Skip to content

Comments

Add support for swarm seccomp and apparmor#46386

Merged
thaJeztah merged 1 commit intomoby:masterfrom
dperny:add-swarm-seccomp-apparmor
Sep 26, 2023
Merged

Add support for swarm seccomp and apparmor#46386
thaJeztah merged 1 commit intomoby:masterfrom
dperny:add-swarm-seccomp-apparmor

Conversation

@dperny
Copy link
Contributor

@dperny dperny commented Aug 31, 2023

- What I did

Added support in Swarm for custom Seccomp profiles, some small amount of AppArmor configuration, and no-new-privileges.

- How I did it

Swarmkit has the necessary plumbing for these fields added, and now it's wired up in the engine.

- How to verify it

- Description for the changelog

Added Swarm support for seccomp, AppArmor, and no-new-privileges.

corhere
corhere reviewed Aug 31, 2023
View reviewed changes
daemon/cluster/executor/container/container.go Outdated
if seccomp != nil {
switch seccomp.Mode {
case api.Privileges_SeccompOpts_DEFAULT:
// TODO(dperny): DO NOT MERGE WITHOUT THIS QUESTION ANSWERED!
Copy link
Contributor

@corhere corhere Aug 31, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this PR be converted to draft until this question is answered?

Copy link
Contributor Author

@dperny dperny Sep 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This review comment is why I put this code comment. Knew I would forget about it.

@dperny dperny force-pushed the add-swarm-seccomp-apparmor branch from a6ba8ee to d86dfbb Compare September 5, 2023 15:46
thaJeztah
thaJeztah reviewed Sep 11, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some very minor comments, also could you add entries to https://github.com/moby/moby/blob/master/docs/api/version-history.md to mention the new options (which apply to both POST /services/create and POST /services/{id}/update)

@thaJeztah thaJeztah added status/2-code-review kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny impact/api impact/changelog docs/revisit area/swarm impact/cli labels Sep 11, 2023
@thaJeztah thaJeztah mentioned this pull request Sep 11, 2023
Merged
1 task
@dperny dperny force-pushed the add-swarm-seccomp-apparmor branch from d86dfbb to 73bc6d6 Compare September 14, 2023 16:35
thaJeztah
thaJeztah approved these changes Sep 14, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

daemon/cluster/convert/container.go
}
}

if c.Privileges.Seccomp != nil {
Copy link
Member

@thaJeztah thaJeztah Sep 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess ideally we'd have some tests added as well, but I'm ok with doing it in a follow-up if we'd like to have this included in the release. I see there's some tests in this package already; https://github.com/moby/moby/tree/78479b19158290e7338ceb3985bb809b83de5fd4/daemon/cluster/executor/container

@thaJeztah
Copy link
Member

thaJeztah commented Sep 14, 2023

ah, dang; needs a rebase, @dperny (version-history.md)

@dperny
Add support for swarm seccomp and apparmor
42a51cb 
And also no-new-privileges

Signed-off-by: Drew Erny <[email protected]>
@dperny dperny force-pushed the add-swarm-seccomp-apparmor branch from 73bc6d6 to 42a51cb Compare September 25, 2023 17:39
@neersighted neersighted requested a review from corhere September 25, 2023 17:39
@thaJeztah thaJeztah added this to the 25.0.0 milestone Sep 26, 2023
@thaJeztah thaJeztah merged commit b94e88c into moby:master Sep 26, 2023
@Qwarctick Qwarctick mentioned this pull request Jan 22, 2024
Open
@Qwarctick
Copy link

Qwarctick commented Feb 28, 2024

Hello @dperny.
Thanks for your PR.
How does this feature is suppose to work ? With the CLI ? With the API ? With the compose file ?

Thanks in advance :)

@neersighted
Copy link
Member

neersighted commented Feb 28, 2024

This is purely backend support; the issue you already linked is the appropriate venue to discuss UI.

@neersighted neersighted mentioned this pull request Apr 2, 2024
Open
@corhere corhere mentioned this pull request Jun 14, 2024
Merged
@dperny dperny mentioned this pull request Dec 16, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neersighted neersighted neersighted approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@corhere corhere Awaiting requested review from corhere

Assignees

No one assigned

Labels

area/swarm docs/revisit impact/api impact/changelog impact/cli kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny status/2-code-review

Projects

None yet

Milestone

25.0.0

Development

Successfully merging this pull request may close these issues.

5 participants

@dperny @thaJeztah @Qwarctick @neersighted @corhere