Looks that those moby / swarmkit bumps generates need to modify existing code so will split them to another PR later (if no one else don't do that before me).

Why is this syntax different form the docker-compose syntax? It makes using swarm difficult. We already have a syntax for adding and removing capabilities, can't you use that?

@mterron very valid point. I can investigate that option too. Whole CLI solution is currently bit open that how it should be implemented so all feedback is welcome (discussion is going on moby/moby#25885 (comment) )

PS. Marked this PR to WIP

Codecov Report

Merging #1940 into master will increase coverage by 0.02%.
The diff coverage is 83.33%.

@@            Coverage Diff             @@
##           master    #1940      +/-   ##
==========================================
+ Coverage   56.78%   56.81%   +0.02%     
==========================================
  Files         311      311              
  Lines       21839    21863      +24     
==========================================
+ Hits        12402    12422      +20     
- Misses       8522     8524       +2     
- Partials      915      917       +2

Codecov Report

❗ No coverage uploaded for pull request base (master@4538b15). Click here to learn what that means.
The diff coverage is 83.33%.

@@            Coverage Diff            @@
##             master    #1940   +/-   ##
=========================================
  Coverage          ?   56.81%           
=========================================
  Files             ?      311           
  Lines             ?    21863           
  Branches          ?        0           
=========================================
  Hits              ?    12422           
  Misses            ?     8524           
  Partials          ?      917

@mterron now this works with existing cap_add/cap_drop/privileged syntax. Can you test?

@thaJeztah PTAL

Looks good.

Somebody up merge

Is this the roadmap for this feature?
moby/moby#25885 (comment)

@olljanat this needs a rebase

@kolyshkin for vendor bump yes but can you plz review the actual implementation first?

Rebased. Default capabilities are duplicated here because DefaultCapabilities() -function from github.com/docker/docker/oci cannot be vendored because it would include some other references which does not pass cross compile.

Created moby/moby#40212 which fixes that issue.

@Zerocjx sounds that you are not updated Docker engine (dockerd) to master build. If that does not help plz ping me on Docker community Slack (as that sounds more like usage issue than bug).

@cpuguy83 @alexellis Added now also check for API version because those parameters exists already on earlier engine versions but only API version >= 1.40 support them with stack which would be very confusing for users. Also added requested tests.

@cpuguy83 Starting container without no capabilities at all should works just like on docker run / docker-compose commands where user need specify all default ones to cap_droplist. Another options would be introduce some special capability e.g. NONE (like there actually is ALL already). However I'm not sure if there actually is any real world use case for that scenario? And even if there is probably it would be better to implement it separately?

@olljanat thx. After replace the dockerd with the master dockerd build, it works.

Hi, what is the status of cap_add and cap_drop support in docker stack?

@cpuguy83 @alexellis (and maybe @thaJeztah too? ) please review again after latest changes.

Rebased. @thaJeztah @silvin-lubecki PTAL

ping @thaJeztah @silvin-lubecki

Oh! Exactly what I'm looking for!
I use GDB inside of my docker containers normally and I'm trying to migrate to Swarm, but GDB need STRACE cap to start

How I can test it @olljanat ? I guess I need to manually install this version of CLI and maybe dockerd ?
EDIT: nvm info is in some comments a bit higher :D

@tiborvass I can see that you have merged some PRs to here lately. Maybe you can check this one too?

Please confirm:

A config like the following results in all capabilities instead of no capabilities:

version: "3.8"
services:
    test:
        image: *
        cap_drop:
            - ALL

The capabilities array comes back as empty in service.go line 121.

Which I think is interpreted the same as not specifying any caps (defaulting to all caps) in both the swarmkit pb file and docker api container.go because it's empty. They can't distinguish between not specifying caps (no caps array) and drop all caps (empty caps array).

A special NONE value may be required.

@contrem a lot of time has passed after I implemented those so I cannot say sure but my supposition is that "ALL" should invalid value for cap_add/cap_drop on Moby side and give error. If it does not work like that then it is most probably bug on Moby.

If there is some real world use case for special NONE capability IMO it should be implemented as separate PR on moby side as this is part of trying get same logic to docker service which have been years available with docker-compose.

I'm surprised after all this time this has still yet to be merged.

The ALL value is handled in https://github.com/moby/moby/blob/master/oci/caps/utils.go#L120

The behavior I expected would be the same as

docker run -it --cap-drop all ollijanatuinen/capsh:

Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Instead, the result using the previous config with image ollijanatuinen/capsh and docker stack deploy is:

Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

When adding a single cap and dropping all others, it works as expected because the cap array returned is not empty:

version: "3.8"
services:
    test:
        image: ollijanatuinen/capsh
        cap_add:
            - chown
        cap_drop:
            - all

Current: = cap_chown+eip
Bounding set =cap_chown
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

I don't know where the empty cap array issue should be handled, but I do think the cap_drop all handling is unexpected behavior.

I am cheering for you all SO HARD on this one. This is such a crucial feature and will unlock so many use-cases for us. Thank you @olljanat for your work championing this feature and I hope we see this in the next release.

While already 👍 and ❤️ , my inner still want to post this useless comment to show that I (and many others) really hope this feature will be available soon. I will go back to cheer with many 🎉🎉🎉🎉🎉 when it is finally merged.

I can't believe it's still not merged...

I think we are going to have to revert these API changes in the engine and swarmkit since the API does not seem to hold up well. This is based on discussions in the maintainers call last Thursday.

Specifically some of the things mentioned early on in the design review here are problematic.
Namely that the client must specify the full list of caps, meanwhile the client does not know actually what caps are available on the engine host.

moby/moby#41249 makes the neccessary changes to moby's API for correcting cap add/drop support.

@olljanat Do you need some help to finish this PR? 🙂

@akerouanton if you or someone else want take responsibility to finalize this I'm more than happy to give it forward. I did see than PR on moby side was merged but have not found time to investigate what actually is need to be changed here.

I'm working on updating the vendored version of moby in #2659 (opened as draft as it may need local changes). After that it should be possible to implement the changes here to wire that up