[carry 2663] Add capabilities support to stack/service commands

[thaJeztah]

carries #2663

closes #1940
closes #2199
closes #2663

Fixes moby/moby#25885

- What I did

This PR supersedes #1940 and #2199. I removed the support of privileged option from the original PR as I believe privileged containers involve more than just having the complete set of capabilities (eg. no user namespace, the unconfined AppArmor profile is used, etc...).

1. docker stack deploy now supports cap_add and cap_drop options ;
2. docker service create|update now support --cap-add and --cap-drop flags. For the update command and unlike most of other options, those flags don't have -add & -rm variants as this would make a poor UX (eg. --cap-add-add & --cap-drop-rm). Instead, updateCapabilities takes care of stripping caps provided to --cap-add from CapabilityDrop (and vice versa) ;
3. docker service inspect --pretty displays the list of added caps and dropped caps ;

- How I did it

1. The service converter transforming compose types into API types has been updated to add capabilities to ServiceSpec;
2. A new function with the logic described above and named updateCapabilities() has been introduced and is called by updateService ;
3. The pretty formatter has been updated to include added and dropped caps ;

- How to verify it

docker stack deploy

$ cat docker-compose.yaml
version: "3.7"
services:
  test:
    image: ollijanatuinen/capsh
    cap_add:
      - NET_ADMIN
    cap_drop:
      - CAP_MKNOD
$ build/docker stack deploy --compose-file docker-compose.yaml t1
$ docker inspect t1_test.1.m0jmdufuo93fotyyrhm00xx16
        "CapAdd": [
            "CAP_NET_ADMIN"
        ],
        "CapDrop": [
            "CAP_MKNOD"
        ],

docker service create

$ build/docker service create --name test --cap-add NET_ADMIN --cap-drop CAP_MKNOD ollijanatuinen/capsh
$ docker inspect test.1.li7llrgyp8v4mfvo5tvimhzxt
        "CapAdd": [
            "CAP_NET_ADMIN"
        ],
        "CapDrop": [
            "CAP_MKNOD"
        ],

docker service update

$ build/docker service update --cap-add CAP_MKNOD t1_test
$ docker inspect t1_test.1.92sd9omniksbenuv6wm17ft78
        "CapAdd": [
            "CAP_NET_ADMIN",
            "CAP_MKNOD"
        ],
        "CapDrop": null,

$ build/docker service update --cap-drop CAP_MKNOD --cap-drop NET_ADMIN t1_test
        "CapAdd": null,
        "CapDrop": [
            "CAP_MKNOD",
            "CAP_NET_ADMIN"
        ],

docker service inspect

$ build/docker service inspect t1_test
        "CapabilityAdd": [
            "CAP_NET_ADMIN"
        ],
        "CapabilityDrop": [
            "CAP_MKNOD"
        ]
$ build/docker service inspect --pretty t1_test
Capabilities:
 Add: CAP_NET_ADMIN
 Drop: CAP_MKNOD

- Description for the changelog

Add cap_add and cap_drop support to docker stack deploy and --cap-add and --cap-drop flags to docker service create|update.

- A picture of a cute animal (not mandatory but encouraged)

[codecov-commenter]

Codecov Report

Merging #2687 into master will increase coverage by 0.11%.
The diff coverage is 88.23%.

@@            Coverage Diff             @@
##           master    #2687      +/-   ##
==========================================
+ Coverage   58.42%   58.54%   +0.11%     
==========================================
  Files         295      296       +1     
  Lines       21201    21286      +85     
==========================================
+ Hits        12387    12462      +75     
- Misses       7906     7915       +9     
- Partials      908      909       +1     

[thaJeztah]

Ok, so I'm a bit in doubt what would be more logical; when updating a service that had previous cap-add/cap-drops, should we do:

A. Update both "previous" and "new" state at once

Given the following service;

CapDrop	CapAdd
CAP_SOME_CAP

When updating the service, and applying --cap-add CAP_SOME_CAP, the previously dropped capability is removed, and CAP_SOME_CAP is added:

CapDrop	CapAdd
	CAP_SOME_CAP

Downside of this is that there's no option to reset the cap-add/cap-drop through docker service update (note that this would be possible through docker stack up as it's "declarative", and doesn't take the previous state into account).

B. Update as a "tri-state" (for better words)

Given the following service;

CapDrop	CapAdd
CAP_SOME_CAP

When updating the service, and applying --cap-add CAP_SOME_CAP, the previously dropped capability is removed:

CapDrop	CapAdd

When updating the service a second time, applying --cap-add CAP_SOME_CAP, capability is now added:

CapDrop	CapAdd
	CAP_SOME_CAP

So upside is that it's possible to "reset" previous capabilities without adding new ones. Downside is that it requires multiple updates if that is the desired result (given, probably a rare condition)

C. Introduce a special "RESET" value

Given the following service;

CapDrop	CapAdd
CAP_SOME_CAP

When updating the service, and applying --cap-drop RESET:

CapDrop	CapAdd

When updating the service, and applying --cap-drop RESET, combined with --cap-add CAP_SOME_CAP and --cap-drop CAP_SOME_OTHER_CAP:

CapDrop	CapAdd
CAP_FOO_CAP	CAP_SOME_CAP

D. Combine B + C

Apply the diff to the existing list of capabilities first, but also allow using RESET to "start from scratch"

[thaJeztah]

As to my comment above, I added two commits that implement B and C

[thaJeztah]

I noticed that our completion scripts use the capabilities without the CAP_ prefix; I'm on the fence what we should use as "normalised" format: with, or without the CAP_. From a UX perspective, possibly without is more friendly (less to type, and less characters to type to use auto-completion)

@tiborvass @silvin-lubecki WDYT?

[thaJeztah]

Perhaps it doesn't make a big difference (as the values entered by the user will be normalised anyway, so the only difference will be in what's shown in docker service inspect. Looks like that's currently consistent with (e.g.) what's documented for docker plugin capabilities.

[silvin-lubecki]

I'm totally fine with values without the CAP_ 👍

[albers]

When completing signals, we offer both SIGXXX and XXX.
So for consistency, we could switch to supporting both variants here as well.
I'll create a PR for that.

[albers]

Created #2706

[silvin-lubecki]

typo: the/a list

[silvin-lubecki]

nit: should we also test ALL in cap-add AND cap-drop?

[silvin-lubecki]

nit: maybe add explicit empty expectedDrop?

[thaJeztah]

Yeah, guess it makes it slightly more understandable; I'll add explicit expectedDrop / expectedAdd lines

[silvin-lubecki]

nit: test also with "RESET", "ALL" ?

[thaJeztah]

even if I'm a bit on the fence with the UX (RESET looks weird to me, but I can't find a better way), so let's move with that 👍

I can move the last commit to a separate PR; I don't think it's critical to have it, and we can add it after that, so if it requires more discussion, we can do so separately

[thaJeztah]

@silvin-lubecki @albers updated this one, and moved the RESET commit to #2709

[silvin-lubecki]

LGTM

[thaJeztah]

@tiborvass @cpuguy83 PTAL

[cpuguy83]

LGTM

[kaysond]

I've been waiting for this! Is it going to be in 19.03 or a newer version? Any idea when it will get released?

[thaJeztah]

this will be in the upcoming 20.xx release

[robertnisipeanu]

Isn't this in the master branch? I tried installing docker-ce docker-ce-cli and containerd.io from the nightly build, however I still get "Ignoring unsupported options: cap_add"

[thaJeztah]

I think there's an issue with the nightly builds currently not being updated; this should be in the docker v20.10 release candidates in the testing channel (GA should be released soon)

[liangyuanpeng]

Look forward it!

[georgmay]

I'm getting the same "Ignoring unsupported options: cap_add" on 20.10

[trajano]

It does not work on Docker Desktop for Windows 3.0. I tried

  haveged:
    image: hortonworks/haveged:1.1.0
    deploy:
      restart_policy:
        max_attempts: 3
    cap_add:
      - SYS_ADMIN
      - MKNOD
      - DAC_OVERRIDE
      - NET_ADMIN
      - SYS_MODULE
      - SYS_PACCT

I don't get the data in

docker service inspect api_haveged --pretty

ID:             bcjakjq6i1xfuwdw729eix5sh
Name:           api_haveged
Labels:
 com.docker.stack.image=hortonworks/haveged:1.1.0
 com.docker.stack.namespace=api
Service Mode:   Replicated
 Replicas:      1
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
 Monitoring Period: 5s
 Max failure ratio: 0
 Update order:      stop-first
RollbackConfig:
 Parallelism:   1
 On failure:    pause
 Monitoring Period: 5s
 Max failure ratio: 0
 Rollback order:    stop-first
ContainerSpec:
 Image:         hortonworks/haveged:1.1.0
Resources:
Networks: api_default
Endpoint Mode:  vip

This is in regards to https://stackoverflow.com/questions/65241151/running-haveged-in-docker-swarm