Add support for exact list of capabilities + capAdd / capDrop refactor

[olljanat]

- What I did
Added support for exact list of capabilities list of container capabilities which can be used instead of these CapAdd and CapDrop like discussed on #26849 (comment)

and refactored capAdd and capDrop to share as much code as possible with this new feature.

- How I did it
In cooperation with @thaJeztah 😉

- How to verify it
CI makes sure that existing functionality works like expected and new integration tests verify that new functionality works correctly.

- Description for the changelog

• Add support for exact list of capabilities, support only OCI model
• Support OCI model on CapAdd and CapDrop but remain backward compatibility
• Create variable locally instead of declaring it at the top
• Use const for magic "ALL" value
• Rename cap variable as it overlaps with cap() built-in
• Normalize and validate capabilities before use
• Move validation for conflicting options to validateHostConfig()
• TweakCapabilities: simplify logic to calculate capabilities

- Comments
First step to solve #25885 , #24862 and moby/swarmkit#1030
Replaces #26849
Dependency for moby/swarmkit#2795

[codecov]

Codecov Report

Merging #38380 into master will increase coverage by 0.01%.
The diff coverage is 16.66%.

@@            Coverage Diff             @@
##           master   #38380      +/-   ##
==========================================
+ Coverage    36.6%   36.61%   +0.01%     
==========================================
  Files         608      608              
  Lines       45224    45241      +17     
==========================================
+ Hits        16553    16567      +14     
+ Misses      26384    26383       -1     
- Partials     2287     2291       +4

[olljanat]

@thaJeztah looks working fine with moby/swarmkit#2795 so can you review and give your thoughts?

Docs updates are not included yet on purpose because I would get #37940 merged first and don't want cause conflicts with it.

[thaJeztah]

Thanks for working on this! I left some comments inline.

[olljanat]

@thaJeztah updated based on feedback 😎

EDIT: Also modified to API comment to use same format than on #38381

[thaJeztah]

Also, if we change how we store this information in the container's spec on disk (not sure we do, just thinking out loud), we need to verify that the daemon will still support containers that are created with an older version, and doesn't doesn't prevent those from being started

[olljanat]

Also, if we change how we store this information in the container's spec on disk (not sure we do, just thinking out loud), we need to verify that the daemon will still support containers that are created with an older version, and doesn't doesn't prevent those from being started

No we don't change this. Container spec is stored like it is provided to API. Normalization for CapAdd / CapDrop happens when container starts.

There is quite many old test cases on

moby/integration-cli/docker_cli_run_test.go

Lines 977 to 1073 in c8ff5ec

	func (s *DockerSuite) TestRunCapDropInvalid(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-drop
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-drop=CHPASS", "busybox", "ls")
	if err == nil {
	c.Fatal(err, out)
	}
	}
	func (s *DockerSuite) TestRunCapDropCannotMknod(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-drop or mknod
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-drop=MKNOD", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
	if err == nil {
	c.Fatal(err, out)
	}
	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
	c.Fatalf("expected output not ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapDropCannotMknodLowerCase(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-drop or mknod
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-drop=mknod", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
	if err == nil {
	c.Fatal(err, out)
	}
	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
	c.Fatalf("expected output not ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapDropALLCannotMknod(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-drop or mknod
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-drop=ALL", "--cap-add=SETGID", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
	if err == nil {
	c.Fatal(err, out)
	}
	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
	c.Fatalf("expected output not ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapDropALLAddMknodCanMknod(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-drop or mknod
	testRequires(c, DaemonIsLinux, NotUserNamespace)
	out, _ := dockerCmd(c, "run", "--cap-drop=ALL", "--cap-add=MKNOD", "--cap-add=SETGID", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
	c.Fatalf("expected output ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapAddInvalid(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-add
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-add=CHPASS", "busybox", "ls")
	if err == nil {
	c.Fatal(err, out)
	}
	}
	func (s *DockerSuite) TestRunCapAddCanDownInterface(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-add
	testRequires(c, DaemonIsLinux)
	out, _ := dockerCmd(c, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
	c.Fatalf("expected output ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapAddALLCanDownInterface(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-add
	testRequires(c, DaemonIsLinux)
	out, _ := dockerCmd(c, "run", "--cap-add=ALL", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
	c.Fatalf("expected output ok received %s", actual)
	}
	}
	func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
	// Not applicable for Windows as there is no concept of --cap-add
	testRequires(c, DaemonIsLinux)
	out, _, err := dockerCmdWithError("run", "--cap-add=ALL", "--cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
	if err == nil {
	c.Fatal(err, out)
	}
	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
	c.Fatalf("expected output not ok received %s", actual)
	}
	}

which should make sure that old configs works.

[thaJeztah]

Thanks @olljanat!

I left comments inline, but was going through these changes and that the validation only take place on docker start (not on docker create).

I have some ideas, but probably faster to show those instead of trying to explain them; I'll work on a branch so that you can incorporate those changes in your PR if you agree with them 🤗

Will post a link once if made those changes 👍

[thaJeztah]

Pushed a branch here; I split my changes into several commits, to make it easier to grasp what I did 😅 master...thaJeztah:capabilities_support_move_to_create

(or diff compared to your branch; olljanat/moby@capabilities-support...thaJeztah:capabilities_support_move_to_create)

[thaJeztah]

oh, hold on, pushed one outdated commit; fixing

[thaJeztah]

done 👍

[olljanat]

I have some ideas, but probably faster to show those instead of trying to explain them; I'll work on a branch so that you can incorporate those changes in your PR if you agree with them

@thaJeztah those looks good on quick view. Will do some testing with them but I included them already so we can see result of CI.

[olljanat]

One "minor" thing. --cap-add or --cap-drop does not work anymore so CI should fail to it. Let's see. I will look if I find why it is so.

EDIT: Found it. Fixed on olljanat@d5404a7 but I will wait that CI finishes so we can see that it really finds those failures.

EDIT 2: Yes. Looks correct: https://jenkins.dockerproject.org/job/Docker-PRs/52704/console

[olljanat]

@thaJeztah I'm not sure if that is correct way but I rebased this now to one commit which is signed off by both of us (have seen that on some old commits too).

[thaJeztah]

but I rebased this now to one commit which is signed off by both of us (have seen that on some old commits too).

That sounds ok 👍
(I don't need the credits for this, so no need to keep my commits separate)

[olljanat]

LGTM, but I do think we should fix the issue that you can't say CAP_SYS_ADMIN you have to say SYS_ADMIN before we ship this, and accept either form as this won't break anything.

@justincormack now this is handled. PTAL

[thaJeztah]

LGTM (saw I still had "changes requested")

[thaJeztah]

(We can look at the client normalising the values in a follow-up (probably limiting to uppercasing values before sending them over the API))

[olljanat]

@AkihiroSuda can you look this one again as it was heavily modified after your last review?

[thaJeztah]

I think this should be ready to go; merging.

@AkihiroSuda let me know if there's follow-ups to do after this is merged 🤗

[AkihiroSuda]

LGTM

[olljanat]

@presidenten no. up to date status is visible on this message: #25885 (comment)

Target is get complete solution out part of 19.06.