From 00540a597c45a15c3d2993dd47fced10b57f4ae4 Mon Sep 17 00:00:00 2001
From: Maxim Kolomeychenko <maxim@supervise.ly>
Date: Mon, 13 Nov 2023 13:03:55 +0000
Subject: [PATCH] done, not tested

---
 agent/worker/constants.py       | 13 +++++++++++++
 agent/worker/task_dockerized.py |  1 +
 2 files changed, 14 insertions(+)

diff --git a/agent/worker/constants.py b/agent/worker/constants.py
index 8c2fdf3..4ed4b5c 100644
--- a/agent/worker/constants.py
+++ b/agent/worker/constants.py
@@ -41,6 +41,9 @@
 _MEM_LIMIT = "MEM_LIMIT"
 _SHM_SIZE = "SHM_SIZE"
 
+# security settings (only for custom environments)
+_SECURITY_OPT = "SECURITY_OPT"
+
 _PULL_POLICY = "PULL_POLICY"
 
 _GIT_LOGIN = "GIT_LOGIN"
@@ -111,6 +114,7 @@
     _AGENT_FILES_IN_APP_CONTAINER: "/agent-storage",
     _AUTO_CLEAN_INT_RANGE_DAYS: 7,
     _REQUESTS_CA_BUNDLE_DIR_CONTAINER: "/sly_certs",
+    _SECURITY_OPT: None,
 }
 
 
@@ -513,6 +517,15 @@ def DEFAULT_APP_DOCKER_IMAGE():
     return read_optional_setting(_DEFAULT_APP_DOCKER_IMAGE)
 
 
+def SECURITY_OPT():
+    value = read_optional_setting(_SECURITY_OPT)
+    if value is not None:
+        value = list(filter(len, value.split(",")))
+        if len(value) > 0:
+            return value
+    return None
+
+
 def init_constants():
     sly.fs.mkdir(AGENT_LOG_DIR())
     sly.fs.mkdir(AGENT_TASKS_DIR())
diff --git a/agent/worker/task_dockerized.py b/agent/worker/task_dockerized.py
index 7d026cb..327d7a0 100644
--- a/agent/worker/task_dockerized.py
+++ b/agent/worker/task_dockerized.py
@@ -238,6 +238,7 @@ def spawn_container(self, add_envs=None, add_labels=None, entrypoint_func=None):
                 memswap_limit=constants.MEM_LIMIT(),
                 network=constants.DOCKER_NET(),
                 ipc_mode=ipc_mode,
+                security_opt=constants.SECURITY_OPT(),
             )
             self._container.reload()
             self.logger.debug(