This reverts commit 18d9170. This is reverted to replace with a different model since a full cap list specified on clients means the client must specify the base cap spec for nodes it may not know about. Instead we intend to split this into add/drop lists.
|
ping @dperny @thaJeztah @tonistiigi |
|
We'd like to get this in for the upcoming docker release. |
6bf5542 to
e4e95c8
|
Looks like protos have to be regenerated; |
|
Grr... I definitely ran this... |
|
Perhaps CI is using a different version 😞 |
5e6d7d5 to
5ba713b
|
I'm in a meeting right now so I can't do a full review, but I will do a full review in about 2 hours. In the meantime: |
|
Yes, this is pretty funny. |
|
Also of note for UX... removing
|
|
This looks good to me. It will of course need changes to the executor in the engine, but those should be easy. For fixing the tests, the code in You'll need to change code in the |
This allows clients to specify capabilities to add or drop from the default capability. Signed-off-by: Brian Goff <[email protected]>
5ba713b to
06a0d2d
|
Fixed it. Just for some reason the docker type uses strslice.Strslice instead of a straight up |
Codecov Report
@@ Coverage Diff @@
## master #2965 +/- ##
==========================================
+ Coverage 61.74% 61.79% +0.05%
==========================================
Files 142 142
Lines 22998 22999 +1
==========================================
+ Hits 14199 14212 +13
+ Misses 7298 7285 -13
- Partials 1501 1502 +1 |
|
merged |
|
Thanks! |
This is a follow-up of moby#2965. Signed-off-by: Albin Kerouanton <[email protected]>

After extended discussion with moby/moby maintainers, we feel the existing API (not yet released) for supplying a capabilities list is not very useful since it requires clients to know the full list of capabilities, which usually isn't known... so instead we fall back to a default, which is already defined on the engine, but because the client needs to specify the capabilities, the client also has its own default list.
With the old method, the full cap list is also encoded in the service spec which means the default cannot be changed except by the client.
If the client still wants to define the full list themselves, they can:
--cap-drop ALL --cap-add CAP_FOO
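
The difference between the two models described above, as an added example that is not swarmkit or moby code: the spec carries only add/drop lists and each node resolves them against its own default. The function name `effectiveCaps`, the two node defaults and the simplified resolution rules (only `ALL` in the drop list is special-cased, and an add wins over a drop of the same capability) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// effectiveCaps resolves a spec's add/drop lists against one node's default
// set. Assumed, simplified semantics: "ALL" in drop discards the node default;
// otherwise drops are removed from the default; adds are then included.
func effectiveCaps(nodeDefault, add, drop []string) []string {
	set := map[string]bool{}
	dropAll := false
	for _, c := range drop {
		if c == "ALL" {
			dropAll = true
		}
	}
	if !dropAll {
		for _, c := range nodeDefault {
			set[c] = true
		}
		for _, c := range drop {
			delete(set, c)
		}
	}
	for _, c := range add {
		set[c] = true
	}
	out := make([]string, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed defaults for two hypothetical nodes; the second has a
	// tighter default, as if the engine default had been changed later.
	oldNode := []string{"CAP_CHOWN", "CAP_NET_RAW", "CAP_SETUID"}
	newNode := []string{"CAP_CHOWN", "CAP_SETUID"}

	// The spec stores only the delta, so a changed default takes effect.
	fmt.Println(effectiveCaps(oldNode, []string{"CAP_SYS_TIME"}, []string{"CAP_CHOWN"}))
	fmt.Println(effectiveCaps(newNode, []string{"CAP_SYS_TIME"}, []string{"CAP_CHOWN"}))

	// --cap-drop ALL --cap-add CAP_FOO pins the full list on every node.
	fmt.Println(effectiveCaps(oldNode, []string{"CAP_FOO"}, []string{"ALL"}))
	fmt.Println(effectiveCaps(newNode, []string{"CAP_FOO"}, []string{"ALL"}))
}
```

With a full list encoded in the spec, both nodes would have received the same frozen set; here the node with the tightened default no longer grants `CAP_NET_RAW`.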