

Add support for --cap-drop
 - Support for --cap-add was added as part of
   GoogleContainerTools#327

 - This rounds out the feature set to also include support for
   --cap-drop

 - Updates tests to drop "chown" capability and verify doing so works

 - closes GoogleContainerTools#389
ddl-ebrown committed Feb 29, 2024
1 parent 048f4eb commit e3c9a68
Showing 7 changed files with 39 additions and 16 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -303,6 +303,8 @@ containerRunOptions:
- OTHER_SECRET_BAR
capabilities: # Add list of Linux capabilities (--cap-add)
- NET_BIND_SERVICE
drop_capabilities: # Drop list of Linux capabilities (--cap-drop)
- NET_BIND_SERVICE
bindMounts: # Bind mount a volume (--volume, -v)
- /etc/example/dir:/etc/dir
```
19 changes: 11 additions & 8 deletions pkg/drivers/docker_driver.go
Expand Up @@ -19,13 +19,14 @@ import (
"bufio"
"bytes"
"fmt"
"github.com/joho/godotenv"
"io"
"os"
"path"
"path/filepath"
"strings"

"github.com/joho/godotenv"

"github.com/pkg/errors"
"github.com/sirupsen/logrus"

Expand Down Expand Up @@ -66,17 +67,19 @@ func NewDockerDriver(args DriverConfig) (Driver, error) {
func (d *DockerDriver) hostConfig() *docker.HostConfig {
if d.runOpts.IsSet() && d.runtime != "" {
return &docker.HostConfig{
Capabilities: d.runOpts.Capabilities,
Binds: d.runOpts.BindMounts,
Privileged: d.runOpts.Privileged,
Runtime: d.runtime,
CapAdd: d.runOpts.CapAdd,
CapDrop: d.runOpts.CapDrop,
Binds: d.runOpts.BindMounts,
Privileged: d.runOpts.Privileged,
Runtime: d.runtime,
}
}
if d.runOpts.IsSet() {
return &docker.HostConfig{
Capabilities: d.runOpts.Capabilities,
Binds: d.runOpts.BindMounts,
Privileged: d.runOpts.Privileged,
CapAdd: d.runOpts.CapAdd,
CapDrop: d.runOpts.CapDrop,
Binds: d.runOpts.BindMounts,
Privileged: d.runOpts.Privileged,
}
}
if d.runtime != "" {
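Review bot: The two HostConfig literals in hostConfig now repeat the same four option fields and differ only by Runtime, so the next option added (as CapDrop was here) has to be threaded through both branches again. Building one literal from runOpts and setting Runtime conditionally removes the duplication without changing what is sent to the daemon; the runtime-only branch and the function's tail continue outside the hunk and stay as they are. The rewritten head of the function is below.
```go
func (d *DockerDriver) hostConfig() *docker.HostConfig {
	if d.runOpts.IsSet() {
		hc := &docker.HostConfig{
			CapAdd:     d.runOpts.CapAdd,
			CapDrop:    d.runOpts.CapDrop,
			Binds:      d.runOpts.BindMounts,
			Privileged: d.runOpts.Privileged,
		}
		// Runtime keeps its zero value when none was configured, as before.
		if d.runtime != "" {
			hc.Runtime = d.runtime
		}
		return hc
	}
	// … unchanged: runtime-only branch, continues outside the hunk …
```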
18 changes: 10 additions & 8 deletions pkg/types/unversioned/types.go
Expand Up @@ -45,13 +45,14 @@ type Config struct {
}

type ContainerRunOptions struct {
User string
Privileged bool
TTY bool `yaml:"allocateTty"`
EnvVars []string `yaml:"envVars"`
EnvFile string `yaml:"envFile"`
Capabilities []string
BindMounts []string `yaml:"bindMounts"`
User string
Privileged bool
TTY bool `yaml:"allocateTty"`
EnvVars []string `yaml:"envVars"`
EnvFile string `yaml:"envFile"`
CapAdd []string `yaml:"capabilities"`
CapDrop []string `yaml:"drop_capabilities"`
BindMounts []string `yaml:"bindMounts"`
}

func (opts *ContainerRunOptions) IsSet() bool {
Expand All @@ -60,7 +61,8 @@ func (opts *ContainerRunOptions) IsSet() bool {
opts.TTY ||
len(opts.EnvFile) > 0 ||
(opts.EnvVars != nil && len(opts.EnvVars) > 0) ||
(opts.Capabilities != nil && len(opts.Capabilities) > 0) ||
(opts.CapAdd != nil && len(opts.CapAdd) > 0) ||
(opts.CapDrop != nil && len(opts.CapDrop) > 0) ||
(opts.BindMounts != nil && len(opts.BindMounts) > 0)
}
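Review bot: The new tag `yaml:"drop_capabilities"` on CapDrop in the struct hunk above breaks the camelCase convention used by every other key in ContainerRunOptions (`allocateTty`, `envVars`, `envFile`, `bindMounts`); `yaml:"dropCapabilities"` would match, though the README example and the four test fixtures in this commit would then need the same spelling. Keeping `capabilities` as the key for the renamed CapAdd field preserves existing configs, which is good. In the IsSet hunk the added `(opts.CapDrop != nil && len(opts.CapDrop) > 0)` clause follows the existing pattern; `len(opts.CapDrop) > 0` alone is equivalent since the length of a nil slice is 0, but that is pre-existing style rather than something this commit introduces.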

4 changes: 4 additions & 0 deletions tests/amd64/ubuntu_22_04_containeropts_test.yaml
Expand Up @@ -5,6 +5,8 @@ commandTests:
args: ["--print"]
expectedOutput:
- ".*cap_sys_admin.*"
excludedOutput:
- ".*chown.*"
- name: "Test bindMounts containerRunOptions"
command: "test"
args:
Expand All @@ -15,5 +17,7 @@ containerRunOptions:
privileged: true
capabilities:
- "sys_admin"
drop_capabilities:
- "chown"
bindMounts:
- "/tmp/test:/tmp/test"
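Review bot: This fixture sets `privileged: true` together with `drop_capabilities: - "chown"` and asserts that `.*chown.*` is absent from the `--print` output; as far as I recall the Docker daemon grants a privileged container the full capability set regardless of CapDrop, so it is worth confirming that the exclusion is really exercising the drop rather than passing for another reason (for example the output format not naming the capability). If privileged containers do ignore CapDrop, a non-privileged variant of this test is the one that would actually prove --cap-drop works, and the README could state that drop_capabilities has no effect under privileged. The same fixture is repeated for arm64, ppc64le and s390x.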
4 changes: 4 additions & 0 deletions tests/arm64/ubuntu_22_04_containeropts_test.yaml
Expand Up @@ -5,6 +5,8 @@ commandTests:
args: ["--print"]
expectedOutput:
- ".*cap_sys_admin.*"
excludedOutput:
- ".*chown.*"
- name: "Test bindMounts containerRunOptions"
command: "test"
args:
Expand All @@ -15,5 +17,7 @@ containerRunOptions:
privileged: true
capabilities:
- "sys_admin"
drop_capabilities:
- "chown"
bindMounts:
- "/tmp/test:/tmp/test"
4 changes: 4 additions & 0 deletions tests/ppc64le/ubuntu_22_04_containeropts_test.yaml
Expand Up @@ -5,6 +5,8 @@ commandTests:
args: ["--print"]
expectedOutput:
- ".*cap_sys_admin.*"
excludedOutput:
- ".*chown.*"
- name: "Test bindMounts containerRunOptions"
command: "test"
args:
Expand All @@ -15,5 +17,7 @@ containerRunOptions:
privileged: true
capabilities:
- "sys_admin"
drop_capabilities:
- "chown"
bindMounts:
- "/tmp/test:/tmp/test"
4 changes: 4 additions & 0 deletions tests/s390x/ubuntu_22_04_containeropts_test.yaml
Expand Up @@ -5,6 +5,8 @@ commandTests:
args: ["--print"]
expectedOutput:
- ".*cap_sys_admin.*"
excludedOutput:
- ".*chown.*"
- name: "Test bindMounts containerRunOptions"
command: "test"
args:
Expand All @@ -15,5 +17,7 @@ containerRunOptions:
privileged: true
capabilities:
- "sys_admin"
drop_capabilities:
- "chown"
bindMounts:
- "/tmp/test:/tmp/test"
