Add support for container kernel capabilities (#716)

This patch adds two new command-line flags to specify one or more kernel capabilities to add or remove from the workflow containers. The command-line flag `--container-cap-add` allows for adding specific capabilities on the workflow containers; where as, The command-line flag `--container-cap-drop` allows for removing specific capabilities on the workflow containers. This was developed to specifically be able to add `SYS_PTRACE` to a workflow I maintain. It involves using this capability to monitor a make build, to then build a compilation database. Signed-off-by: Joseph Benden <joe@benden.us>
2021-06-04 09:06:59 -07:00
parent 8a9167da82
commit 6b4d359737
6 changed files with 17 additions and 7 deletions
--- a/pkg/runner/run_context.go
+++ b/pkg/runner/run_context.go
@@ -148,7 +148,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
 		return common.NewPipelineExecutor(
 			rc.JobContainer.Pull(rc.Config.ForcePull),
 			rc.stopJobContainer(),
-			rc.JobContainer.Create(),
+			rc.JobContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 			rc.JobContainer.Start(false),
 			rc.JobContainer.UpdateFromEnv("/etc/environment", &rc.Env),
 			rc.JobContainer.Exec([]string{"mkdir", "-m", "0777", "-p", ActPath}, rc.Env, "root"),
--- a/pkg/runner/runner.go
+++ b/pkg/runner/runner.go
@@ -40,6 +40,8 @@ type Config struct {
 	ContainerDaemonSocket string            // Path to Docker daemon socket
 	UseGitIgnore          bool              // controls if paths in .gitignore should not be copied into container, default true
 	GitHubInstance        string            // GitHub instance to use, default "github.com"
+	ContainerCapAdd       []string          // list of kernel capabilities to add to the containers
+	ContainerCapDrop      []string          // list of kernel capabilities to remove from the containers
 }

 // Resolves the equivalent host path inside the container
--- a/pkg/runner/step_context.go
+++ b/pkg/runner/step_context.go
@@ -299,7 +299,7 @@ func (sc *StepContext) runUsesContainer() common.Executor {
 		return common.NewPipelineExecutor(
 			stepContainer.Pull(rc.Config.ForcePull),
 			stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
-			stepContainer.Create(),
+			stepContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 			stepContainer.Start(true),
 		).Finally(
 			stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
@@ -517,7 +517,7 @@ func (sc *StepContext) execAsDocker(ctx context.Context, action *model.Action, a
 		prepImage,
 		stepContainer.Pull(rc.Config.ForcePull),
 		stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
-		stepContainer.Create(),
+		stepContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 		stepContainer.Start(true),
 	).Finally(
 		stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),