actool: allow patch-manifest to override caps isolators

This commit unifies patch-manifest behavior so that --capability and --revoke-capability are able to override existing isolators. It will also remove one possible way of generating invalid manifests with multiple conflicting capabilitiess isolators.
appc · Jul 8, 2016 · 7b258ea · 7b258ea
1 parent 66a50da
commit 7b258ea
Showing 1 changed file with 22 additions and 29 deletions.
diff --git a/actool/manifest.go b/actool/manifest.go
@@ -18,6 +18,7 @@ import (
 	"archive/tar"
 	"compress/gzip"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -205,41 +206,33 @@ func patchManifest(im *schema.ImageManifest) error {
 		}
 	}
 
-	if patchCaps != "" {
-		isolator := app.Isolators.GetByName(types.LinuxCapabilitiesRetainSetName)
-		if isolator != nil {
-			return fmt.Errorf("isolator already exists (os/linux/capabilities-retain-set)")
-		}
-
-		// Instantiate a Isolator with the content specified by the --capability
-		// parameter.
-		caps, err := types.NewLinuxCapabilitiesRetainSet(strings.Split(patchCaps, ",")...)
-		if err != nil {
-			return fmt.Errorf("cannot parse capability %q: %v", patchCaps, err)
-		}
-		isolator, err = caps.AsIsolator()
-		if err != nil {
-			return err
-		}
-		app.Isolators = append(app.Isolators, *isolator)
+	if patchCaps != "" && patchRevokeCaps != "" {
+		return errors.New("conflicting capabilities isolators provided")
 	}
-	if patchRevokeCaps != "" {
-		isolator := app.Isolators.GetByName(types.LinuxCapabilitiesRevokeSetName)
-		if isolator != nil {
-			return fmt.Errorf("isolator already exists (os/linux/capabilities-remove-set)")
+	if patchCaps != "" || patchRevokeCaps != "" {
+		var capsIsolator *types.Isolator
+		var err error
+		if patchCaps != "" {
+			// Instantiate Isolator with content specified by --capability
+			caps, err := types.NewLinuxCapabilitiesRetainSet(strings.Split(patchCaps, ",")...)
+			if err != nil {
+				return fmt.Errorf("cannot parse capability retain set %q: %v", patchCaps, err)
+			}
+			capsIsolator, err = caps.AsIsolator()
 		}
-
-		// Instantiate a Isolator with the content specified by the --revoke-capability
-		// parameter.
-		caps, err := types.NewLinuxCapabilitiesRevokeSet(strings.Split(patchRevokeCaps, ",")...)
-		if err != nil {
-			return fmt.Errorf("cannot parse capability %q: %v", patchRevokeCaps, err)
+		if patchRevokeCaps != "" {
+			// Instantiate Isolator with content specified by --revoke-capability
+			caps, err := types.NewLinuxCapabilitiesRevokeSet(strings.Split(patchRevokeCaps, ",")...)
+			if err != nil {
+				return fmt.Errorf("cannot parse capability remove set %q: %v", patchRevokeCaps, err)
+			}
+			capsIsolator, err = caps.AsIsolator()
 		}
-		isolator, err = caps.AsIsolator()
 		if err != nil {
 			return err
 		}
-		app.Isolators = append(app.Isolators, *isolator)
+		capsKeys := []types.ACIdentifier{types.LinuxCapabilitiesRevokeSetName, types.LinuxCapabilitiesRetainSetName}
+		app.Isolators.ReplaceIsolatorsByName(*capsIsolator, capsKeys)
 	}
 
 	if patchMounts != "" {