Add capabilities list to container specification

[olljanat]

- What I did
Add capabilities list to container specification like discussed on moby/moby#26849 (comment)

Second step to solve moby/moby#25885 , moby/moby#24862 and #1030
Replaces #1565

- How to test it
Run test container which prints capabilities to console

./swarmctl service create --image ollijanatuinen/capsh --name test

Add default capabilities

./swarmctl service update <serviceID> \
    --add-capability CHOWN \
    --add-capability DAC_OVERRIDE \
    --add-capability FSETID \
    --add-capability FOWNER \
    --add-capability MKNOD \
    --add-capability NET_RAW \
    --add-capability SETGID \
    --add-capability SETUID \
    --add-capability SETFCAP \
    --add-capability SETPCAP \
    --add-capability NET_BIND_SERVICE \
    --add-capability SYS_CHROOT \
    --add-capability KILL \
    --add-capability AUDIT_WRITE

Remove capabilities:

swarmctl service update <serviceID> --rm-capability AUDIT_WRITE

- Description for the changelog
d9c62e1 bumps docker/docker to same version which docker/cli is using and docker/distribution to same version than is used by moby and docker/cli (and fixes those small incompabilities).

18d9170 contains actual implementation.

[thaJeztah]

@olljanat I removed "WIP' because the moby PR was merged; could you rebase this PR?

[codecov]

Codecov Report

Merging #2795 into master will decrease coverage by 0.14%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #2795      +/-   ##
==========================================
- Coverage   62.19%   62.05%   -0.15%     
==========================================
  Files         139      139              
  Lines       22314    22314              
==========================================
- Hits        13879    13846      -33     
- Misses       6962     6990      +28     
- Partials     1473     1478       +5

[olljanat]

@dperny @wk8 This one is ready for first review. PTAL.

/cc @thaJeztah

[wk8]

LGTM, might be good to have an integration test in moby once this is merged?

[olljanat]

@wk8 sure ;)

@dperny @anshulpundir PTAL

[olljanat]

@dperny ping

[dperny]

question about why pids limit changed to a pointer

[dperny]

is there a reason that this changed?

[olljanat]

It looks to be changed on moby side and it didn't passed build without those (like I said in change log on first message).

EDIT: Most probably it is this one moby/moby#38793 adds need to use pointer here.

[dperny]

@justincormack from a security perspective, would this be a safe change to swarmkit? as i understand it, there was a reason we didn't do this from the beginning, which i think you might be familiar with, but i don't remember what it was.

[olljanat]

@dperny @justincormack as far I have understood it was this one moby/moby#26849 (comment) why original implementation was not approved.

and to be able solve that issue I refactored capabilities handing on moby (with @thaJeztah help) to support for exact list of capabilities on moby/moby#38380 that actually already ships with Docker 19.03.

And this PR is needed to get it working with services.
Btw. complete TODO list is visible on moby/moby#25885 (comment)

[dperny]

It LGTM after a quick OK from security folks.

[justincormack]

@dperny lots of things are not "safe", but deciding that Swarm was the right place to make all safety decisions, and then not actually make them, was a mistake.