
Add CLI flags for Swarm Service seccomp, AppArmor, and no-new-privileges #5698

Draft
wants to merge 2 commits into base: master

Conversation

dperny
Contributor

@dperny dperny commented Dec 16, 2024

- What I did

Add 3 flags to the docker service create and docker service update CLI commands to support the security options in moby/moby#46386.

  • --apparmor allows setting AppArmor to default or disabled.
  • --no-new-privileges does what it says on the tin
  • --seccomp allows either default, unconfined, or a file name of a JSON file with a custom seccomp profile.

- How I did it

Added CLI flags in the standard way. Mostly boilerplate.

- How to verify it

Added tests for the flags.

- Description for the changelog

* Added `--apparmor` flag to `docker service create` and `docker service update`. Allows configuring AppArmor as `default` or `disabled`.
* Added `--no-new-privileges` flag to `docker service create` and `docker service update`.
* Added `--seccomp` flag to `docker service create` and `docker service update`. Allows setting seccomp to `default`, `unconfined`, or a custom profile.

@codecov-commenter

codecov-commenter commented Dec 16, 2024

Codecov Report

Attention: Patch coverage is 84.00000% with 12 lines in your changes missing coverage. Please review.

Project coverage is 59.59%. Comparing base (91d097e) to head (b10de33).
Report is 12 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5698      +/-   ##
==========================================
+ Coverage   59.51%   59.59%   +0.07%     
==========================================
  Files         346      346              
  Lines       29379    29451      +72     
==========================================
+ Hits        17486    17551      +65     
- Misses      10923    10928       +5     
- Partials      970      972       +2     

Comment on lines 376 to 379
const testJson = `{
"json": "you betcha"
}
`
Member


Looks like the linter complains on this one;

68.89 cli/command/service/opts_test.go:376:7: ST1003: const testJson should be testJSON (stylecheck)
68.89 const testJson = `{
68.89       ^

Member

@thaJeztah thaJeztah Dec 16, 2024


Looks like this const is only used in the test below, so perhaps consider defining the const inside that test. Given that it's a very small JSON, perhaps put it on one line?

const testJSON = `{"json": "you betcha"}`

Oh; I guess that also means changing the file to be the same, well 😂

dperny force-pushed the add-seccomp-apparmor-swarm branch from 7ce478b to c1cec5b (December 17, 2024 13:23)
Adds CLI flags for setting some security options on services:

* --seccomp to set seccomp mode or custom profile
* --apparmor to default or disable apparmor
* --no-new-privileges, same as with containers

Signed-off-by: Drew Erny <derny@mirantis.com>
DO NOT MERGE. Also I'll probably forget to redo this commit message even
after this is merge ready but still DO NOT MERGE until I fix it.

Adds seccomp, apparmor, and no-new-privileges flags to docker compose
for docker stack command

Signed-off-by: Drew Erny <derny@mirantis.com>
dperny force-pushed the add-seccomp-apparmor-swarm branch from c1cec5b to b10de33 (December 17, 2024 13:27)
@dperny
Copy link
Contributor Author

dperny commented Dec 17, 2024

What is done:

  • All CLI flags
  • Compose file parsing

What needs to be done still:

  • Error messages for bad flag values in CLI
  • Evaluate possible problems with reading seccomp JSON file with os.ReadFile
  • Compose type conversion (Compose -> Docker API types)
  • Come up with way to ingest seccomp JSON file with Compose

What I have up now is ready for review, even in its incomplete state, but not ready for merging.
