach': [
@@ -105,6 +108,8 @@
         ('-t', '--tty'),
         ('-i', '--interactive'),
         '--read-only',
+        # users can map all exposed container ports to random free host ports:
+        ('-P', '--publish-all'),
     ],
 }
 
@@ -153,18 +158,9 @@
 USER_IN_CONTAINER = True
 
 # The following allows to drop / grant capabilities of all containers.
-# By default we drop all and make the
+# By default we drop all
 CAPS_DROP = ['ALL']
 CAPS_ADD = []
-PRIVILEGED = False
-
-# User ability to publish ports
-# The ALLOWED_PUBLISH_PORTS_ALL allows the user to use the -P flag, which
-# publishes all ports that are EXPOSEd in the container to random host ports
-# (non priv range).
-# Notice that by default such ports are world accessible, so in case you want to
-# protect them, make sure to have (a docker compatible) iptables in place.
-ALLOWED_PUBLISH_PORTS_ALL = True
 
 # Environment vars to set for the container:
 ENV_VARS = [

userdocker/subcommands/run.py

@@ -7,15 +7,13 @@
 
 from .. import __version__
 from ..config import ALLOWED_IMAGE_REGEXPS
-from ..config import ALLOWED_PUBLISH_PORTS_ALL
 from ..config import CAPS_ADD
 from ..config import CAPS_DROP
 from ..config import ENV_VARS
 from ..config import ENV_VARS_EXT
 from ..config import NV_ALLOWED_GPUS
 from ..config import NV_DEFAULT_GPU_COUNT_RESERVATION
 from ..config import NV_MAX_GPU_COUNT_RESERVATION
-from ..config import PRIVILEGED
 from ..config import PROBE_USED_MOUNTS
 from ..config import RUN_PULL
 from ..config import USER_IN_CONTAINER
@@ -52,13 +50,6 @@ def parser_run(parser):
             default=[],
         )
 
-    if ALLOWED_PUBLISH_PORTS_ALL:
-        sub_parser.add_argument(
-            "-P", "--publish-all",
-            help="Publish all exposed ports to random ports",
-            action="store_true",
-        )
-
     sub_parser.add_argument(
         "--entrypoint",
         help="Overwrite the default ENTRYPOINT of the image",
@@ -207,8 +198,6 @@ def exec_cmd_run(args):
     for mount in mounts:
         cmd += ["-v", mount]
 
-    if args.publish_all:
-        cmd += ["-P"]
 
     if args.executor == 'nvidia-docker':
         prepare_nvidia_docker_run(args)
@@ -230,8 +219,6 @@ def exec_cmd_run(args):
         cmd += ["--cap-drop=%s" % cap_drop]
     for cap_add in CAPS_ADD:
         cmd += ["--cap-add=%s" % cap_add]
-    if PRIVILEGED:
-        cmd += ["--privileged"]
 
     if args.workdir:
         cmd += ["-w", args.workdir]