Add support for swarm seccomp and apparmor #46386
Conversation
| if seccomp != nil { | ||
| switch seccomp.Mode { | ||
| case api.Privileges_SeccompOpts_DEFAULT: | ||
| // TODO(dperny): DO NOT MERGE WITHOUT THIS QUESTION ANSWERED! |
There was a problem hiding this comment.
Should this PR be converted to draft until this question is answered?
There was a problem hiding this comment.
This review comment is why I put this code comment. Knew I would forget about it.
a6ba8ee to
d86dfbb
Compare
There was a problem hiding this comment.
some very minor comments, also could you add entries to https://github.com/moby/moby/blob/master/docs/api/version-history.md to mention the new options (which apply to both POST /services/create and POST /services/{id}/update)
d86dfbb to
73bc6d6
Compare
| @@ -69,6 +69,34 @@ func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec { | |||
| Level: c.Privileges.SELinuxContext.Level, | |||
| } | |||
| } | |||
|
|
|||
| if c.Privileges.Seccomp != nil { | |||
There was a problem hiding this comment.
I guess ideally we'd have some tests added as well, but I'm ok with doing it in a follow-up if we'd like to have this included in the release. I see there's some tests in this package already; https://github.com/moby/moby/tree/78479b19158290e7338ceb3985bb809b83de5fd4/daemon/cluster/executor/container
|
ah, dang; needs a rebase, @dperny ( |
And also no-new-privileges Signed-off-by: Drew Erny <derny@mirantis.com>
73bc6d6 to
42a51cb
Compare
|
Hello @dperny. Thanks in advance :) |
|
This is purely backend support; the issue you already linked is the appropriate venue to discuss UI. |
- What I did
Added support in Swarm for custom Seccomp profiles, some small amount of AppArmor configuration, and
no-new-privileges.- How I did it
Swarmkit has the necessary plumbing for these fields added, and now it's wired up in the engine.
- How to verify it
- Description for the changelog
Added Swarm support for seccomp, AppArmor, and no-new-privileges.