Implement cap_add, cap_drop
Assigning individual capabilities is preferable to making containers privileged, so let's make that possible. Change-Id: I244e8e0543d92f4cdf9dbb085fff6e1cbb09a3d0
parent
48744077f3
commit
274cca0040
@ -73,8 +73,10 @@ class ComposeV1Builder(base.BaseBuilder):
'stop_grace_period', '--stop-timeout',
self.duration)
self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
# TODO(sbaker): add missing compose v1 properties:
# cap_add, cap_drop
# cgroup_parent
# devices
# dns, dns_search
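Review bot: The TODO block directly below the new `list_arg` calls still lists `# cap_add, cap_drop` among the missing compose v1 properties, which this change makes stale; the hunk header's line counts suggest that line was kept rather than removed, so drop it here. It would also help readers to state the semantics at the call site, e.g. `# cap_add/cap_drop are passed through verbatim; cap_add: [ALL] is effectively privileged`, since nothing in the builder filters the values. As far as I know both docker and podman apply drops before adds regardless of flag order, so `cap_drop: [ALL]` plus an explicit `cap_add` allowlist is the least-privilege form worth documenting. The enclosing method begins before this hunk and `list_arg` is defined elsewhere, so I cannot see how a scalar (non-list) value is handled.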
@ -62,5 +62,8 @@ class PodmanBuilder(base.BaseBuilder):
'stop_grace_period', '--stop-timeout',
self.duration)
self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
cmd.append(cconfig.get('image', ''))
cmd.extend(self.command_argument(cconfig.get('command')))
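Review bot: Nothing in the new `cap_add`/`cap_drop` lines relates them to the `privileged` option the same builder already emits (the tests in this commit combine `--privileged=true` with `--cap-drop=NET_RAW`), even though the commit message motivates capabilities as the alternative to privileged. As far as I know both podman and docker grant every capability under `--privileged`, so a configured `cap_drop` is silently ineffective in that combination; if the builder has a logger in scope, a warning when `privileged` is true alongside either list would make that visible, or at least a comment such as `# NOTE: cap_drop has no effect when privileged is set`. The enclosing method starts before this hunk.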
@ -457,7 +457,9 @@ three-12345678 three''', '', 0),
'ulimit': ['nofile=1024', 'nproc=1024'],
'volumes': ['/foo:/foo:rw', '/bar:/bar:ro'],
'volumes_from': ['two', 'three'],
'group_add': ['docker', 'zuul']
'group_add': ['docker', 'zuul'],
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = compose1.ComposeV1Builder('foo', config, None)
@ -473,6 +475,7 @@ three-12345678 three''', '', 0),
'--group-add=docker', '--group-add=zuul',
'--volume=/foo:/foo:rw', '--volume=/bar:/bar:ro',
'--volumes-from=two', '--volumes-from=three',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7', 'ls', '-l', '/foo'],
cmd
)
@ -37,7 +37,9 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
'env_file': '/tmp/foo.env',
'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
'cpu_shares': 600,
'security_opt': 'label:disable'
'security_opt': 'label:disable',
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = compose1.ComposeV1Builder('foo', config, None)
@ -53,6 +55,8 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
'--privileged=true', '--restart=always', '--user=bar',
'--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
'--cpu-shares=600',
'--security-opt=label:disable', 'centos:7'],
'--security-opt=label:disable',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7'],
cmd
)
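Review bot: The expected command now asserts `--privileged=true` (first line of the hunk) together with `--cap-add=SYS_ADMIN` and `--cap-drop=NET_RAW`, which only proves the flags are emitted, not that the combination is meaningful; under `--privileged` the drop is, as far as I know, ignored by the runtime. A fixture without `privileged` (or one with `cap_drop: ['ALL']` plus an explicit `cap_add` allowlist, the least-privilege form) would exercise the configuration users are actually expected to write. At minimum a comment on the fixture such as `# privileged plus cap_drop: checks flag emission only` would stop the pairing being copied as an example. The fixture dict this hunk asserts against is set up in the preceding hunk.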
@ -31,7 +31,9 @@ class TestPodmanBuilder(base.TestBaseBuilder):
'env_file': '/tmp/foo.env',
'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
'cpu_shares': 600,
'security_opt': 'label:disable'
'security_opt': 'label:disable',
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = podman.PodmanBuilder('foo', config, None)
@ -45,6 +47,8 @@ class TestPodmanBuilder(base.TestBaseBuilder):
'--uts=host', '--privileged=true', '--user=bar',
'--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
'--cpu-shares=600',
'--security-opt=label:disable', 'centos:7'],
'--security-opt=label:disable',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7'],
cmd
)
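Review bot: Both new podman expectations use list-valued `cap_add`/`cap_drop`; there is no case for a single scalar value (a bare `cap_add: SYS_ADMIN` slipping through from hand-written YAML) or an empty list, so whether `list_arg` tolerates those is unverified here and I cannot see its implementation from this hunk. A second fixture such as `'cap_add': 'SYS_ADMIN', 'cap_drop': []` with the expected single `--cap-add=SYS_ADMIN` and no `--cap-drop` would pin that behaviour for the podman builder. The fixture dict this hunk asserts against is set up in the preceding hunk.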