lcow: Allow the client to adjust capabilities and device cgroup rules by jstarks · Pull Request #37294 · moby/moby

jstarks · 2018-06-15T22:47:12Z

- What I did
Allowed LCOW clients to pass --cap-add, --device-group-rule etc. to customize the capabilities and device cgroup rules for their containers.
- How I did it
Moved the capabilities- and device cgroup-related OCI spec creation code from Linux-specific code to a common area.
- How to verify it
docker run --cap-add=SYSLOG ubuntu dmesg now succeeds on LCOW.
- Description for the changelog
Allow the client to customize capabilities and device cgroup rules for LCOW containers

- A picture of a cute animal (not mandatory but encouraged)

jstarks · 2018-06-15T22:47:22Z

@jhowardmsft PTAL

Signed-off-by: John Starks <jostarks@microsoft.com>

lowenna

Nice. LGTM.

@johnstep PTAL

thaJeztah

Two minor nits, but overall looks okay

thaJeztah · 2018-06-15T23:34:36Z

daemon/oci_windows.go

 	s.Root.Path = "rootfs"
 	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+	if err := setCapabilities(s, c); err != nil {
+		return fmt.Errorf("linux spec capabilities: %v", err)


Perhaps "failed to set ....." ?

Also may want to use errors.Wrap(err, "failed to set ...") to preserve the original error

I copied these errors from the Linux use of the functions. Do you want me to update both places or leave it as is?

(Maybe better to avoid duplication altogether but doing that in this change seemed to be more trouble than its worth right now.)

Ah! Didn't check be Linux equivalent, but now recall I saw those at some point and wanted to update them.

Let's keep them as-is for now to be consistent, and keep it for a separate PR to improve if we want to

thaJeztah · 2018-06-15T23:39:16Z

daemon/oci_windows.go

+	}
+	devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
+	if err != nil {
+		return fmt.Errorf("linux runtime spec devices: %v", err)


Same here (errors.Wrap()), and perhaps failed to .... (or something along that line)

johnstep

LGTM

thaJeztah

LGTM

yongtang · 2018-06-17T22:46:58Z

The only failure is:

FAIL: docker_cli_daemon_test.go:1800: DockerDaemonSuite.TestDaemonNoSpaceLeftOnDeviceError

which I think is unrelated.

thaJeztah · 2018-06-20T00:24:12Z

That failure will be addressed through #37315

thaJeztah · 2018-06-20T05:13:54Z

same test failed again; but it's unrelated, so merging

itsgk92 · 2019-01-24T09:15:20Z

Is there a edge release available for this yet?

thaJeztah · 2019-01-24T10:09:13Z

@itsgk92 this was merged un June last year, and is part of Docker 18.06 and up

itsgk92 · 2019-01-24T12:00:18Z

I couldn't find it working. #38631

GordonTheTurtle added the status/0-triage label Jun 15, 2018

lcow: Allow the client to add or remove capabilities

349aeea

Signed-off-by: John Starks <jostarks@microsoft.com>

jstarks force-pushed the lcow_caps branch from fd42bab to 349aeea Compare June 15, 2018 23:03

lcow: Allow the client to add device cgroup rules

e9268d9

Signed-off-by: John Starks <jostarks@microsoft.com>

jstarks changed the title ~~lcow: Allow the client to add or remove capabilities~~ lcow: Allow the client to adjust capabilities and device cgroup rules Jun 15, 2018

lowenna approved these changes Jun 15, 2018

View reviewed changes

lowenna added status/2-code-review and removed status/0-triage labels Jun 15, 2018

thaJeztah added kind/experimental platform/windows labels Jun 15, 2018

thaJeztah requested changes Jun 15, 2018

View reviewed changes

thaJeztah added the impact/changelog label Jun 15, 2018

johnstep approved these changes Jun 16, 2018

View reviewed changes

thaJeztah added the rebuild/* label Jun 16, 2018

GordonTheTurtle removed the rebuild/* label Jun 16, 2018

thaJeztah approved these changes Jun 16, 2018

View reviewed changes

thaJeztah added status/4-merge and removed status/2-code-review labels Jun 16, 2018

yongtang added rebuild/powerpc labels Jun 17, 2018

GordonTheTurtle removed rebuild/powerpc labels Jun 17, 2018

vdemeester added the rebuild/powerpc label Jun 18, 2018

GordonTheTurtle removed the rebuild/powerpc label Jun 18, 2018

notanaverageman mentioned this pull request Jun 19, 2018

Implemented memory and CPU limits for LCOW. #37296

Merged

AkihiroSuda added the rebuild/powerpc label Jun 19, 2018

GordonTheTurtle removed the rebuild/powerpc label Jun 19, 2018

thaJeztah merged commit e259323 into moby:master Jun 20, 2018

lowenna mentioned this pull request Jul 2, 2018

LCOW: docker run --user seems to be ignored #36469

Closed

lowenna mentioned this pull request Aug 13, 2018

Using --cap-add sys_resource does not work on Windows Server 1709 with Docker EE 17.10 #35943

Closed

thaJeztah added the area/lcow Issues and PR's related to the experimental LCOW feature label Oct 30, 2018

Conversation

jstarks commented Jun 15, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jstarks commented Jun 15, 2018

Uh oh!

lowenna left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah Jun 15, 2018

Choose a reason for hiding this comment

Uh oh!

jstarks Jun 16, 2018

Choose a reason for hiding this comment

Uh oh!

thaJeztah Jun 16, 2018

Choose a reason for hiding this comment

Uh oh!

thaJeztah Jun 15, 2018

Choose a reason for hiding this comment

Uh oh!

johnstep left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

yongtang commented Jun 17, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thaJeztah commented Jun 20, 2018

Uh oh!

thaJeztah commented Jun 20, 2018

Uh oh!

itsgk92 commented Jan 24, 2019

Uh oh!

thaJeztah commented Jan 24, 2019

Uh oh!

itsgk92 commented Jan 24, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

jstarks commented Jun 15, 2018 •

edited

Loading

yongtang commented Jun 17, 2018 •

edited

Loading