Add CLI flags for Swarm Service seccomp, AppArmor, and no-new-privileges

Open dperny opened this issue 1 year ago • 3 comments

- What I did

Add 3 flags to the docker service create and docker service update CLI commands to support the security options in moby/moby#46386.

  • --apparmor allows setting AppArmor to default or disabled.
  • --no-new-privileges does what it says on the tin
  • --seccomp allows either default, unconfined, or a file name of a JSON file with a custom seccomp profile.

- How I did it

Added CLI flags in the standard way. Mostly boilerplate.

- How to verify it

Added tests for the flags.

- Description for the changelog

* Added `--apparmor` flag to `docker service create` and `docker service update`. Allows configuring AppArmor as `default` or `disabled`.
* Added `--no-new-privileges` flag to `docker service create` and `docker service update`.
* Added `--seccomp` flag to `docker service create` and `docker service update`. Allows setting seccomp to `default`, `unconfined`, or a custom profile.

dperny avatar Dec 16 '24 15:12 dperny

Codecov Report

Attention: Patch coverage is 87.36842% with 12 lines in your changes missing coverage. Please review.

Project coverage is 59.61%. Comparing base (b462778) to head (dc75d4b). Report is 19 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5698      +/-   ##
==========================================
+ Coverage   59.51%   59.61%   +0.09%     
==========================================
  Files         346      346              
  Lines       29376    29466      +90     
==========================================
+ Hits        17483    17566      +83     
- Misses      10923    10928       +5     
- Partials      970      972       +2     

codecov-commenter avatar Dec 16 '24 15:12 codecov-commenter

What is done:

  • [x] All CLI flags
  • [x] Compose file parsing

What needs to be done still:

  • [x] Error messages for bad flag values in CLI
  • [ ] Evaluate possible problems with reading seccomp JSON file with os.ReadFile
  • [x] Compose type conversion (Compose -> Docker API types)
  • [x] Come up with way to ingest seccomp JSON file with Compose

What I have up now is ready for review, even in its incomplete state, but not ready for merging.

dperny avatar Dec 17 '24 13:12 dperny

Hey, what's the ETA on this? If you guys don't have anything else on your plates, can this be a priority for approval?

I think we don't need to condition the ingested file on size, but we should return an error on permissions and location mismatch.

furaar avatar Mar 30 '25 19:03 furaar
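The flag semantics from the PR description (literal values for `--apparmor`, and `default`/`unconfined`/profile-file for `--seccomp`) together with the open items from the thread (reading the profile with `os.ReadFile`, reporting bad flag values and permission failures as errors), shown as one added Go example. This is not the PR's code and not a docker/cli API: `SeccompOpts`, `ParseSeccompFlag` and `ParseAppArmorFlag` are hypothetical helpers, and the sample profile is constructed. Following the thread, the file is read whole with no size cap; the point is that read errors (not found, permission denied) and malformed or incomplete JSON are rejected at the CLI with a message naming the cause, rather than being passed to the daemon.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// SeccompOpts is a hypothetical stand-in for what the CLI would hand to the
// API: the mode, plus the raw profile text when a custom file was given.
type SeccompOpts struct {
	Mode    string // "default", "unconfined" or "custom"
	Profile string // raw JSON of the custom profile, empty otherwise
}

// ParseSeccompFlag maps a --seccomp value to SeccompOpts. The literal values
// "default" and "unconfined" pass through; anything else is treated as a path
// to a JSON profile. Read and decode failures are wrapped so the user sees the
// underlying cause (e.g. a permission denial) instead of a generic message.
func ParseSeccompFlag(value string) (SeccompOpts, error) {
	switch value {
	case "":
		return SeccompOpts{}, errors.New("--seccomp: value must not be empty")
	case "default", "unconfined":
		return SeccompOpts{Mode: value}, nil
	}
	data, err := os.ReadFile(value) // whole file, no size cap, as discussed in the thread
	if err != nil {
		return SeccompOpts{}, fmt.Errorf("--seccomp: cannot read profile %q: %w", value, err)
	}
	// A seccomp profile is a JSON object with at least a defaultAction; checking
	// that here turns a daemon-side failure into an immediate, specific CLI error.
	var profile struct {
		DefaultAction string `json:"defaultAction"`
	}
	if err := json.Unmarshal(data, &profile); err != nil {
		return SeccompOpts{}, fmt.Errorf("--seccomp: profile %q is not valid JSON: %w", value, err)
	}
	if profile.DefaultAction == "" {
		return SeccompOpts{}, fmt.Errorf("--seccomp: profile %q has no defaultAction", value)
	}
	return SeccompOpts{Mode: "custom", Profile: string(data)}, nil
}

// ParseAppArmorFlag accepts only the two documented --apparmor values.
func ParseAppArmorFlag(value string) (string, error) {
	if value == "default" || value == "disabled" {
		return value, nil
	}
	return "", fmt.Errorf("--apparmor: invalid value %q (expected \"default\" or \"disabled\")", value)
}

func main() {
	// Constructed sample profile, written to a temp file so the example runs offline.
	tmp, err := os.CreateTemp("", "seccomp-*.json")
	if err != nil {
		panic(err)
	}
	defer os.Remove(tmp.Name())
	const sample = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","write","exit_group"],"action":"SCMP_ACT_ALLOW"}]}`
	if _, err := tmp.WriteString(sample); err != nil {
		panic(err)
	}
	_ = tmp.Close()

	for _, v := range []string{"default", "unconfined", tmp.Name(), "/no/such/profile.json", ""} {
		opts, err := ParseSeccompFlag(v)
		fmt.Printf("--seccomp=%q -> mode=%q err=%v\n", v, opts.Mode, err)
	}
	for _, v := range []string{"default", "disabled", "complain"} {
		mode, err := ParseAppArmorFlag(v)
		fmt.Printf("--apparmor=%q -> %q err=%v\n", v, mode, err)
	}
}
```

Because the wrapped error keeps the original `*os.PathError`, a caller can still distinguish a missing file from a permission problem with `errors.Is(err, os.ErrNotExist)` or `errors.Is(err, os.ErrPermission)` and word the CLI message accordingly.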