service: Add --cap-add & --cap-drop to service cmds

Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
2020-07-29 14:35:51 +02:00 · 2020-07-29 14:35:51 +02:00 · c6ec4e081e
parent 0db61ff6da
commit c6ec4e081e
4 changed files with 151 additions and 0 deletions
--- a/cli/command/service/formatter.go
+++ b/cli/command/service/formatter.go
@ -97,6 +97,15 @@ ContainerSpec:
 {{- if .ContainerUser }}
 User: {{ .ContainerUser }}
 {{- end }}
 {{- if .HasCapabilities }}
 Capabilities:
 {{- if .HasCapabilityAdd }}
 Add: {{ .CapabilityAdd }}
 {{- end }}
 {{- if .HasCapabilityDrop }}
 Drop: {{ .CapabilityDrop }}
 {{- end }}
 {{- end }}
 {{- if .ContainerSysCtls }}
 SysCtls:
 {{- range $k, $v := .ContainerSysCtls }}
@ -532,6 +541,26 @@ func (ctx *serviceInspectContext) Ports() []swarm.PortConfig {
 	return ctx.Service.Endpoint.Ports
 }
 func (ctx *serviceInspectContext) HasCapabilities() bool {
 	return len(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd) > 0 || len(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop) > 0
 }
 func (ctx *serviceInspectContext) HasCapabilityAdd() bool {
 	return len(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd) > 0
 }
 func (ctx *serviceInspectContext) HasCapabilityDrop() bool {
 	return len(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop) > 0
 }
 func (ctx *serviceInspectContext) CapabilityAdd() string {
 	return strings.Join(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd, ", ")
 }
 func (ctx *serviceInspectContext) CapabilityDrop() string {
 	return strings.Join(ctx.Service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop, ", ")
 }
 const (
 	defaultServiceTableFormat = "table {{.ID}}\t{{.Name}}\t{{.Mode}}\t{{.Replicas}}\t{{.Image}}\t{{.Ports}}"
--- a/cli/command/service/opts.go
+++ b/cli/command/service/opts.go
@ -506,6 +506,8 @@ type serviceOptions struct {
 	dnsOption       opts.ListOpts
 	hosts           opts.ListOpts
 	sysctls         opts.ListOpts
 	capAdd          opts.ListOpts
 	capDrop         opts.ListOpts
 	resources resourceOptions
 	stopGrace opts.DurationOpt
@ -549,6 +551,8 @@ func newServiceOptions() *serviceOptions {
 		dnsSearch:       opts.NewListOpts(opts.ValidateDNSSearch),
 		hosts:           opts.NewListOpts(opts.ValidateExtraHost),
 		sysctls:         opts.NewListOpts(nil),
 		capAdd:          opts.NewListOpts(nil),
 		capDrop:         opts.NewListOpts(nil),
 	}
 }
@ -716,6 +720,8 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 				Healthcheck:     healthConfig,
 				Isolation:       container.Isolation(options.isolation),
 				Sysctls:         opts.ConvertKVStringsToMap(options.sysctls.GetAll()),
 				CapabilityAdd:   options.capAdd.GetAll(),
 				CapabilityDrop:  options.capDrop.GetAll(),
 			},
 			Networks:      networks,
 			Resources:     resources,
@ -818,6 +824,10 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
 	flags.StringVar(&opts.hostname, flagHostname, "", "Container hostname")
 	flags.SetAnnotation(flagHostname, "version", []string{"1.25"})
 	flags.Var(&opts.entrypoint, flagEntrypoint, "Overwrite the default ENTRYPOINT of the image")
 	flags.Var(&opts.capAdd, flagCapAdd, "Add Linux capabilities")
 	flags.SetAnnotation(flagCapAdd, "version", []string{"1.41"})
 	flags.Var(&opts.capDrop, flagCapDrop, "Drop Linux capabilities")
 	flags.SetAnnotation(flagCapDrop, "version", []string{"1.41"})
 	flags.Var(&opts.resources.limitCPU, flagLimitCPU, "Limit CPUs")
 	flags.Var(&opts.resources.limitMemBytes, flagLimitMemory, "Limit Memory")
@ -1001,6 +1011,8 @@ const (
 	flagConfigAdd               = "config-add"
 	flagConfigRemove            = "config-rm"
 	flagIsolation               = "isolation"
 	flagCapAdd                  = "cap-add"
 	flagCapDrop                 = "cap-drop"
 )
 func validateAPIVersion(c swarm.ServiceSpec, serverAPIVersion string) error {
--- a/cli/command/service/update.go
+++ b/cli/command/service/update.go
@ -505,6 +505,7 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 	}
 	updateString(flagStopSignal, &cspec.StopSignal)
 	updateCapabilities(flags, cspec)
 	return nil
 }
@ -1349,3 +1350,41 @@ func updateCredSpecConfig(flags *pflag.FlagSet, containerSpec *swarm.ContainerSp
 		containerSpec.Privileges.CredentialSpec = credSpec
 	}
 }
 func updateCapabilities(flags *pflag.FlagSet, containerSpec *swarm.ContainerSpec) {
 	var addToRemove, dropToRemove map[string]struct{}
 	capAdd := containerSpec.CapabilityAdd
 	capDrop := containerSpec.CapabilityDrop
 	// First add the capabilities passed to --cap-add to the list of requested caps
 	if flags.Changed(flagCapAdd) {
 		caps := flags.Lookup(flagCapAdd).Value.(*opts.ListOpts).GetAll()
 		capAdd = append(capAdd, caps...)
 		dropToRemove = buildToRemoveSet(flags, flagCapAdd)
 	}
 	// And add the capabilities passed to --cap-drop to the list of dropped caps
 	if flags.Changed(flagCapDrop) {
 		caps := flags.Lookup(flagCapDrop).Value.(*opts.ListOpts).GetAll()
 		capDrop = append(capDrop, caps...)
 		addToRemove = buildToRemoveSet(flags, flagCapDrop)
 	}
 	// Then take care of removing caps passed to --cap-drop from the list of requested caps
 	containerSpec.CapabilityAdd = make([]string, 0, len(capAdd))
 	for _, cap := range capAdd {
 		if _, exists := addToRemove[cap]; !exists {
 			containerSpec.CapabilityAdd = append(containerSpec.CapabilityAdd, cap)
 		}
 	}
 	// And remove the caps passed to --cap-add from the list of caps to drop
 	containerSpec.CapabilityDrop = make([]string, 0, len(capDrop))
 	for _, cap := range capDrop {
 		if _, exists := dropToRemove[cap]; !exists {
 			containerSpec.CapabilityDrop = append(containerSpec.CapabilityDrop, cap)
 		}
 	}
 }
--- a/cli/command/service/update_test.go
+++ b/cli/command/service/update_test.go
@ -1342,3 +1342,74 @@ func TestUpdateCredSpec(t *testing.T) {
 		})
 	}
 }
 func TestUpdateCaps(t *testing.T) {
 	tests := []struct {
 		// name is the name of the testcase
 		name string
 		// flagAdd is the value passed to --cap-add
 		flagAdd []string
 		// flagDrop is the value passed to --cap-drop
 		flagDrop []string
 		// spec is the original ContainerSpec, before being updated
 		spec *swarm.ContainerSpec
 		// expectedAdd is the set of requested caps the ContainerSpec should have once updated
 		expectedAdd []string
 		// expectedDrop is the set of dropped caps the ContainerSpec should have once updated
 		expectedDrop []string
 	}{
 		{
 			name:         "Add new caps",
 			flagAdd:      []string{"NET_ADMIN"},
 			flagDrop:     []string{},
 			spec:         &swarm.ContainerSpec{},
 			expectedAdd:  []string{"NET_ADMIN"},
 			expectedDrop: []string{},
 		},
 		{
 			name:         "Drop new caps",
 			flagAdd:      []string{},
 			flagDrop:     []string{"CAP_MKNOD"},
 			spec:         &swarm.ContainerSpec{},
 			expectedAdd:  []string{},
 			expectedDrop: []string{"CAP_MKNOD"},
 		},
 		{
 			name:     "Add a previously dropped cap",
 			flagAdd:  []string{"NET_ADMIN"},
 			flagDrop: []string{},
 			spec: &swarm.ContainerSpec{
 				CapabilityDrop: []string{"NET_ADMIN"},
 			},
 			expectedAdd:  []string{"NET_ADMIN"},
 			expectedDrop: []string{},
 		},
 		{
 			name:     "Drop a previously requested cap",
 			flagAdd:  []string{},
 			flagDrop: []string{"CAP_MKNOD"},
 			spec: &swarm.ContainerSpec{
 				CapabilityAdd: []string{"CAP_MKNOD"},
 			},
 			expectedAdd:  []string{},
 			expectedDrop: []string{"CAP_MKNOD"},
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			flags := newUpdateCommand(nil).Flags()
 			for _, cap := range tc.flagAdd {
 				flags.Set(flagCapAdd, cap)
 			}
 			for _, cap := range tc.flagDrop {
 				flags.Set(flagCapDrop, cap)
 			}
 			updateCapabilities(flags, tc.spec)
 			assert.DeepEqual(t, tc.spec.CapabilityAdd, tc.expectedAdd)
 			assert.DeepEqual(t, tc.spec.CapabilityDrop, tc.expectedDrop)
 		})
 	}
 }