Add an option to add and drop capabilities in the Docker driver

client/driver/docker.go

@@ -22,6 +22,7 @@ import (
 	"github.com/docker/docker/cli/config/configfile"
 	"github.com/docker/docker/reference"
 	"github.com/docker/docker/registry"
+	"github.com/moby/moby/daemon/caps"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-plugin"
@@ -99,6 +100,9 @@ const (
 	dockerImageRemoveDelayConfigOption  = "docker.cleanup.image.delay"
 	dockerImageRemoveDelayConfigDefault = 3 * time.Minute
 
+	dockerCapsWhitelistConfigOption  = "docker.caps.whitelist"
+	dockerCapsWhitelistConfigDefault = dockerBasicCaps
+
 	// dockerTimeout is the length of time a request can be outstanding before
 	// it is timed out.
 	dockerTimeout = 5 * time.Minute
@@ -109,6 +113,9 @@ const (
 	// dockerAuthHelperPrefix is the prefix to attach to the credential helper
 	// and should be found in the $PATH. Example: ${prefix-}${helper-name}
 	dockerAuthHelperPrefix = "docker-credential-"
+
+	dockerBasicCaps = "CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD," +
+		"NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE"
 )
 
 type DockerDriver struct {
@@ -202,6 +209,8 @@ type DockerDriverConfig struct {
 	MacAddress       string              `mapstructure:"mac_address"`        // Pin mac address to container
 	SecurityOpt      []string            `mapstructure:"security_opt"`       // Flags to pass directly to security-opt
 	Devices          []DockerDevice      `mapstructure:"devices"`            // To allow mounting USB or other serial control devices
+	CapAdd           []string            `mapstructure:"cap_add"`            // Flags to pass directly to cap-add
+	CapDrop          []string            `mapstructure:"cap_drop"`           // Flags to pass directly to cap-drop
 }
 
 func sliceMergeUlimit(ulimitsRaw map[string]string) ([]docker.ULimit, error) {
@@ -304,6 +313,8 @@ func NewDockerDriverConfig(task *structs.Task, env *env.TaskEnv) (*DockerDriverC
 	dconf.ExtraHosts = env.ParseAndReplace(dconf.ExtraHosts)
 	dconf.MacAddress = env.ReplaceEnv(dconf.MacAddress)
 	dconf.SecurityOpt = env.ParseAndReplace(dconf.SecurityOpt)
+	dconf.CapAdd = env.ParseAndReplace(dconf.CapAdd)
+	dconf.CapDrop = env.ParseAndReplace(dconf.CapDrop)
 
 	for _, m := range dconf.SysctlRaw {
 		for k, v := range m {
@@ -644,6 +655,12 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 			"devices": {
 				Type: fields.TypeArray,
 			},
+			"cap_add": {
+				Type: fields.TypeArray,
+			},
+			"cap_drop": {
+				Type: fields.TypeArray,
+			},
 		},
 	}
 
@@ -1115,6 +1132,32 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
 	}
 	hostConfig.Privileged = driverConfig.Privileged
 
+	// set capabilities
+	hostCapsWhitelist := d.config.ReadDefault(dockerCapsWhitelistConfigOption, dockerCapsWhitelistConfigDefault)
+	hostCapsWhitelist = strings.ToLower(hostCapsWhitelist)
+	if !strings.Contains(hostCapsWhitelist, "all") {
+		effectiveCaps, err := caps.TweakCapabilities(
+			strings.Split(dockerBasicCaps, ","),
+			driverConfig.CapAdd,
+			driverConfig.CapDrop,
+		)
+		if err != nil {
+			return c, err
+		}
+		var missingCaps []string
+		for _, cap := range effectiveCaps {
+			cap = strings.ToLower(cap[len("CAP_"):])
+			if !strings.Contains(hostCapsWhitelist, cap) {
+				missingCaps = append(missingCaps, cap)
+			}
+		}
+		if len(missingCaps) > 0 {
+			return c, fmt.Errorf("Docker driver doesn't have the following caps whitelisted on this Nomad agent: %s", missingCaps)
+		}
+	}
+	hostConfig.CapAdd = driverConfig.CapAdd
+	hostConfig.CapDrop = driverConfig.CapDrop
+
 	// set SHM size
 	if driverConfig.ShmSize != 0 {
 		hostConfig.ShmSize = driverConfig.ShmSize

client/driver/docker_test.go

@@ -1048,6 +1048,37 @@ func TestDockerDriver_SecurityOpt(t *testing.T) {
 	}
 }
 
+func TestDockerDriver_Capabilities(t *testing.T) {
+	if !tu.IsTravis() {
+		t.Parallel()
+	}
+	if !testutil.DockerIsConnected(t) {
+		t.Skip("Docker not connected")
+	}
+
+	task, _, _ := dockerTask(t)
+	task.Config["cap_add"] = []string{"ALL"}
+	task.Config["cap_drop"] = []string{"MKNOD", "NET_ADMIN"}
+
+	client, handle, cleanup := dockerSetup(t, task)
+	defer cleanup()
+
+	waitForExist(t, client, handle)
+
+	container, err := client.InspectContainer(handle.ContainerID())
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if !reflect.DeepEqual(task.Config["cap_add"], container.HostConfig.CapAdd) {
+		t.Errorf("CapAdd doesn't match.\nExpected:\n%s\nGot:\n%s\n", task.Config["cap_add"], container.HostConfig.CapAdd)
+	}
+
+	if !reflect.DeepEqual(task.Config["cap_drop"], container.HostConfig.CapDrop) {
+		t.Errorf("CapDrop doesn't match.\nExpected:\n%s\nGot:\n%s\n", task.Config["cap_drop"], container.HostConfig.CapDrop)
+	}
+}
+
 func TestDockerDriver_DNS(t *testing.T) {
 	if !tu.IsTravis() {
 		t.Parallel()

website/source/docs/drivers/docker.html.md

@@ -324,6 +324,32 @@ The `docker` driver supports the following configuration in the job spec.  Only
     }
     ```
 
+* `cap_add` - (Optional) A list of string flags to pass directly to
+  [`--cap-add`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
+  For example:
+
+
+    ```hcl
+    config {
+      cap_add = [
+        "SYS_TIME",
+      ]
+    }
+    ```
+
+* `cap_drop` - (Optional) A list of string flags to pass directly to
+  [`--cap-drop`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
+  For example:
+
+
+    ```hcl
+    config {
+      cap_drop = [
+        "MKNOD",
+      ]
+    }
+    ```
+
 ### Container Name
 
 Nomad creates a container after pulling an image. Containers are named