From 325de0ec350c591f95a53bf8147f80ed8430f4cb Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Fri, 6 Nov 2015 10:38:54 -0800
Subject: [PATCH] Docker privileged checks if host enabled it

---
 client/driver/docker.go | 11 ++++++++++-
 website/source/docs/drivers/docker.html.md | 6 +++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index 77f129fc6..a2d614a89 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -181,11 +181,20 @@ func (d *DockerDriver) createContainer(ctx *ExecContext, task *structs.Task) (do
 d.logger.Printf("[DEBUG] driver.docker: binding directories %#v for %s", hostConfig.Binds, task.Config["image"])
 
 // set privileged mode
+ hostPrivileged, err := strconv.ParseBool(d.config.ReadDefault("docker.privileged.enabled", "false"))
+ if err != nil {
+ return c, fmt.Errorf("Unable to parse docker.privileged.enabled: %s", err)
+ }
+
 if v, ok := task.Config["privileged"]; ok {
 taskPrivileged, err := strconv.ParseBool(v)
 if err != nil {
- return c, fmt.Errorf("Unable to parse boolean value from task config option 'privileged': %s", err)
+ return c, fmt.Errorf("Unable to parse boolean value from task config option 'privileged': %v", err)
 }
+ if taskPrivileged && !hostPrivileged {
+ return c, fmt.Errorf(`Unable to set privileged flag since "docker.privileged.enabled" is false`)
+ }
+
 hostConfig.Privileged = taskPrivileged
 }
 
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index c24a171af..dfa4c85a5 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
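Review bot: `docker.privileged.enabled` is now parsed, and its parse error returned, for every container createContainer builds, before the task's own `privileged` key is looked at, so an agent config value that ParseBool rejects (e.g. `yes`) stops all Docker tasks on that agent rather than only the ones asking for privileged mode. Deferring the host-side parse until `taskPrivileged` is true keeps the fail-closed outcome — an unparsable value still denies privileged mode — without that blast radius; if the loud failure is intended as a misconfiguration signal, a comment saying so would help the next reader. The two new error strings also differ in verb formatting (`%s` on the host parse, `%v` on the task parse); `%v` on both keeps them consistent. Separately, since this check only fires at container creation, a task that requests privileged mode on an agent without the setting will presumably fail every placement there; exposing the setting as a node attribute at fingerprint time would let constraints keep such tasks off those nodes, though that lives outside this hunk. createContainer starts before and continues after the hunk.
```go
	if v, ok := task.Config["privileged"]; ok {
		taskPrivileged, err := strconv.ParseBool(v)
		if err != nil {
			return c, fmt.Errorf("Unable to parse boolean value from task config option 'privileged': %v", err)
		}
		// Only consult the agent setting when the task actually asks for it; an
		// unparsable value still denies privileged mode (fail closed).
		if taskPrivileged {
			hostPrivileged, err := strconv.ParseBool(d.config.ReadDefault("docker.privileged.enabled", "false"))
			if err != nil {
				return c, fmt.Errorf("Unable to parse docker.privileged.enabled: %v", err)
			}
			if !hostPrivileged {
				return c, fmt.Errorf(`Unable to set privileged flag since "docker.privileged.enabled" is false`)
			}
		}
		hostConfig.Privileged = taskPrivileged
	}
```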
@@ -34,8 +34,8 @@ The `docker` driver supports the following configuration in the job specificatio * `privileged` - (optional) Privileged mode gives the container full access to the host. Valid options are `"true"` and `"false"` (defaults to `"false"`). - In order to use privileged mode, a client with the option - `docker.privileged.enabled = "true"` must be available. + Tasks with `privileged` set can only run on Nomad Agents with + `docker.privileged.enabled = "true"`. * `dns-servers` - (optional) A comma separated list of DNS servers for the container to use (e.g. "8.8.8.8,8.8.4.4"). *Docker API v1.10 and above only* @@ -143,7 +143,7 @@ The `docker` driver has the following configuration options: * `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will allow containers to use "privileged" mode, which gives the containers full access - to the host + to the host. Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,