diff --git a/php/containers-schema.json b/php/containers-schema.json
index 40dcc16db17f..538593fd81b4 100644
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@@ -21,6 +21,12 @@
 "type": "string"
 }
 },
+ "cap_add": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
 "depends_on": {
 "type": "array",
 "items": {
diff --git a/php/containers.json b/php/containers.json
index a02946560904..908ef710bf44 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -318,6 +318,9 @@
 ],
 "devices": [
 "/dev/fuse"
+ ],
+ "cap_add": [
+ "SYS_ADMIN"
 ]
 },
 {
@@ -411,7 +414,10 @@
 "environment": [
 "TZ=%TIMEZONE%"
 ],
- "restart": "unless-stopped"
+ "restart": "unless-stopped",
+ "cap_add": [
+ "CAP_SYS_NICE"
+ ]
 },
 {
 "container_name": "nextcloud-aio-fulltextsearch",
diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php
index c7ff5cf79559..e30e86749b49 100644
--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@@ -23,6 +23,8 @@ class Container {
 private array $secrets;
 /** @var string[] */
 private array $devices;
+ /** @var string[] */
+ private array $capAdd;
 private DockerActionManager $dockerActionManager;
 
 public function __construct(
@@ -38,6 +40,7 @@ public function __construct(
 array $dependsOn,
 array $secrets,
 array $devices,
+ array $capAdd,
 DockerActionManager $dockerActionManager
 ) {
 $this->identifier = $identifier;
@@ -52,6 +55,7 @@ public function __construct(
 $this->dependsOn = $dependsOn;
 $this->secrets = $secrets;
 $this->devices = $devices;
+ $this->capAdd = $capAdd;
 $this->dockerActionManager = $dockerActionManager;
 }
 
@@ -83,6 +87,10 @@ public function GetDevices() : array {
 return $this->devices;
 }
 
+ public function GetCapAdds() : array {
+ return $this->capAdd;
+ }
+
 public function GetPorts() : ContainerPorts {
 return $this->ports;
 }
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
index 4789bbfa044a..b903169e49a8 100644
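Review bot: The new `cap_add` item schema accepts any string, yet the value is handed verbatim to Docker's `HostConfig.CapAdd` by `DockerActionManager::CreateContainer` later in this commit. A `pattern` on the item, e.g. `"pattern": "^(CAP_)?[A-Z0-9_]+$"`, would reject typos and stray whitespace at schema-validation time instead of (presumably) at container creation as a Docker API error. If containers.json is validated against this schema in CI, that check is also the natural place for an allowlist of permitted capabilities, so that a broad capability cannot be added to a container entry unnoticed.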
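Review bot: The two containers.json hunks spell capabilities differently: this entry uses `SYS_ADMIN` while the second hunk uses `CAP_SYS_NICE`. Docker tolerates both forms as far as I know, but one convention keeps the file greppable and lets a schema pattern be strict; the form without the `CAP_` prefix is what the removed hard-coded `["SYS_ADMIN"]` in DockerActionManager.php used, so `SYS_NICE` would be the consistent choice. The `container_name` of this entry lies outside the hunk; the `/dev/fuse` device together with the removal of the hard-coded grant suggests it is the borgbackup container, which would make this hunk a relocation of an existing privilege rather than a new one — worth confirming in the description.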
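Review bot: `GetCapAdds()` is declared as `: array` with no element-type docblock, while the `$capAdd` property it returns carries `/** @var string[] */`; add `/** @return string[] */` above the method so static analysis and callers see the same contract as the property. The accessor's plural name also diverges from the property and constructor parameter (`capAdd`); naming all three the same would mirror how `devices` and `GetDevices` are paired just above in the same class.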
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@@ -213,6 +213,11 @@ private function GetDefinition(bool $latest): array
 $devices = $entry['devices'];
 }
 
+ $capAdd = [];
+ if (isset($entry['cap_add'])) {
+ $capAdd = $entry['cap_add'];
+ }
+
 $containers[] = new Container(
 $entry['container_name'],
 $displayName,
@@ -226,6 +231,7 @@ private function GetDefinition(bool $latest): array
 $dependsOn,
 $secrets,
 $devices,
+ $capAdd,
 $this->container->get(DockerActionManager::class)
 );
 }
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index b22ca0327516..3e5f7defc990 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -411,9 +411,13 @@ public function CreateContainer(Container $container) : void {
 $requestBody['HostConfig']['Devices'] = $devices;
 }
 
+ $capAdds = $container->GetCapAdds();
+ if (count($capAdds) > 0) {
+ $requestBody['HostConfig']['CapAdd'] = $capAdds;
+ }
+
 // Special things for the backup container which should not be exposed in the containers.json
 if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') {
- $requestBody['HostConfig']['CapAdd'] = ["SYS_ADMIN"];
 $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
 
 // Additional backup directories
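Review bot: The added `isset` block reduces to the single line `$capAdd = $entry['cap_add'] ?? [];`, with the same result (a missing or null key yields `[]`). The `devices` handling visible just above uses the same four-line pattern, so either keep this for consistency or convert both in one go. Nothing here checks that the elements are strings: `Container`'s `array $capAdd` parameter enforces only the outer type, so a non-string element would surface, if at all, only when the Docker request is built. `GetDefinition` begins and ends outside the hunk.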
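Review bot: After this hunk the borgbackup branch still hard-codes `apparmor:unconfined` while the `SYS_ADMIN` it used to set is now expected to arrive via `GetCapAdds()` from containers.json, and nothing in the function ties the two together, so a reader of this branch will assume the capability was dropped. Put a comment where the removed line stood, e.g. `// SYS_ADMIN for this container is declared via cap_add in containers.json`, or move the SecurityOpt into the data file as well so a container's full privilege set is visible in one place. Since capability grants are now data-driven, logging the effective `CapAdd` list at creation time would give operators an audit trail of which containers run with extra capabilities. `CreateContainer` continues past the end of the hunk.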