Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: clarify capabilities options for docker driver #16693

Merged
merged 1 commit into from
Mar 28, 2023
Merged

docs: clarify capabilities options for docker driver #16693

merged 1 commit into from
Mar 28, 2023

Conversation

tgross
Copy link
Member

@tgross tgross commented Mar 28, 2023

Closes #16692

The docker driver cannot expand capabilities beyond the default set when the task is a non-root user. Clarify this in the documentation of allow_caps and update the cap_add and cap_drop to match the exec driver, which has more clear language overall.

@tgross
docs: clarify capabilities options for docker driver
3a3374d 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.
@tgross tgross requested a review from shoenig March 28, 2023 15:55
@tgross tgross added theme/docs Documentation issues and enhancements backport/1.3.x backport to 1.3.x release line backport/1.4.x backport to 1.4.x release line backport/1.5.x backport to 1.5.x release line theme/driver/docker labels Mar 28, 2023
@tgross tgross requested a review from lgfa29 March 28, 2023 16:11
lgfa29
lgfa29 approved these changes Mar 28, 2023
View reviewed changes
Copy link
Contributor

@lgfa29 lgfa29 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to fingerprint the client's capabilities? It seems like this would fail silently so being able to add a constraint when a specific cap_add is needed could be useful.

@tgross
Copy link
Member Author

tgross commented Mar 28, 2023

Would it make sense to fingerprint the client's capabilities? It seems like this would fail silently so being able to add a constraint when a specific cap_add is needed could be useful.

It might. The cap_add is in the task config block that we don't look into server-side. You'd need to manually add the constraint. (See similar issues like #9063 #9551). So right now it fails client-side during task driver start.

@tgross tgross merged commit 43e2541 into main Mar 28, 2023
@tgross tgross deleted the docs-capabilities branch March 28, 2023 17:32
This was referenced Mar 28, 2023
Merged
Merged
Merged
tgross added a commit that referenced this pull request Mar 28, 2023
@tgross
docs: clarify capabilities options for docker driver (#16693)
22a360c 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.
tgross added a commit that referenced this pull request Mar 28, 2023
@tgross
docs: clarify capabilities options for docker driver (#16693)
de880f7 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.
tgross added a commit that referenced this pull request Mar 28, 2023
@hc-github-team-nomad-core @tgross
docs: clarify capabilities options for docker driver (#16693) (#16699)
4fad037 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.

Co-authored-by: Tim Gross <[email protected]>
tgross added a commit that referenced this pull request Mar 28, 2023
@hc-github-team-nomad-core @tgross
docs: clarify capabilities options for docker driver (#16693) (#16700)
528cee4 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.

Co-authored-by: Tim Gross <[email protected]>
tgross added a commit that referenced this pull request Apr 28, 2023
@tgross
docs: clarify capabilities options for docker driver (#16693)
06513e7 
The `docker` driver cannot expand capabilities beyond the default set when the
task is a non-root user. Clarify this in the documentation of `allow_caps` and
update the `cap_add` and `cap_drop` to match the `exec` driver, which has more
clear language overall.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lgfa29 lgfa29 lgfa29 approved these changes

@shoenig shoenig Awaiting requested review from shoenig

Assignees
No one assigned
Labels
backport/1.3.x backport to 1.3.x release line backport/1.4.x backport to 1.4.x release line backport/1.5.x backport to 1.5.x release line theme/docs Documentation issues and enhancements theme/driver/docker
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

docker driver allow_caps and cap_add don't work as documented (fails closed)
2 participants
@tgross @lgfa29