Revert "Add capabilities list to container specification"

This reverts commit 18d9170. This is reverted to replace with a different model since a full cap list specified on clients means the client must specify the base cap spec for nodes it may not know about. Instead we intend to split this into add/drop lists.
moby · Jul 16, 2020 · 8c7b14d · 8c7b14d
1 parent 967c829
commit 8c7b14d
Show file tree

Hide file tree

Showing 7 changed files with 141 additions and 317 deletions.
diff --git a/agent/exec/dockerapi/container.go b/agent/exec/dockerapi/container.go
@@ -209,7  209,6 @@ func (c *containerConfig) hostConfig() *enginecontainer.HostConfig {
 		PortBindings: c.portBindings(),
 		Init:         c.init(),
 		Isolation:    c.isolation(),
-		Capabilities: c.spec().Capabilities,
 	}
 
 	// The format of extra hosts on swarmkit is specified in:

diff --git a/agent/exec/dockerapi/container_test.go b/agent/exec/dockerapi/container_test.go
@@ -256,23  256,3 @@ func TestIsolation(t *testing.T) {
 		t.Fatalf("expected %s, got %s", expected, actual)
 	}
 }
-
-func TestCapabilities(t *testing.T) {
-	c := containerConfig{
-		task: &api.Task{
-			Spec: api.TaskSpec{
-				Runtime: &api.TaskSpec_Container{
-					Container: &api.ContainerSpec{
-						Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
-					},
-				},
-			},
-		},
-	}
-
-	expected := []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}
-	actual := c.hostConfig().Capabilities
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("expected %s, got %s", expected, actual)
-	}
-}
diff --git a/api/api.pb.txt b/api/api.pb.txt
@@ -5067,13  5067,6 @@ file {
       type_name: ".docker.swarmkit.v1.ContainerSpec.SysctlsEntry"
       json_name: "sysctls"
     }
-    field {
-      name: "capabilities"
-      number: 27
-      label: LABEL_REPEATED
-      type: TYPE_STRING
-      json_name: "capabilities"
-    }
     nested_type {
       name: "LabelsEntry"
       field {

diff --git a/api/specs.pb.go b/api/specs.pb.go
diff --git a/api/specs.proto b/api/specs.proto
@@ -355,9  355,6 @@ message ContainerSpec {
 	//
 	// https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime
 	map<string, string> sysctls = 26;
-
-	// Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities)
-	repeated string capabilities = 27;
 }
 
 // EndpointSpec defines the properties that can be configured to

diff --git a/cmd/swarmctl/service/flagparser/capability.go b/cmd/swarmctl/service/flagparser/capability.go
diff --git a/cmd/swarmctl/service/update.go b/cmd/swarmctl/service/update.go
@@ -54,13  54,6 @@ var (
 				return err
 			}
 
-			if err := flagparser.ParseAddCapability(cmd, spec, "add-capability"); err != nil {
-				return err
-			}
-			if err := flagparser.ParseRemoveCapability(cmd, spec, "rm-capability"); err != nil {
-				return err
-			}
-
 			if reflect.DeepEqual(spec, &service.Spec) {
 				return errors.New("no changes detected")
 			}
@@ -84,8  77,6 @@ func init() {
 	updateCmd.Flags().StringSlice("rm-secret", nil, "remove a secret from the service")
 	updateCmd.Flags().StringSlice("add-config", nil, "add a new config to the service")
 	updateCmd.Flags().StringSlice("rm-config", nil, "remove a config from the service")
-	updateCmd.Flags().StringSlice("add-capability", nil, "add a new capability to the service")
-	updateCmd.Flags().StringSlice("rm-capability", nil, "remove a capability from the service")
 	updateCmd.Flags().Bool("force", false, "force tasks to restart even if nothing has changed")
 	flagparser.AddServiceFlags(updateCmd.Flags())
 }