feature: capability for both cri manager and container manager

cli/container.go

@@ -38,6 +38,8 @@ type container struct {
 	sysctls              []string
 	networks             []string
 	securityOpt          []string
+	capAdd               []string
+	capDrop              []string
 	blkioWeight          uint16
 	blkioWeightDevice    WeightDevice
 	blkioDeviceReadBps   ThrottleBpsDevice
@@ -138,6 +140,8 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 			Sysctls:       sysctls,
 			SecurityOpt:   c.securityOpt,
 			NetworkMode:   networkMode,
+			CapAdd:        c.capAdd,
+			CapDrop:       c.capDrop,
 		},
 
 		NetworkingConfig: networkingConfig,

cli/create.go

@@ -64,6 +64,8 @@ func (cc *CreateCommand) addFlags() {
 	flagSet.StringSliceVar(&cc.sysctls, "sysctl", nil, "Sysctl options")
 	flagSet.StringSliceVar(&cc.networks, "net", nil, "Set networks to container")
 	flagSet.StringSliceVar(&cc.securityOpt, "security-opt", nil, "Security Options")
+	flagSet.StringSliceVar(&cc.capAdd, "cap-add", nil, "Add Linux capabilities")
+	flagSet.StringSliceVar(&cc.capDrop, "cap-drop", nil, "Drop Linux capabilities")
 	flagSet.Uint16Var(&cc.blkioWeight, "blkio-weight", 0, "Block IO (relative weight), between 10 and 1000, or 0 to disable")
 	flagSet.Var(&cc.blkioWeightDevice, "blkio-weight-device", "Block IO weight (relative device weight)")
 	flagSet.Var(&cc.blkioDeviceReadBps, "device-read-bps", "Limit read rate (bytes per second) from a device")

cli/run.go

@@ -73,6 +73,8 @@ func (rc *RunCommand) addFlags() {
 	flagSet.StringSliceVar(&rc.sysctls, "sysctl", nil, "Sysctl options")
 	flagSet.StringSliceVar(&rc.networks, "net", nil, "Set networks to container")
 	flagSet.StringSliceVar(&rc.securityOpt, "security-opt", nil, "Security Options")
+	flagSet.StringSliceVar(&rc.capAdd, "cap-add", nil, "Add Linux capabilities")
+	flagSet.StringSliceVar(&rc.capDrop, "cap-drop", nil, "Drop Linux capabilities")
 	flagSet.Uint16Var(&rc.blkioWeight, "blkio-weight", 0, "Block IO (relative weight), between 10 and 1000, or 0 to disable")
 	flagSet.Var(&rc.blkioWeightDevice, "blkio-weight-device", "Block IO weight (relative device weight)")
 	flagSet.Var(&rc.blkioDeviceReadBps, "device-read-bps", "Limit read rate (bytes per second) from a device")

daemon/mgr/cri_utils.go

@@ -300,6 +300,12 @@ func modifyHostConfig(sc *runtime.LinuxContainerSecurityContext, hostConfig *api
 
 	// TODO: apply other security options.
 
+	// Apply capability options.
+	if sc.GetCapabilities() != nil {
+		hostConfig.CapAdd = sc.GetCapabilities().GetAddCapabilities()
+		hostConfig.CapDrop = sc.GetCapabilities().GetDropCapabilities()
+	}
+
 	// Apply appArmor options.
 	appArmorSecurityOpts, err := getAppArmorSecurityOpts(sc)
 	if err != nil {

daemon/mgr/spec.go

@@ -53,6 +53,7 @@ var setupFunc = []SetupFunc{
 	// linux-platform-specifc spec
 	setupSysctl,
 	setupAppArmor,
+	setupCapabilities,
 
 	// blkio spec
 	setupBlkio,

daemon/mgr/spec_linux.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"io/ioutil"
 	"os"
+
+	"github.com/docker/docker/daemon/caps"
 )
 
 const (
@@ -55,3 +57,21 @@ func setupAppArmor(ctx context.Context, meta *ContainerMeta, spec *SpecWrapper)
 
 	return nil
 }
+
+func setupCapabilities(ctx context.Context, meta *ContainerMeta, spec *SpecWrapper) error {
+	var caplist []string
+	var err error
+
+	capabilities := spec.s.Process.Capabilities
+	if meta.HostConfig.Privileged {
+		caplist = caps.GetAllCapabilities()
+	} else if caplist, err = caps.TweakCapabilities(capabilities.Effective, meta.HostConfig.CapAdd, meta.HostConfig.CapDrop); err != nil {
+		return err
+	}
+	capabilities.Effective = caplist
+	capabilities.Bounding = caplist
+	capabilities.Permitted = caplist
+	capabilities.Inheritable = caplist
+
+	return nil
+}

test/cli_create_test.go

@@ -166,6 +166,33 @@ func (suite *PouchCreateSuite) TestCreateWithAppArmor(c *check.C) {
 	}
 }
 
+// TestCreateWithCapability tries to test create a container with capability.
+func (suite *PouchCreateSuite) TestCreateWithCapability(c *check.C) {
+	capability := "NET_ADMIN"
+	name := "create-capability"
+
+	res := command.PouchRun("create", "--name", name, "--cap-add", capability, busyboxImage, "brctl", "addbr", "foobar")
+	res.Assert(c, icmd.Success)
+
+	output := command.PouchRun("inspect", name).Stdout()
+
+	result := &types.ContainerJSON{}
+	if err := json.Unmarshal([]byte(output), result); err != nil {
+		c.Errorf("failed to decode inspect output: %v", err)
+	}
+	c.Assert(result.HostConfig.CapAdd, check.NotNil)
+
+	exist := false
+	for _, cap := range result.HostConfig.CapAdd {
+		if cap == capability {
+			exist = true
+		}
+	}
+	if !exist {
+		c.Errorf("failed to set capability")
+	}
+}
+
 // TestCreateEnableLxcfs tries to test create a container with lxcfs.
 func (suite *PouchCreateSuite) TestCreateEnableLxcfs(c *check.C) {
 	name := "create-lxcfs"

test/cli_run_test.go

@@ -261,6 +261,16 @@ func (suite *PouchRunSuite) TestRunWithAppArmor(c *check.C) {
 	command.PouchRun("rm", "-f", name).Assert(c, icmd.Success)
 }
 
+// TestRunWithCapability is to verify run container with capability.
+func (suite *PouchRunSuite) TestRunWithCapability(c *check.C) {
+	capability := "NET_ADMIN"
+	name := "run-capability"
+
+	res := command.PouchRun("run", "--name", name, "--cap-add", capability, busyboxImage, "brctl", "addbr", "foobar")
+	res.Assert(c, icmd.Success)
+	command.PouchRun("rm", "-f", name).Assert(c, icmd.Success)
+}
+
 // TestRunWithBlkioWeight is to verify --specific Blkio Weight when running a container.
 func (suite *PouchRunSuite) TestRunWithBlkioWeight(c *check.C) {
 	name := "test-run-with-blkio-weight"

test/cli_start_test.go

@@ -163,3 +163,13 @@ func (suite *PouchStartSuite) TestStartWithAppArmor(c *check.C) {
 
 	command.PouchRun("stop", name).Assert(c, icmd.Success)
 }
+
+// TestStartWithCapability starts a container with capability.
+func (suite *PouchStartSuite) TestStartWithCapability(c *check.C) {
+	capability := "NET_ADMIN"
+	name := "start-capability"
+
+	res := command.PouchRun("create", "--name", name, "--cap-add", capability, busyboxImage, "brctl", "addbr", "foobar")
+	res.Assert(c, icmd.Success)
+	command.PouchRun("start", name).Assert(c, icmd.Success)
+}