Option to set kernel capabilities on service update

crazy-max · Jul 17, 2022 · decfd1b · decfd1b
1 parent d3b448a
commit decfd1b
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 2 deletions.
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -34,7 +34,7 @@ jobs:
           echo ::set-output name=build_tag::swarm-cronjob:local
           echo ::set-output name=service_name::swarm-cronjob
           echo ::set-output name=running_timeout::120
-          echo ::set-output name=running_log_check::Number of cronjob tasks: 7
+          echo ::set-output name=running_log_check::Number of cronjob tasks: 8
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -61,6 +61,7 @@ jobs:
           docker stack deploy global -c test/global.yml
           docker stack deploy more_replicas -c test/more_replicas.yml
           docker stack deploy query -c test/query.yml
+          docker stack deploy cap -c test/cap.yml
       -
         name: Create service
         run: |

diff --git a/docs/usage/docker-labels.md b/docs/usage/docker-labels.md
@@ -10,3 +10,4 @@ You can configure your service using swarm-cronjob through Docker labels:
 | `swarm.cronjob.replicas`       | `1`     | Number of replicas to set on schedule in `replicated` mode.                                                        |
 | `swarm.cronjob.registry-auth`  | `false` | Send registry authentication details to Swarm agents.                                                              |
 | `swarm.cronjob.query-registry` |         | Indicates whether the service update requires contacting a registry                                                |
+| `swarm.cronjob.capabilities`   |         | Comma separated list of kernel capabilities to add to the default set when service is updated                      |
diff --git a/internal/app/app.go b/internal/app/app.go
@@ -3,14 +3,15 @@ package app
 import (
 	"context"
 	"strconv"
+	"strings"
 
 	"github.com/crazy-max/swarm-cronjob/internal/docker"
 	"github.com/crazy-max/swarm-cronjob/internal/model"
 	"github.com/crazy-max/swarm-cronjob/internal/worker"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/mitchellh/mapstructure"
-	"github.com/robfig/cron/v3"
+	cron "github.com/robfig/cron/v3"
 	"github.com/rs/zerolog/log"
 )
 
@@ -157,6 +158,8 @@ func (sc *SwarmCronjob) crudJob(serviceName string) (bool, error) {
 				log.Error().Str("service", service.Name).Err(err).Msgf("Cannot parse %s value of label %s", labelValue, labelKey)
 			}
 			wc.Job.QueryRegistry = &queryRegistry
+		case "swarm.cronjob.capabilities":
+			wc.Job.Capabilities = strings.Split(labelValue, ",")
 		case "swarm.cronjob.scaledown":
 			if labelValue == "true" {
 				log.Debug().Str("service", service.Name).Msg("Scale down detected. Skipping cronjob")

diff --git a/internal/model/worker.go b/internal/model/worker.go
@@ -8,5 +8,6 @@ type Job struct {
 	SkipRunning   bool
 	RegistryAuth  bool
 	QueryRegistry *bool
+	Capabilities  []string
 	Replicas      uint64
 }
diff --git a/internal/worker/worker.go b/internal/worker/worker.go
@@ -66,6 +66,9 @@ func (c *Client) Run() {
 	// Set ForceUpdate with Version to ensure update
 	serviceUp.Spec.TaskTemplate.ForceUpdate = serviceUp.Version.Index
 
+	// Add capabilities
+	serviceUp.Spec.TaskTemplate.ContainerSpec.CapabilityAdd = c.Job.Capabilities
+
 	// Update options
 	updateOpts := types.ServiceUpdateOptions{}
 	if c.Job.RegistryAuth {

diff --git a/test/cap.yml b/test/cap.yml
@@ -0,0 +1,16 @@
+version: "3.8"
+
+services:
+  test:
+    image: alpine:edge
+    command: >
+      /bin/sh -c "apk add libcap-utils && capsh --print | grep Current: | cut -d' ' -f2"
+    deploy:
+      replicas: 0
+      labels:
+        - "swarm.cronjob.enable=true"
+        - "swarm.cronjob.schedule=*/5 * * * * *"
+        - "swarm.cronjob.skip-running=true"
+        - "swarm.cronjob.capabilities=NET_ADMIN"
+    cap_add:
+      - NET_ADMIN