feature: capability for both cri manager and container manager

[YaoZengzeng]

Signed-off-by: YaoZengzeng [email protected]

1.Describe what this PR did

With this PR, we could scope the capability of containers.

2.Does this pull request fix one issue?

3.Describe how you did it

4.Describe how to verify it

root@pouch-ubuntu:/home/monster# pouch run busybox:1.26 brctl addbr foobar
brctl: bridge foobar: Operation not permitted
root@pouch-ubuntu:/home/monster# pouch run --cap-add NET_ADMIN busybox:1.26 brctl addbr foobar
root@pouch-ubuntu:/home/monster# 

5.Special notes for reviews

There are some problems with container manager's StartExec method, we couldn't pass the corresponding tests in cri-tools.

I'll fix it ASAP :)

[allencloud]

FAIL: /go/src/github.com/alibaba/pouch/test/cli_create_test.go:170: PouchCreateSuite.TestCreateWithCapability
/go/src/github.com/alibaba/pouch/test/cli_create_test.go:183:
    c.Assert(result.HostConfig.CapAdd, nil)
... Assert(obtained, nil!?, ...):
... Oops.. you've provided a nil checker!

[allencloud]

What kind of this license is it?
It is some kind of different from some usual others.

[codecov-io]

Codecov Report

Merging #680 into master will decrease coverage by 0.04%.
The diff coverage is 0%.

@@            Coverage Diff            @@
##           master    #680      +/-   ##
=========================================
- Coverage   10.01%   9.97%   -0.05%     
=========================================
  Files          92      92              
  Lines        5353    5375      +22     
=========================================
  Hits          536     536              
- Misses       4767    4789      +22     
  Partials       50      50

Impacted Files	Coverage Δ
daemon/mgr/spec.go	0% <ø> (ø)	⬆️
cli/run.go	0% <0%> (ø)	⬆️
daemon/mgr/cri_utils.go	46.95% <0%> (-0.52%)	⬇️
daemon/mgr/spec_linux.go	0% <0%> (ø)	⬆️
cli/create.go	0% <0%> (ø)	⬆️
cli/container.go	25.6% <0%> (-0.32%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4b6bb67...e086274. Read the comment docs.

[YaoZengzeng]

@allencloud updated.

[allencloud]

Could you add this flag in pouch command line as well?
I found that in cli, there is no privileged flag. @YaoZengzeng

[YaoZengzeng]

Actually we could see meta.HostConfig.Privileged in many places associated with security.

I'll use an independent PR to handle it once the security options are complete.

[allencloud]

else if caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Effective, meta.HostConfig.CapAdd, meta.HostConfig.CapDrop); err != nil{
        return err
}

How about this?

[YaoZengzeng]

s.Process.Capabilities.Effective is the default capability list. The function here is used to modify it with Capability add-list and drop-list.

[allencloud]

I said that maybe we can use else if to reduce an ident. 😄

[YaoZengzeng]

Oh! Yes, it is more clear.

[allencloud]

I think in this function, we do not need to always use s.Process.Capabilities. We can use caps := s.Process. Capabilities at the very beginning in the function. Then we can use caps.Effective = caplist very simply. Since Capabilities *LinuxCapabilities is a pointer, then we do not worry about another copy or same address thing. And it will make code more clear. WDYT? @YaoZengzeng

We just wish that the data used to communicate among modules or functions should be minimal, so we could encapsulate date transfer very well.

[YaoZengzeng]

Agree :)

[allencloud]

LGTM generally. One data transferring issue and a privileged flag. If privileged flag is in your plan but in a follow-up, it is totally OK.

[YaoZengzeng]

@allencloud updated.

[allencloud]

re-LGTM