Add capabilities list to container specification

agent/exec/dockerapi/container.go

@@ -209,6 +209,7 @@ func (c *containerConfig) hostConfig() *enginecontainer.HostConfig {
 		PortBindings: c.portBindings(),
 		Init:         c.init(),
 		Isolation:    c.isolation(),
+		Capabilities: c.spec().Capabilities,
 	}
 
 	// The format of extra hosts on swarmkit is specified in:
@@ -442,7 +443,7 @@ func (c *containerConfig) resources() enginecontainer.Resources {
 	// set pids limit
 	pidsLimit := c.spec().PidsLimit
 	if pidsLimit > 0 {
-		resources.PidsLimit = pidsLimit
+		resources.PidsLimit = &pidsLimit
 	}
 
 	// If no limits are specified let the engine use its defaults.

agent/exec/dockerapi/container_test.go

@@ -190,7 +190,7 @@ func TestPidLimit(t *testing.T) {
 	expected := int64(10)
 	actual := hostConfig.PidsLimit
 
-	if expected != actual {
+	if expected != *actual {
 		t.Fatalf("expected %d, got %d", expected, actual)
 	}
 }
@@ -256,3 +256,23 @@ func TestIsolation(t *testing.T) {
 		t.Fatalf("expected %s, got %s", expected, actual)
 	}
 }
+
+func TestCapabilities(t *testing.T) {
+	c := containerConfig{
+		task: &api.Task{
+			Spec: api.TaskSpec{
+				Runtime: &api.TaskSpec_Container{
+					Container: &api.ContainerSpec{
+						Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
+					},
+				},
+			},
+		},
+	}
+
+	expected := []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}
+	actual := c.hostConfig().Capabilities
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("expected %s, got %s", expected, actual)
+	}
+}

api/api.pb.txt

@@ -4951,6 +4951,13 @@ file {
       type_name: ".docker.swarmkit.v1.ContainerSpec.SysctlsEntry"
       json_name: "sysctls"
     }
+    field {
+      name: "capabilities"
+      number: 27
+      label: LABEL_REPEATED
+      type: TYPE_STRING
+      json_name: "capabilities"
+    }
     nested_type {
       name: "LabelsEntry"
       field {

api/specs.proto

@@ -333,6 +333,9 @@ message ContainerSpec {
 	//
 	// https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime
 	map<string, string> sysctls = 26;
+
+	// Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities)
+	repeated string capabilities = 27;
 }
 
 // EndpointSpec defines the properties that can be configured to

cmd/swarmctl/service/flagparser/capability.go

@@ -0,0 +1,72 @@
+package flagparser
+
+import (
+	"github.com/docker/swarmkit/api"
+	"github.com/spf13/cobra"
+)
+
+// ParseAddCapability validates capabilities passed on the command line
+func ParseAddCapability(cmd *cobra.Command, spec *api.ServiceSpec, flagName string) error {
+	flags := cmd.Flags()
+
+	if flags.Changed(flagName) {
+		capabilities, err := flags.GetStringSlice(flagName)
+		if err != nil {
+			return err
+		}
+
+		container := spec.Task.GetContainer()
+		if container == nil {
+			return nil
+		}
+
+		oldCapabilities := make(map[string]struct{})
+		for _, capability := range container.Capabilities {
+			oldCapabilities[capability] = struct{}{}
+		}
+
+		var newCapabilities = container.Capabilities
+		for _, capability := range capabilities {
+			if _, ok := oldCapabilities[capability]; ok {
+				continue
+			}
+			newCapabilities = append(newCapabilities, capability)
+		}
+		container.Capabilities = newCapabilities
+	}
+
+	return nil
+}
+
+// ParseRemoveCapability removes a set of capabilities from the task spec's capability references
+func ParseRemoveCapability(cmd *cobra.Command, spec *api.ServiceSpec, flagName string) error {
+	flags := cmd.Flags()
+
+	if flags.Changed(flagName) {
+		capabilities, err := flags.GetStringSlice(flagName)
+		if err != nil {
+			return err
+		}
+
+		container := spec.Task.GetContainer()
+		if container == nil {
+			return nil
+		}
+
+		wantToDelete := make(map[string]struct{})
+		for _, capability := range capabilities {
+			wantToDelete[capability] = struct{}{}
+		}
+
+		var newCapabilities []string
+		for _, capabilityRef := range container.Capabilities {
+			if _, ok := wantToDelete[capabilityRef]; ok {
+				continue
+			}
+			newCapabilities = append(newCapabilities, capabilityRef)
+		}
+		container.Capabilities = newCapabilities
+	}
+
+	return nil
+}

cmd/swarmctl/service/update.go

@@ -54,6 +54,13 @@ var (
 				return err
 			}
 
+			if err := flagparser.ParseAddCapability(cmd, spec, "add-capability"); err != nil {
+				return err
+			}
+			if err := flagparser.ParseRemoveCapability(cmd, spec, "rm-capability"); err != nil {
+				return err
+			}
+
 			if reflect.DeepEqual(spec, &service.Spec) {
 				return errors.New("no changes detected")
 			}
@@ -77,6 +84,8 @@ func init() {
 	updateCmd.Flags().StringSlice("rm-secret", nil, "remove a secret from the service")
 	updateCmd.Flags().StringSlice("add-config", nil, "add a new config to the service")
 	updateCmd.Flags().StringSlice("rm-config", nil, "remove a config from the service")
+	updateCmd.Flags().StringSlice("add-capability", nil, "add a new capability to the service")
+	updateCmd.Flags().StringSlice("rm-capability", nil, "remove a capability from the service")
 	updateCmd.Flags().Bool("force", false, "force tasks to restart even if nothing has changed")
 	flagparser.AddServiceFlags(updateCmd.Flags())
 }

vendor.conf

@@ -27,8 +27,8 @@ github.com/prometheus/client_model 6f3806018612930941127f2a7c6c453ba2c527d2
 github.com/prometheus/common 7600349dcfe1abd18d72d3a1770870d9800a7801
 github.com/prometheus/procfs 7d6f385de8bea29190f15ba9931442a0eaef9af7
 
-github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
-github.com/docker/docker 5a718ef0f94f605fe4e4885937133c2f76ad2a41
+github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/docker 827cb09f87964ed38b46502f22a585f2ed4a78e1
 github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1