[carry 2663] Add capabilities support to stack/service commands#2687
[carry 2663] Add capabilities support to stack/service commands#2687cpuguy83 merged 4 commits intodocker:masterfrom
Conversation
thaJeztah
force-pushed
the
carry_service_caps
branch
3 times, most recently
from
23e9121 to
4410116
Compare
Codecov Report
@@ Coverage Diff @@
## master #2687 +/- ##
==========================================
+ Coverage 58.42% 58.54% +0.11%
==========================================
Files 295 296 +1
Lines 21201 21286 +85
==========================================
+ Hits 12387 12462 +75
- Misses 7906 7915 +9
- Partials 908 909 +1 |
|
Ok, so I'm a bit in doubt what would be more logical; when updating a service that had previous cap-add/cap-drops, should we do: A. Update both "previous" and "new" state at onceGiven the following service;
When updating the service, and applying
Downside of this is that there's no option to B. Update as a "tri-state" (for better words)Given the following service;
When updating the service, and applying
When updating the service a second time, applying
So upside is that it's possible to "reset" previous capabilities without adding new ones. Downside is that it requires multiple updates if that is the desired result (given, probably a rare condition) C. Introduce a special "RESET" valueGiven the following service;
When updating the service, and applying
When updating the service, and applying
D. Combine B + CApply the diff to the existing list of capabilities first, but also allow using |
thaJeztah
force-pushed
the
carry_service_caps
branch
2 times, most recently
from
31cd380 to
e336b77
Compare
This comment has been minimized.
This comment has been minimized.
thaJeztah
force-pushed
the
carry_service_caps
branch
4 times, most recently
from
ce622d6 to
d85589d
Compare
|
As to my comment above, I added two commits that implement B and C |
| NET_RAW | ||
| RESET | ||
| SETFCAP |
There was a problem hiding this comment.
I noticed that our completion scripts use the capabilities without the CAP_ prefix; I'm on the fence what we should use as "normalised" format: with, or without the CAP_. From a UX perspective, possibly without is more friendly (less to type, and less characters to type to use auto-completion)
@tiborvass @silvin-lubecki WDYT?
There was a problem hiding this comment.
Perhaps it doesn't make a big difference (as the values entered by the user will be normalised anyway, so the only difference will be in what's shown in docker service inspect. Looks like that's currently consistent with (e.g.) what's documented for docker plugin capabilities.
There was a problem hiding this comment.
I'm totally fine with values without the CAP_ 👍
There was a problem hiding this comment.
When completing signals, we offer both SIGXXX and XXX.
So for consistency, we could switch to supporting both variants here as well.
I'll create a PR for that.
thaJeztah
force-pushed
the
carry_service_caps
branch
from
d85589d to
10b529e
Compare
cli/command/service/update.go
Outdated
| // list of capabilities to "drop"). | ||
| // | ||
| // Capabilities are normalized, sorted, and duplicates are removed to prevent | ||
| // service tasks from being updated if no changes are made. If the a list has |
| spec: &swarm.ContainerSpec{ | ||
| CapabilityDrop: []string{"ALL", "CAP_MOUNT", "CAP_NET_ADMIN"}, | ||
| }, | ||
| expectedDrop: []string{"ALL"}, |
There was a problem hiding this comment.
nit: should we also test ALL in cap-add AND cap-drop?
| flagDrop: []string{}, | ||
| spec: &swarm.ContainerSpec{ | ||
| CapabilityDrop: []string{"CAP_NET_ADMIN"}, | ||
| }, |
There was a problem hiding this comment.
nit: maybe add explicit empty expectedDrop?
There was a problem hiding this comment.
Yeah, guess it makes it slightly more understandable; I'll add explicit expectedDrop / expectedAdd lines
cli/command/service/update_test.go
Outdated
| }, | ||
| { | ||
| name: "Reset capabilities, and update after", | ||
| flagAdd: []string{"RESET", "CAP_ADD_ONE", "CAP_FOO"}, |
There was a problem hiding this comment.
nit: test also with "RESET", "ALL" ?
I can move the last commit to a separate PR; I don't think it's critical to have it, and we can add it after that, so if it requires more discussion, we can do so separately |
thaJeztah
force-pushed
the
carry_service_caps
branch
from
10b529e to
9503729
Compare
|
@silvin-lubecki @albers updated this one, and moved the |
|
@tiborvass @cpuguy83 PTAL |
|
I've been waiting for this! Is it going to be in 19.03 or a newer version? Any idea when it will get released? |
|
this will be in the upcoming 20.xx release |
|
Isn't this in the master branch? I tried installing docker-ce docker-ce-cli and containerd.io from the nightly build, however I still get "Ignoring unsupported options: cap_add" |
|
I think there's an issue with the nightly builds currently not being updated; this should be in the docker v20.10 release candidates in the testing channel (GA should be released soon) |
|
Look forward it! |
|
I'm getting the same "Ignoring unsupported options: cap_add" on 20.10 |
|
It does not work on Docker Desktop for Windows 3.0. I tried I don't get the data in This is in regards to https://stackoverflow.com/questions/65241151/running-haveged-in-docker-swarm |
12 participants
carries #2663
closes #1940
closes #2199
closes #2663
Fixes moby/moby#25885
- What I did
This PR supersedes #1940 and #2199. I removed the support of
privilegedoption from the original PR as I believe privileged containers involve more than just having the complete set of capabilities (eg. no user namespace, the unconfined AppArmor profile is used, etc...).docker stack deploynow supportscap_addandcap_dropoptions ;docker service create|updatenow support--cap-addand--cap-dropflags. For theupdatecommand and unlike most of other options, those flags don't have-add&-rmvariants as this would make a poor UX (eg.--cap-add-add&--cap-drop-rm). Instead,updateCapabilitiestakes care of stripping caps provided to--cap-addfromCapabilityDrop(and vice versa) ;docker service inspect --prettydisplays the list of added caps and dropped caps ;- How I did it
ServiceSpec;updateCapabilities()has been introduced and is called byupdateService;- How to verify it
docker stack deploydocker service createdocker service updatedocker service inspect- Description for the changelog
Add
cap_addandcap_dropsupport todocker stack deployand--cap-addand--cap-dropflags todocker service create|update.- A picture of a cute animal (not mandatory but encouraged)