Merge pull request #623 from TFenby/capabilities

Add capability add/drop introduced in Docker 1.2
2014-12-08 21:24:02 +00:00 · 2014-12-08 21:24:02 +00:00 · 9a04ae0ddf
parent 429a3feabc 5c58180538
commit 9a04ae0ddf
3 changed files with 31 additions and 3 deletions
--- a/docs/yml.md
+++ b/docs/yml.md
@ -142,6 +142,20 @@ dns:
  - 9.9.9.9
 ```

+### cap_add, cap_drop
+
+Add or drop container capabilities.
+See `man 7 capabilities` for a full list.
+
+```
+cap_add:
+  - ALL
+
+cap_drop:
+  - NET_ADMIN
+  - SYS_ADMIN
+```
+
 ### working\_dir, entrypoint, user, hostname, domainname, mem\_limit, privileged, restart

 Each of these is a single value, analogous to its [docker run](https://docs.docker.com/reference/run/) counterpart.
--- a/fig/service.py
+++ b/fig/service.py
@ -15,7 +15,7 @@ from .progress_stream import stream_output, StreamOutputError
 log = logging.getLogger(__name__)


-DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'domainname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'entrypoint', 'privileged', 'volumes_from', 'net', 'working_dir', 'restart']
+DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'domainname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'entrypoint', 'privileged', 'volumes_from', 'net', 'working_dir', 'restart', 'cap_add', 'cap_drop']
 DOCKER_CONFIG_HINTS = {
    'link'      : 'links',
    'port'      : 'ports',
@ -261,6 +261,8 @@ class Service(object):
        privileged = options.get('privileged', False)
        net = options.get('net', 'bridge')
        dns = options.get('dns', None)
+        cap_add = options.get('cap_add', None)
+        cap_drop = options.get('cap_drop', None)

        restart = parse_restart_spec(options.get('restart', None))

@ -272,7 +274,9 @@ class Service(object):
            privileged=privileged,
            network_mode=net,
            dns=dns,
-            restart_policy=restart
+            restart_policy=restart,
+            cap_add=cap_add,
+            cap_drop=cap_drop,
        )
        return container

@ -379,7 +383,7 @@ class Service(object):
            container_options['image'] = self._build_tag_name()

        # Delete options which are only used when starting
-        for key in ['privileged', 'net', 'dns', 'restart']:
+        for key in ['privileged', 'net', 'dns', 'restart', 'cap_add', 'cap_drop']:
            if key in container_options:
                del container_options[key]

--- a/tests/integration/service_test.py
+++ b/tests/integration/service_test.py
@ -376,6 +376,16 @@ class ServiceTest(DockerClientTestCase):
        self.assertEqual(container['HostConfig']['RestartPolicy']['Name'], 'on-failure')
        self.assertEqual(container['HostConfig']['RestartPolicy']['MaximumRetryCount'], 5)

+    def test_cap_add_list(self):
+        service = self.create_service('web', cap_add=['SYS_ADMIN', 'NET_ADMIN'])
+        container = service.start_container().inspect()
+        self.assertEqual(container['HostConfig']['CapAdd'], ['SYS_ADMIN', 'NET_ADMIN'])
+
+    def test_cap_drop_list(self):
+        service = self.create_service('web', cap_drop=['SYS_ADMIN', 'NET_ADMIN'])
+        container = service.start_container().inspect()
+        self.assertEqual(container['HostConfig']['CapDrop'], ['SYS_ADMIN', 'NET_ADMIN'])
+
    def test_working_dir_param(self):
        service = self.create_service('container', working_dir='/working/dir/sample')
        container = service.create_container().inspect()