-
Notifications
You must be signed in to change notification settings - Fork 617
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for privileged mode #3072
Conversation
Signed-off-by: Olli Janatuinen <[email protected]>
Signed-off-by: Olli Janatuinen <[email protected]>
af189fa
to
22f4dea
Compare
@dperny PTAL |
I think this might be useful as a stopgap for people waiting for apparmor support, see moby/moby#41371 |
Having this in the next release of moby/moby would be really helpful and to me this looks simple enough to be merged. |
Adding my voice to those who want this merged |
@thaJeztah PTAL |
Judging from the am amount of upvotes, this feels like something to be addressed. Does this PR make sense for the project? |
I think it"s worth considering; there are a number of things I personally have been looking into plumbing recently:
As the keen-eyed may have noticed, the road to 23.0.0 has been painful and has sucked up most of the bandwidth of the project. I hope that we"ll have a lot more energy to focus on Swarm in general once the release hangover and follow-up patch releases are over, myself. |
@neersighted I created this PR with hope that it would be early enough for 23.0.0 (as it would a lot of people happy) but because that was not the case we most probably should set as a target to get whole lost mentioned on moby/moby#25303 to be implemented on swarm mode on next major version as after all it is not that much code which is missing. |
@neersighted i must say your comment makes me really happy. Take your time. Such a huge Release after such a long time must be really painful. I think I speak for everyone interested in swarm when I say that we really appreciate the new energy around swarm. The last thing we want is you guys burning out on this. Let us know how we, the community, can help. |
I"m really happy with all this swarm come back! Looking forward to the coming features. |
@olljanat mentioned maintainers. #1030 @thaJeztah mentioned he is not a maintainer. #3036 Who is a maintainer? Who is responsible? Who is controlling the fate of Docker Swarm? It doesn"t look like Mirantis is doing much besides blog posts for their paid service. How to get this seemingly ready pull request merged? What is blocking? |
@bluepuma77 people in this thread (@neersighted ) are from Mirantis - so they are on our (the community"s) side :) As mentioned above, this was a huge release. Let"s not stress people out by asking too much right out of the start. Also, there is a lot of work being done on the technical side for swarm (CI pipelines have been modernized, networking fixes over at moby/moby, PRs are starting to get merged) which no one in their right mind would do if they were to abandon the project. Also, @thaJeztah is now a maintainer of swarmkit as well according to the MAINTAINERS file. The comment you linked is out of date. |
@thaJeztah and I briefly discussed this PR a bit the other day. There are still some concerns about merging it (everything from design principles to practical -- Swarm was built to be least privilege and to try to abstract away the coupled-to-the-implementation sins of the CLI). I hope to discuss this in general with the Moby maintainers in a week or two -- step one is getting the (Mirantis-internal) SwarmKit backlog formally triaged which I am working on. Step two is getting out of the 23.0.0 release hangover which will require at least one point release, maybe two. Step three is compiling the knowledge we have of the lay of the land and historical context of some of the FRs/PRs so we can have a coherent discussion with the other maintainers and not waste people"s time. In any case, asking for updates/pinging here won"t make things move faster, and we"ll post back here (you might see we do that a lot in moby/moby) with a summary of what we discuss in the maintainer"s call. There"s no guarantees this is merged yet (and that is not up to any one person), but time/nothing better becoming available is a strong argument (if weak technically), and it does deserve to be discussed & addressed at the very least. |
@neersighted For me it"s also about security. For services that need to access the Docker socket (like reverse proxy Traefik) it makes sense to use something like docker-socket-proxy to make the access more secure, but that needs Therefore it would be great to provide |
PTAL @neersighted |
Many more months gone by. Pull request is waiting, why can"t it be merged and be included in the next release? Who is responsible for this decision? Who owns |
FYI, I see that #3152 was merged so looks that those who are making decisions want to implement it first. I know that it is not same than privileged mode but together with cap-add which was added couple of versions ago you can already solve many use cases. |
Indeed, that is the intent (to allow more workloads without the sledgehammer). We also discussed this recently in a Moby maintainer"s call, but honestly not a lot moved -- we"re generally okay with it, but it"s against the historic design intent of Swarm, and so none of us want to proscribe this change to Swarm. @dperny do you want to weigh in on if it"s time to drop the "purity" of SwarmKit and stop waiting for capabilities, and potentially allow this? |
FYI, this PR have been here for a while so I did close + reopen to trigger CI again. Looks to be still 🟢 so even that is not blocker... |
Codecov Report
@@ Coverage Diff @@
## master #3072 +/- ##
=========================================
Coverage ? 61.86%
=========================================
Files ? 155
Lines ? 31140
Branches ? 0
=========================================
Hits ? 19264
Misses ? 10331
Partials ? 1545 |
@neersighted @thaJeztah @dperny compromise proposal. What it if we add new |
Knock knock! |
Any news on this? I think that a lot of swarm user are waiting for such feature. Without it some application are just not implementable in swarm. If it is not planned, maybe we could create a fork for a version with privileged enabled? |
Closing because Docker maintainers looks to be more favor of getting rid of #3152 already added support for Seccomp and AppArmor profiles and I just created rebased version of device support in #3186 |
I have fork it there: |
@guilh22 Be aware that it is a bit more complex because swarmkit is bundled to “dockerd” binary and stack files are parsed by “docker” binary. You can find full example from my old PRs which added mount type “npipe” support:
If you really want build customized version of Docker then you should fork moby/moby and docker/cli from latest release tag and modify relevant parts. You don’t actually need fork moby/swarmkit because you can simply modify code in “vendor” folder in moby/moby. Additionally depending on your target system it might make sense to fork https://github.com/docker/docker-ce-packaging too and use it packaging customized version. You can also ping me in Docker Community Slack or alternatively in new issue in your forked repo in case some part is unclear. |
- What I did
#1129 was closed with #1129 (comment)
Opening this one for checking if now
sixseven years later is right time to go forward with this one.First step to implement #1030 / moby/moby#24862
- How I did it
- How to test it
swarmctl service create --privileged
- Description for the changelog