Cherry-pick security_opt&add_cap

mauricioklein · Dec 10, 2018 · 64a2ed7 · 64a2ed7
1 parent 24f4ce2
commit 64a2ed7
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 13 deletions.
diff --git a/lib/docker-compose.rb b/lib/docker-compose.rb
@@ -72,24 +72,28 @@ def self.create_container(attributes)
       volumes: attributes[1]['volumes'],
       command: attributes[1]['command'],
       environment: attributes[1]['environment'],
-      labels: attributes[1]['labels']
+      labels: attributes[1]['labels'],
+      security_opt: attributes[1]['security_opt'],
+      cap_add: attributes[1]['cap_add'],
     })
   end
 
   def self.load_running_container(container)
     info = container.json
 
     container_args = {
-      label:       info['Name'].split(/_/)[1] || '',
-      full_name:   info['Name'],
-      image:       info['Image'],
-      build:       nil,
-      links:       info['HostConfig']['Links'],
-      ports:       ComposeUtils.format_ports_from_running_container(info['NetworkSettings']['Ports']),
-      volumes:     info['Config']['Volumes'],
-      command:     info['Config']['Cmd'].join(' '),
-      environment: info['Config']['Env'],
-      labels:      info['Config']['Labels'],
+      label:        info['Name'].split(/_/)[1] || '',
+      full_name:    info['Name'],
+      image:        info['Image'],
+      build:        nil,
+      links:        info['HostConfig']['Links'],
+      cap_add:      info['HostConfig']['CapAdd'],
+      security_opt: info['HostConfig']['SecurityOpt'],
+      ports:        ComposeUtils.format_ports_from_running_container(info['NetworkSettings']['Ports']),
+      volumes:      info['Config']['Volumes'],
+      command:      info['Config']['Cmd'].join(' '),
+      environment:  info['Config']['Env'],
+      labels:       info['Config']['Labels'],
 
       loaded_from_environment: true
     }

diff --git a/lib/docker-compose/models/compose_container.rb b/lib/docker-compose/models/compose_container.rb
@@ -18,7 +18,9 @@ def initialize(hash_attributes, docker_container = nil)
       volumes: hash_attributes[:volumes],
       command: ComposeUtils.format_command(hash_attributes[:command]),
       environment: prepare_environment(hash_attributes[:environment]),
-      labels: prepare_labels(hash_attributes[:labels])
+      labels: prepare_labels(hash_attributes[:labels]),
+      cap_add: hash_attributes[:cap_add],
+      security_opt: hash_attributes[:security_opt],
     }.reject { |key, value| value.nil? }
 
     prepare_compose_labels
@@ -84,7 +86,9 @@ def prepare_container
       HostConfig: {
         Binds: volume_binds,
         Links: links,
-        PortBindings: port_bindings
+        PortBindings: port_bindings,
+        CapAdd: @attributes[:cap_add],
+        SecurityOpt: @attributes[:security_opt],
       }
     }
 

diff --git a/spec/docker-compose/docker-compose_v3_spec.rb b/spec/docker-compose/docker-compose_v3_spec.rb
@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe DockerCompose do
+  context 'version 3' do
+    before(:each) {
+      @compose = DockerCompose.load(File.expand_path('spec/docker-compose/fixtures/compose_3.yaml'))
+    }
+
+    after(:each) do
+      @compose.delete
+    end
+
+    it 'should be able to access gem version' do
+      expect(DockerCompose.version).to_not be_nil
+    end
+
+    it 'should be able to access Docker client' do
+      expect(DockerCompose.docker_client).to_not be_nil
+    end
+
+    it 'should read 3 containers' do
+      expect(@compose.containers.length).to eq(3)
+    end
+
+    it 'uses cap_add correctly' do
+      container = @compose.get_containers_by(label: 'busybox').first
+
+      # Start container
+      container.start
+
+      caps_added = container.stats['HostConfig']['CapAdd']
+      expect(caps_added).to match_array(['SYS_ADMIN'])
+
+      # Stop container
+      container.stop
+    end
+
+    it 'uses security_opt correctly' do
+      container = @compose.get_containers_by(label: 'busybox').first
+
+      # Start container
+      container.start
+
+      security_opts = container.stats['HostConfig']['SecurityOpt']
+      expect(security_opts).to match_array(['apparmor:unconfined'])
+
+      # Stop container
+      container.stop
+    end
+  end
+end
diff --git a/spec/docker-compose/fixtures/compose_3.yaml b/spec/docker-compose/fixtures/compose_3.yaml
@@ -0,0 +1,28 @@
+version: 3
+services:
+  lambda:
+    image: lambci/lambda:ruby2.5
+    volumes:
+      - .:/var/task
+    networks:
+      default:
+  db:
+    image: postgres:10-alpine
+    environment:
+      POSTGRES_USER: user
+      POSTGRES_PASSWORD: password
+      POSTGRES_DB: database
+    networks:
+      default:
+        aliases:
+          - database
+  busybox:
+    image: busybox
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - apparmor:unconfined
+networks:
+  default:
+
+