From baa321293f74e39442d0c9f88e8d6d3adcb0b418 Mon Sep 17 00:00:00 2001 From: Brian Goff Date: Wed, 22 Jul 2020 21:29:24 -0700 Subject: [PATCH 1/2] Revendor swarmkit This picks up the API changes for cap add/drop for services. Signed-off-by: Brian Goff --- vendor.conf | 2 +- .../docker/swarmkit/api/specs.pb.go | 378 ++++++++++-------- .../docker/swarmkit/api/specs.proto | 6 +- 3 files changed, 226 insertions(+), 160 deletions(-) diff --git a/vendor.conf b/vendor.conf index 5623ca449d..0324983179 100644 --- a/vendor.conf +++ b/vendor.conf @@ -134,7 +134,7 @@ github.com/gogo/googleapis 01e0f9cca9b92166042241267ee2 github.com/cilium/ebpf 60c3aa43f488292fe2ee50fb8b833b383ca8ebbb # cluster -github.com/docker/swarmkit ebe39a32e3ed4c3a3783a02c11cccf388818694c +github.com/docker/swarmkit 035d564a3686f5e348d861ec0c074ff26854c498 github.com/gogo/protobuf 5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1 github.com/golang/protobuf d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3 github.com/cloudflare/cfssl 5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2 diff --git a/vendor/github.com/docker/swarmkit/api/specs.pb.go b/vendor/github.com/docker/swarmkit/api/specs.pb.go index dbfc2ab2e1..d3e1a598ee 100644 --- a/vendor/github.com/docker/swarmkit/api/specs.pb.go +++ b/vendor/github.com/docker/swarmkit/api/specs.pb.go @@ -1019,8 +1019,10 @@ type ContainerSpec struct { // // https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime Sysctls map[string]string `protobuf:"bytes,26,rep,name=sysctls,proto3" json:"sysctls,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities) - Capabilities []string `protobuf:"bytes,27,rep,name=capabilities,proto3" json:"capabilities,omitempty"` + // CapabilityAdd sets the list of capabilities to add to the default capability list + CapabilityAdd []string `protobuf:"bytes,27,rep,name=capability_add,json=capabilityAdd,proto3" json:"capability_add,omitempty"` + // CapabilityAdd sets the list of capabilities to drop from the default capability list + CapabilityDrop []string `protobuf:"bytes,28,rep,name=capability_drop,json=capabilityDrop,proto3" json:"capability_drop,omitempty"` } func (m *ContainerSpec) Reset() { *m = ContainerSpec{} } @@ -1501,151 +1503,152 @@ func init() { } var fileDescriptor_6589acc608f7d4fd = []byte{ - // 2289 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0x4d, 0x73, 0x23, 0xb7, - 0xd1, 0x26, 0x25, 0x8a, 0x1f, 0x3d, 0xa4, 0x96, 0x82, 0xd7, 0xf6, 0x88, 0x6b, 0x53, 0x34, 0xbd, - 0xf6, 0x2b, 0xdb, 0xf5, 0x52, 0x15, 0xc5, 0xe5, 0xf8, 0x23, 0x4e, 0x42, 0x8a, 0xb4, 0x44, 0xef, - 0xae, 0xc4, 0x02, 0x65, 0x25, 0x5b, 0x95, 0x2a, 0x16, 0x38, 0x03, 0x91, 0x13, 0x0d, 0x07, 0x13, - 0x0c, 0x28, 0x9b, 0xb7, 0x1c, 0x5d, 0xca, 0x25, 0x7f, 0x40, 0xa7, 0x54, 0x4e, 0xb9, 0x24, 0xff, - 0x62, 0x8f, 0x3e, 0x3a, 0x17, 0x55, 0xac, 0xfd, 0x09, 0xb9, 0xe5, 0x92, 0x14, 0x30, 0x98, 0x21, - 0xa9, 0x25, 0x57, 0x9b, 0xca, 0x1e, 0x72, 0x03, 0x7a, 0x9e, 0xa7, 0xd1, 0x0d, 0x74, 0x37, 0x1a, - 0x03, 0xef, 0x0f, 0x1c, 0x31, 0x1c, 0xf7, 0x6b, 0x16, 0x1b, 0xed, 0xd8, 0xcc, 0x3a, 0xa3, 0x7c, - 0x27, 0xf8, 0x9a, 0xf0, 0xd1, 0x99, 0x23, 0x76, 0x88, 0xef, 0xec, 0x04, 0x3e, 0xb5, 0x82, 0x9a, - 0xcf, 0x99, 0x60, 0x08, 0x85, 0x80, 0x5a, 0x04, 0xa8, 0x9d, 0xff, 0xa8, 0x74, 0x1b, 0x5f, 0x4c, - 0x7c, 0xaa, 0xf9, 0xa5, 0xbb, 0x03, 0x36, 0x60, 0x6a, 0xb8, 0x23, 0x47, 0x5a, 0x5a, 0x1e, 0x30, - 0x36, 0x70, 0xe9, 0x8e, 0x9a, 0xf5, 0xc7, 0xa7, 0x3b, 0xf6, 0x98, 0x13, 0xe1, 0x30, 0x4f, 0x7f, - 0xdf, 0xbc, 0xf9, 0x9d, 0x78, 0x93, 0x65, 0xd4, 0xaf, 0x39, 0xf1, 0x7d, 0xca, 0xf5, 0x82, 0xd5, - 0xcb, 0x14, 0x64, 0x0f, 0x99, 0x4d, 0xbb, 0x3e, 0xb5, 0xd0, 0x3e, 0x18, 0xc4, 0xf3, 0x98, 0x50, - 0xba, 0x03, 0x33, 0x59, 0x49, 0x6e, 0x1b, 0xbb, 0x5b, 0xb5, 0x67, 0x7d, 0xaa, 0xd5, 0xa7, 0xb0, - 0x46, 0xea, 0xc9, 0xd5, 0x56, 0x02, 0xcf, 0x32, 0xd1, 0xcf, 0x21, 0x6f, 0xd3, 0xc0, 0xe1, 0xd4, - 0xee, 0x71, 0xe6, 0x52, 0x73, 0xa5, 0x92, 0xdc, 0x5e, 0xdf, 0x7d, 0x63, 0x91, 0x26, 0xb9, 0x38, - 0x66, 0x2e, 0xc5, 0x86, 0x66, 0xc8, 0x09, 0xda, 0x07, 0x18, 0xd1, 0x51, 0x9f, 0xf2, 0x60, 0xe8, - 0xf8, 0xe6, 0xaa, 0xa2, 0xff, 0xdf, 0x32, 0xba, 0xb4, 0xbd, 0xf6, 0x28, 0x86, 0xe3, 0x19, 0x2a, - 0x7a, 0x04, 0x79, 0x72, 0x4e, 0x1c, 0x97, 0xf4, 0x1d, 0xd7, 0x11, 0x13, 0x33, 0xa5, 0x54, 0xbd, - 0xf7, 0x5c, 0x55, 0xf5, 0x19, 0x02, 0x9e, 0xa3, 0x57, 0x6d, 0x80, 0xe9, 0x42, 0xe8, 0x5d, 0xc8, - 0x74, 0x5a, 0x87, 0xcd, 0xf6, 0xe1, 0x7e, 0x31, 0x51, 0xda, 0xbc, 0xb8, 0xac, 0xbc, 0x2a, 0x75, - 0x4c, 0x01, 0x1d, 0xea, 0xd9, 0x8e, 0x37, 0x40, 0xdb, 0x90, 0xad, 0xef, 0xed, 0xb5, 0x3a, 0xc7, - 0xad, 0x66, 0x31, 0x59, 0x2a, 0x5d, 0x5c, 0x56, 0x5e, 0x9b, 0x07, 0xd6, 0x2d, 0x8b, 0xfa, 0x82, - 0xda, 0xa5, 0xd4, 0xb7, 0x7f, 0x2c, 0x27, 0xaa, 0xdf, 0x26, 0x21, 0x3f, 0x6b, 0x04, 0x7a, 0x17, - 0xd2, 0xf5, 0xbd, 0xe3, 0xf6, 0x49, 0xab, 0x98, 0x98, 0xd2, 0x67, 0x11, 0x75, 0x4b, 0x38, 0xe7, - 0x14, 0xdd, 0x87, 0xb5, 0x4e, 0xfd, 0xab, 0x6e, 0xab, 0x98, 0x9c, 0x9a, 0x33, 0x0b, 0xeb, 0x90, - 0x71, 0xa0, 0x50, 0x4d, 0x5c, 0x6f, 0x1f, 0x16, 0x57, 0x16, 0xa3, 0x9a, 0x9c, 0x38, 0x9e, 0x36, - 0xe5, 0xcf, 0x6b, 0x60, 0x74, 0x29, 0x3f, 0x77, 0xac, 0x97, 0x1c, 0x22, 0x1f, 0x41, 0x4a, 0x90, - 0xe0, 0x4c, 0x85, 0x86, 0xb1, 0x38, 0x34, 0x8e, 0x49, 0x70, 0x26, 0x17, 0xd5, 0x74, 0x85, 0x97, - 0x91, 0xc1, 0xa9, 0xef, 0x3a, 0x16, 0x11, 0xd4, 0x56, 0x91, 0x61, 0xec, 0xbe, 0xb3, 0x88, 0x8d, - 0x63, 0x94, 0xb6, 0xff, 0x20, 0x81, 0x67, 0xa8, 0xe8, 0x33, 0x48, 0x0f, 0x5c, 0xd6, 0x27, 0xae, - 0x8a, 0x09, 0x63, 0xf7, 0xad, 0x45, 0x4a, 0xf6, 0x15, 0x62, 0xaa, 0x40, 0x53, 0xd0, 0x97, 0xb0, - 0x3e, 0x55, 0xd5, 0xfb, 0x0d, 0xeb, 0x9b, 0xb0, 0x5c, 0xc9, 0xd4, 0x92, 0x2f, 0x59, 0xff, 0x20, - 0x81, 0x0b, 0x7c, 0x56, 0x80, 0x7e, 0x06, 0x10, 0x6a, 0x55, 0x7a, 0x0c, 0xa5, 0xe7, 0xcd, 0xe5, - 0xc6, 0x84, 0x3a, 0x72, 0x83, 0x68, 0x82, 0x3e, 0x86, 0xf4, 0xd8, 0xb7, 0x89, 0xa0, 0x66, 0x5a, - 0x71, 0x2b, 0x8b, 0xb8, 0x5f, 0x29, 0xc4, 0x1e, 0xf3, 0x4e, 0x9d, 0x01, 0xd6, 0x78, 0xf4, 0x53, - 0xc8, 0x72, 0xe6, 0xba, 0x7d, 0x62, 0x9d, 0x99, 0xb9, 0x17, 0xe4, 0xc6, 0x0c, 0xf4, 0x00, 0xb2, - 0x1e, 0x15, 0x5f, 0x33, 0x7e, 0x16, 0x98, 0x99, 0xca, 0xea, 0xb6, 0xb1, 0xfb, 0xc1, 0xc2, 0xb4, - 0x0a, 0x31, 0x75, 0x21, 0x88, 0x35, 0x1c, 0x51, 0x4f, 0x84, 0x8a, 0x1a, 0x2b, 0x66, 0x12, 0xc7, - 0x0a, 0xa4, 0x29, 0xd4, 0xb3, 0x7d, 0xe6, 0x78, 0xc2, 0xcc, 0x2e, 0x37, 0xa5, 0xa5, 0x31, 0x32, - 0x2c, 0x70, 0xcc, 0x68, 0xa4, 0x21, 0x35, 0x62, 0x36, 0xad, 0xee, 0xc0, 0xc6, 0x33, 0xc7, 0x8e, - 0x4a, 0x90, 0xd5, 0x1b, 0x1e, 0xc6, 0x6b, 0x0a, 0xc7, 0xf3, 0xea, 0x1d, 0x28, 0xcc, 0x1d, 0x71, - 0xd5, 0x82, 0xc2, 0xdc, 0x71, 0xa1, 0x77, 0x60, 0x7d, 0x44, 0xbe, 0xe9, 0x59, 0xcc, 0xb3, 0xc6, - 0x9c, 0x53, 0x4f, 0x68, 0x1d, 0x85, 0x11, 0xf9, 0x66, 0x2f, 0x16, 0xa2, 0x0f, 0x60, 0x43, 0x30, - 0x41, 0xdc, 0x9e, 0xc5, 0x46, 0xbe, 0x4b, 0xc3, 0xec, 0x58, 0x51, 0xc8, 0xa2, 0xfa, 0xb0, 0x37, - 0x95, 0x57, 0x0d, 0xc8, 0xc5, 0x67, 0x59, 0xfd, 0xcb, 0x1a, 0x64, 0xa3, 0x48, 0x47, 0x0f, 0x00, - 0x48, 0xbc, 0x51, 0x7a, 0x23, 0xde, 0x7b, 0xa1, 0x5d, 0x95, 0x74, 0x19, 0xe1, 0x53, 0x3a, 0xaa, - 0x43, 0xce, 0x62, 0x9e, 0x20, 0x8e, 0x47, 0xb9, 0xce, 0xd4, 0x85, 0xf1, 0xb9, 0x17, 0x81, 0xb4, - 0x8e, 0x29, 0x0b, 0x35, 0x20, 0x33, 0xa0, 0x1e, 0xe5, 0x8e, 0xa5, 0x03, 0xfc, 0xdd, 0x85, 0x81, - 0x19, 0x42, 0xf0, 0xd8, 0x13, 0xce, 0x88, 0x6a, 0x2d, 0x11, 0x11, 0x7d, 0x01, 0x39, 0x4e, 0x03, - 0x36, 0xe6, 0x16, 0x0d, 0x74, 0xba, 0x6f, 0x2f, 0x4e, 0x93, 0x10, 0x84, 0xe9, 0x6f, 0xc7, 0x0e, - 0xa7, 0xd2, 0x85, 0x00, 0x4f, 0xa9, 0xe8, 0x33, 0xc8, 0x70, 0x1a, 0x08, 0xc2, 0xc5, 0xf3, 0x32, - 0x16, 0x87, 0x90, 0x0e, 0x73, 0x1d, 0x6b, 0x82, 0x23, 0x06, 0xfa, 0x0c, 0x72, 0xbe, 0x4b, 0x2c, - 0xa5, 0xd5, 0x5c, 0x5b, 0x9e, 0x63, 0x9d, 0x08, 0x84, 0xa7, 0x78, 0xf4, 0x09, 0x80, 0xcb, 0x06, - 0x3d, 0x9b, 0x3b, 0xe7, 0x94, 0xeb, 0x2c, 0x2b, 0x2d, 0x62, 0x37, 0x15, 0x02, 0xe7, 0x5c, 0x36, - 0x08, 0x87, 0x68, 0xff, 0xbf, 0x4a, 0x92, 0x99, 0x04, 0x79, 0x0b, 0xf2, 0xa7, 0x8c, 0x5b, 0xb4, - 0xa7, 0x73, 0x3d, 0xa7, 0x62, 0xcb, 0x50, 0xb2, 0x30, 0x41, 0xd1, 0xaf, 0xe1, 0x95, 0x68, 0xb7, - 0x7a, 0x9c, 0x9e, 0x52, 0x4e, 0x3d, 0xb9, 0xe5, 0x86, 0x5a, 0xf6, 0x9d, 0xe7, 0x6f, 0xb9, 0x46, - 0xeb, 0x52, 0x8b, 0xf8, 0xcd, 0x0f, 0x41, 0x23, 0x07, 0x19, 0x1e, 0x1e, 0x70, 0xf5, 0xf7, 0x49, - 0x99, 0x67, 0x37, 0x10, 0x68, 0x07, 0x8c, 0x78, 0x79, 0xc7, 0x56, 0x01, 0x97, 0x6b, 0xac, 0x5f, - 0x5f, 0x6d, 0x41, 0x84, 0x6d, 0x37, 0x65, 0x05, 0xd6, 0x63, 0x1b, 0xb5, 0xa0, 0x10, 0x13, 0x64, - 0x13, 0xa4, 0xdb, 0x84, 0xca, 0xf3, 0x2c, 0x3d, 0x9e, 0xf8, 0x14, 0xe7, 0xf9, 0xcc, 0xac, 0xfa, - 0x2b, 0x40, 0xcf, 0x06, 0x20, 0x42, 0x90, 0x3a, 0x73, 0x3c, 0x6d, 0x06, 0x56, 0x63, 0x54, 0x83, - 0x8c, 0x4f, 0x26, 0x2e, 0x23, 0xb6, 0x8e, 0xc3, 0xbb, 0xb5, 0xb0, 0x3d, 0xaa, 0x45, 0xed, 0x51, - 0xad, 0xee, 0x4d, 0x70, 0x04, 0xaa, 0x3e, 0x80, 0x57, 0x17, 0xe6, 0x19, 0xda, 0x85, 0x7c, 0x9c, - 0x23, 0x53, 0x5f, 0xef, 0x5c, 0x5f, 0x6d, 0x19, 0x71, 0x32, 0xb5, 0x9b, 0xd8, 0x88, 0x41, 0x6d, - 0xbb, 0x7a, 0x51, 0x80, 0xc2, 0x5c, 0xa6, 0xa1, 0xbb, 0xb0, 0xe6, 0x8c, 0xc8, 0x80, 0x6a, 0x1b, - 0xc3, 0x09, 0x6a, 0x41, 0xda, 0x25, 0x7d, 0xea, 0xca, 0x5c, 0x91, 0x07, 0xf7, 0xff, 0xb7, 0xa6, - 0x6c, 0xed, 0xa1, 0xc2, 0xb7, 0x3c, 0xc1, 0x27, 0x58, 0x93, 0x91, 0x09, 0x19, 0x8b, 0x8d, 0x46, - 0xc4, 0x93, 0x97, 0xe4, 0xea, 0x76, 0x0e, 0x47, 0x53, 0xb9, 0x33, 0x84, 0x0f, 0x02, 0x33, 0xa5, - 0xc4, 0x6a, 0x2c, 0x6b, 0xe4, 0x90, 0x05, 0xc2, 0x23, 0x23, 0x6a, 0xae, 0x2b, 0x6b, 0xe2, 0x39, - 0x2a, 0xc2, 0x2a, 0xf5, 0xce, 0xcd, 0x35, 0x05, 0x97, 0x43, 0x29, 0xb1, 0x9d, 0x30, 0x11, 0x72, - 0x58, 0x0e, 0xa5, 0xce, 0x71, 0x40, 0xb9, 0x99, 0x09, 0x77, 0x5b, 0x8e, 0xd1, 0x6b, 0x90, 0x1e, - 0x70, 0x36, 0xf6, 0xc3, 0x08, 0xcc, 0x61, 0x3d, 0x93, 0xf7, 0x9d, 0xcf, 0x9d, 0x73, 0xc7, 0xa5, - 0x03, 0x1a, 0x98, 0xaf, 0xa9, 0x83, 0x28, 0x2f, 0xcc, 0xc5, 0x18, 0x85, 0x67, 0x18, 0xa8, 0x06, - 0x29, 0xc7, 0x73, 0x84, 0xf9, 0xba, 0xce, 0xc3, 0x9b, 0x47, 0xd8, 0x60, 0xcc, 0x3d, 0x21, 0xee, - 0x98, 0x62, 0x85, 0x43, 0x9b, 0xb0, 0x2a, 0xc4, 0xc4, 0x2c, 0x54, 0x92, 0xdb, 0xd9, 0x46, 0xe6, - 0xfa, 0x6a, 0x6b, 0xf5, 0xf8, 0xf8, 0x31, 0x96, 0x32, 0xf4, 0x26, 0x00, 0xf3, 0xa9, 0xd7, 0x0b, - 0x84, 0xed, 0x78, 0x26, 0x92, 0x08, 0x9c, 0x93, 0x92, 0xae, 0x14, 0xa0, 0x7b, 0xb2, 0x72, 0x11, - 0xbb, 0xc7, 0x3c, 0x77, 0x62, 0xbe, 0xa2, 0xbe, 0x66, 0xa5, 0xe0, 0xc8, 0x73, 0x27, 0x68, 0x0b, - 0x8c, 0x40, 0x30, 0xbf, 0x17, 0x38, 0x03, 0x8f, 0xb8, 0xe6, 0x5d, 0xe5, 0x39, 0x48, 0x51, 0x57, - 0x49, 0xd0, 0x4f, 0x20, 0x3d, 0x62, 0x63, 0x4f, 0x04, 0x66, 0x56, 0x1d, 0xe4, 0xe6, 0x22, 0x1f, - 0x1f, 0x49, 0x84, 0xce, 0x3a, 0x0d, 0x47, 0x2d, 0xd8, 0x50, 0x9a, 0x07, 0x9c, 0x58, 0xb4, 0xe7, - 0x53, 0xee, 0x30, 0x5b, 0xdf, 0xcf, 0x9b, 0xcf, 0x78, 0xdb, 0xd4, 0x4f, 0x01, 0x7c, 0x47, 0x72, - 0xf6, 0x25, 0xa5, 0xa3, 0x18, 0xa8, 0x03, 0x79, 0x7f, 0xec, 0xba, 0x3d, 0xe6, 0x87, 0xb7, 0x51, - 0x58, 0xc0, 0x5f, 0x20, 0x9c, 0x3a, 0x63, 0xd7, 0x3d, 0x0a, 0x49, 0xd8, 0xf0, 0xa7, 0x13, 0xf4, - 0x39, 0x64, 0x02, 0x6a, 0x71, 0x2a, 0x02, 0x33, 0xaf, 0x5c, 0x7a, 0x7b, 0x91, 0xb2, 0xae, 0x82, - 0xc4, 0x75, 0x01, 0x47, 0x1c, 0x49, 0xb7, 0x54, 0x59, 0x0b, 0xcc, 0x57, 0x97, 0xd3, 0x75, 0xe5, - 0x9b, 0xd2, 0x35, 0x47, 0xa6, 0x8b, 0x8c, 0xc9, 0xc0, 0xdc, 0x50, 0xe1, 0x14, 0x4e, 0xd0, 0x63, - 0x00, 0xdb, 0x0b, 0x7a, 0x21, 0xc8, 0xbc, 0xa3, 0x7c, 0xfc, 0xe0, 0x76, 0x1f, 0x9b, 0x87, 0x5d, - 0xdd, 0x87, 0x14, 0xae, 0xaf, 0xb6, 0x72, 0xf1, 0x14, 0xe7, 0x6c, 0x2f, 0x08, 0x87, 0xa8, 0x01, - 0xc6, 0x90, 0x12, 0x57, 0x0c, 0xad, 0x21, 0xb5, 0xce, 0xcc, 0xe2, 0xf2, 0xb6, 0xe4, 0x40, 0xc1, - 0xb4, 0x86, 0x59, 0x12, 0x6a, 0x43, 0xce, 0x09, 0x98, 0xab, 0x8e, 0xc8, 0x34, 0x55, 0x7d, 0x7b, - 0x01, 0xeb, 0xda, 0x11, 0x05, 0x4f, 0xd9, 0xe8, 0x0d, 0xc8, 0xf9, 0x8e, 0x1d, 0x3c, 0x74, 0x46, - 0x8e, 0x30, 0x37, 0x2b, 0xc9, 0xed, 0x55, 0x3c, 0x15, 0xa0, 0x03, 0xc8, 0x04, 0x93, 0xc0, 0x12, - 0x6e, 0x60, 0x96, 0xd4, 0xe6, 0xd6, 0x6e, 0x5f, 0xa6, 0x1b, 0x12, 0xc2, 0xc2, 0x11, 0xd1, 0x51, - 0x15, 0xf2, 0x16, 0xf1, 0xc3, 0xb7, 0x80, 0x43, 0x03, 0xf3, 0x9e, 0xda, 0xee, 0x39, 0x59, 0xe9, - 0x13, 0x30, 0x66, 0x8a, 0x8e, 0x2c, 0x08, 0x67, 0x74, 0xa2, 0xeb, 0x98, 0x1c, 0xca, 0xc3, 0x3a, - 0x97, 0x39, 0xa8, 0x0a, 0x6d, 0x0e, 0x87, 0x93, 0x4f, 0x57, 0x3e, 0x4e, 0x96, 0x76, 0xc1, 0x98, - 0x09, 0x30, 0xf4, 0xb6, 0xbc, 0x04, 0x06, 0x4e, 0x20, 0xf8, 0xa4, 0x47, 0xc6, 0x62, 0x68, 0xfe, - 0x42, 0x11, 0xf2, 0x91, 0xb0, 0x3e, 0x16, 0xc3, 0x52, 0x0f, 0xa6, 0x27, 0x84, 0x2a, 0x60, 0xc8, - 0xba, 0x14, 0x50, 0x7e, 0x4e, 0xb9, 0x6c, 0xe9, 0xa4, 0x79, 0xb3, 0x22, 0x59, 0x79, 0x02, 0x4a, - 0xb8, 0x35, 0x54, 0x25, 0x34, 0x87, 0xf5, 0x4c, 0xd6, 0xc4, 0x28, 0x19, 0x74, 0x4d, 0xd4, 0xd3, - 0xd2, 0xa7, 0x90, 0x9f, 0xdd, 0x8c, 0xff, 0xc4, 0xa1, 0xea, 0x5f, 0x93, 0x90, 0x8b, 0x0f, 0x0c, - 0x7d, 0x08, 0x1b, 0xed, 0xee, 0xd1, 0xc3, 0xfa, 0x71, 0xfb, 0xe8, 0xb0, 0xd7, 0x6c, 0x7d, 0x51, - 0xff, 0xea, 0xe1, 0x71, 0x31, 0x51, 0x7a, 0xf3, 0xe2, 0xb2, 0xb2, 0x39, 0xbd, 0x1b, 0x22, 0x78, - 0x93, 0x9e, 0x92, 0xb1, 0x2b, 0xe6, 0x59, 0x1d, 0x7c, 0xb4, 0xd7, 0xea, 0x76, 0x8b, 0xc9, 0x65, - 0xac, 0x0e, 0x67, 0x16, 0x0d, 0x02, 0xb4, 0x0b, 0xc5, 0x29, 0xeb, 0xe0, 0x71, 0xa7, 0x85, 0x4f, - 0x8a, 0x2b, 0xa5, 0x37, 0x2e, 0x2e, 0x2b, 0xe6, 0xb3, 0xa4, 0x83, 0x89, 0x4f, 0xf9, 0x89, 0x7e, - 0xd6, 0xfd, 0x23, 0x09, 0xf9, 0xd9, 0x5e, 0x1a, 0xed, 0x85, 0x1d, 0xb4, 0xf2, 0x78, 0x7d, 0x77, - 0xe7, 0xb6, 0xde, 0x5b, 0xdd, 0xc7, 0xee, 0x58, 0xea, 0x7d, 0x24, 0x1f, 0xf0, 0x8a, 0x8c, 0x3e, - 0x84, 0x35, 0x9f, 0x71, 0x11, 0xdd, 0x5c, 0x8b, 0x8b, 0x3a, 0xe3, 0x51, 0x73, 0x13, 0x82, 0xab, - 0x43, 0x58, 0x9f, 0xd7, 0x86, 0xee, 0xc3, 0xea, 0x49, 0xbb, 0x53, 0x4c, 0x94, 0xee, 0x5d, 0x5c, - 0x56, 0x5e, 0x9f, 0xff, 0x78, 0xe2, 0x70, 0x31, 0x26, 0x6e, 0xbb, 0x83, 0xde, 0x87, 0xb5, 0xe6, - 0x61, 0x17, 0xe3, 0x62, 0xb2, 0xb4, 0x75, 0x71, 0x59, 0xb9, 0x37, 0x8f, 0x93, 0x9f, 0xd8, 0xd8, - 0xb3, 0x31, 0xeb, 0xc7, 0x8f, 0xd9, 0x7f, 0xae, 0x80, 0xa1, 0x2f, 0xf4, 0x97, 0xfd, 0xbf, 0xa3, - 0x10, 0x36, 0x87, 0x51, 0x1d, 0x5a, 0xb9, 0xb5, 0x47, 0xcc, 0x87, 0x04, 0x1d, 0xd3, 0x6f, 0x41, - 0xde, 0xf1, 0xcf, 0x3f, 0xea, 0x51, 0x8f, 0xf4, 0x5d, 0xfd, 0xae, 0xcd, 0x62, 0x43, 0xca, 0x5a, - 0xa1, 0x48, 0x5e, 0xd1, 0x8e, 0x27, 0x28, 0xf7, 0xf4, 0x8b, 0x35, 0x8b, 0xe3, 0x39, 0xfa, 0x1c, - 0x52, 0x8e, 0x4f, 0x46, 0xba, 0xb1, 0x5d, 0xe8, 0x41, 0xbb, 0x53, 0x7f, 0xa4, 0x73, 0xae, 0x91, - 0xbd, 0xbe, 0xda, 0x4a, 0x49, 0x01, 0x56, 0x34, 0x54, 0x8e, 0x5e, 0x1d, 0x72, 0x25, 0x75, 0xad, - 0x67, 0xf1, 0x8c, 0x44, 0xe6, 0x8d, 0xe3, 0x0d, 0x38, 0x0d, 0x02, 0x75, 0xc1, 0x67, 0x71, 0x34, - 0x45, 0x25, 0xc8, 0xe8, 0x0e, 0x55, 0x3d, 0x56, 0x72, 0xb2, 0xef, 0xd7, 0x82, 0x46, 0x01, 0x8c, - 0x70, 0x37, 0x7a, 0xa7, 0x9c, 0x8d, 0xaa, 0xff, 0x4a, 0x81, 0xb1, 0xe7, 0x8e, 0x03, 0xa1, 0xbb, - 0x9f, 0x97, 0xb6, 0xf9, 0x8f, 0x61, 0x83, 0xa8, 0xff, 0x27, 0xc4, 0x93, 0xd7, 0xa5, 0x6a, 0xfc, - 0xf5, 0x01, 0xdc, 0x5f, 0xa8, 0x2e, 0x06, 0x87, 0x8f, 0x84, 0x46, 0x5a, 0xea, 0x34, 0x93, 0xb8, - 0x48, 0x6e, 0x7c, 0x41, 0x5d, 0x28, 0x30, 0x6e, 0x0d, 0x69, 0x20, 0xc2, 0x4b, 0x56, 0xff, 0x6f, - 0x58, 0xf8, 0x27, 0xea, 0x68, 0x16, 0xa8, 0xef, 0x96, 0xd0, 0xda, 0x79, 0x1d, 0xe8, 0x63, 0x48, - 0x71, 0x72, 0x1a, 0x3d, 0x62, 0x16, 0x26, 0x09, 0x26, 0xa7, 0x62, 0x4e, 0x85, 0x62, 0xa0, 0x2f, - 0x01, 0x6c, 0x27, 0xf0, 0x89, 0xb0, 0x86, 0x94, 0xeb, 0xc3, 0x5e, 0xe8, 0x62, 0x33, 0x46, 0xcd, - 0x69, 0x99, 0x61, 0xa3, 0x07, 0x90, 0xb3, 0x48, 0x14, 0xae, 0xe9, 0xe5, 0x3f, 0x61, 0xf6, 0xea, - 0x5a, 0x45, 0x51, 0xaa, 0xb8, 0xbe, 0xda, 0xca, 0x46, 0x12, 0x9c, 0xb5, 0x88, 0x0e, 0xdf, 0x07, - 0x50, 0x10, 0x24, 0x38, 0xeb, 0xd9, 0x61, 0x39, 0x0b, 0xc3, 0x64, 0xc9, 0x5d, 0x29, 0xdf, 0xba, - 0xba, 0xec, 0x45, 0xc7, 0x99, 0x17, 0x33, 0x32, 0xf4, 0x4b, 0xd8, 0xa0, 0x9e, 0xc5, 0x27, 0x2a, - 0x58, 0x23, 0x0b, 0xb3, 0xcb, 0x9d, 0x6d, 0xc5, 0xe0, 0x39, 0x67, 0x8b, 0xf4, 0x86, 0xbc, 0xfa, - 0xb7, 0x24, 0x40, 0xd8, 0x9c, 0xbc, 0xdc, 0x00, 0x44, 0x90, 0xb2, 0x89, 0x20, 0x2a, 0xe6, 0xf2, - 0x58, 0x8d, 0xd1, 0xa7, 0x00, 0x82, 0x8e, 0x7c, 0x59, 0x7a, 0xbd, 0x81, 0x0e, 0x9b, 0xe7, 0x95, - 0x83, 0x19, 0x34, 0xda, 0x85, 0xb4, 0x7e, 0x6a, 0xa6, 0x6e, 0xe5, 0x69, 0x64, 0xf5, 0x4f, 0x49, - 0x80, 0xd0, 0xcd, 0xff, 0x69, 0xdf, 0x1a, 0xf7, 0x9f, 0xfc, 0x50, 0x4e, 0x7c, 0xff, 0x43, 0x39, - 0xf1, 0xbb, 0xeb, 0x72, 0xf2, 0xc9, 0x75, 0x39, 0xf9, 0xdd, 0x75, 0x39, 0xf9, 0xf7, 0xeb, 0x72, - 0xf2, 0x0f, 0x4f, 0xcb, 0x89, 0xef, 0x9e, 0x96, 0x13, 0xdf, 0x3f, 0x2d, 0x27, 0xfa, 0x69, 0xd5, - 0xde, 0xfe, 0xf8, 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x91, 0x6d, 0x50, 0x31, 0x7b, 0x17, 0x00, - 0x00, + // 2311 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0x4d, 0x73, 0x1b, 0xc7, + 0xd1, 0x06, 0x48, 0x10, 0x1f, 0xbd, 0x00, 0x05, 0x8e, 0x65, 0x7b, 0x09, 0xc9, 0x20, 0x0c, 0xcb, + 0x36, 0x6d, 0xd7, 0x0b, 0xd6, 0xcb, 0xb8, 0x1c, 0x7f, 0xc4, 0x49, 0x00, 0x02, 0x96, 0x60, 0x49, + 0x14, 0x6a, 0x40, 0x2b, 0x51, 0x55, 0xaa, 0x50, 0x83, 0xdd, 0x21, 0xb0, 0xe1, 0x62, 0x67, 0x33, + 0x3b, 0xa0, 0x8d, 0x5b, 0x8e, 0x2e, 0xe6, 0x92, 0x3f, 0xc0, 0x53, 0x2a, 0xa7, 0x5c, 0x92, 0x4b, + 0x7e, 0x83, 0x8f, 0x3e, 0x3a, 0x17, 0x56, 0x4c, 0xff, 0x84, 0xdc, 0x72, 0x49, 0x6a, 0x66, 0x67, + 0x17, 0x0b, 0x0a, 0x10, 0x95, 0x8a, 0x0e, 0xb9, 0xcd, 0xf4, 0x3e, 0x4f, 0x4f, 0xf7, 0x4c, 0x77, + 0x4f, 0xcf, 0xc2, 0xbb, 0x23, 0x47, 0x8c, 0xa7, 0xc3, 0x86, 0xc5, 0x26, 0x7b, 0x36, 0xb3, 0x4e, + 0x28, 0xdf, 0x0b, 0xbe, 0x24, 0x7c, 0x72, 0xe2, 0x88, 0x3d, 0xe2, 0x3b, 0x7b, 0x81, 0x4f, 0xad, + 0xa0, 0xe1, 0x73, 0x26, 0x18, 0x42, 0x21, 0xa0, 0x11, 0x01, 0x1a, 0xa7, 0xff, 0x5f, 0xb9, 0x8e, + 0x2f, 0x66, 0x3e, 0xd5, 0xfc, 0xca, 0xcd, 0x11, 0x1b, 0x31, 0x35, 0xdc, 0x93, 0x23, 0x2d, 0xad, + 0x8e, 0x18, 0x1b, 0xb9, 0x74, 0x4f, 0xcd, 0x86, 0xd3, 0xe3, 0x3d, 0x7b, 0xca, 0x89, 0x70, 0x98, + 0xa7, 0xbf, 0x6f, 0x5f, 0xfd, 0x4e, 0xbc, 0xd9, 0x2a, 0xea, 0x97, 0x9c, 0xf8, 0x3e, 0xe5, 0x7a, + 0xc1, 0xfa, 0x79, 0x06, 0xf2, 0x87, 0xcc, 0xa6, 0x7d, 0x9f, 0x5a, 0xe8, 0x2e, 0x18, 0xc4, 0xf3, + 0x98, 0x50, 0xba, 0x03, 0x33, 0x5d, 0x4b, 0xef, 0x1a, 0xfb, 0x3b, 0x8d, 0xa7, 0x7d, 0x6a, 0x34, + 0xe7, 0xb0, 0x56, 0xe6, 0x9b, 0x8b, 0x9d, 0x14, 0x4e, 0x32, 0xd1, 0xcf, 0xa0, 0x68, 0xd3, 0xc0, + 0xe1, 0xd4, 0x1e, 0x70, 0xe6, 0x52, 0x73, 0xad, 0x96, 0xde, 0xdd, 0xdc, 0xbf, 0xbd, 0x4c, 0x93, + 0x5c, 0x1c, 0x33, 0x97, 0x62, 0x43, 0x33, 0xe4, 0x04, 0xdd, 0x05, 0x98, 0xd0, 0xc9, 0x90, 0xf2, + 0x60, 0xec, 0xf8, 0xe6, 0xba, 0xa2, 0xbf, 0xbd, 0x8a, 0x2e, 0x6d, 0x6f, 0x3c, 0x8c, 0xe1, 0x38, + 0x41, 0x45, 0x0f, 0xa1, 0x48, 0x4e, 0x89, 0xe3, 0x92, 0xa1, 0xe3, 0x3a, 0x62, 0x66, 0x66, 0x94, + 0xaa, 0x77, 0x9e, 0xa9, 0xaa, 0x99, 0x20, 0xe0, 0x05, 0x7a, 0xdd, 0x06, 0x98, 0x2f, 0x84, 0xde, + 0x82, 0x5c, 0xaf, 0x73, 0xd8, 0xee, 0x1e, 0xde, 0x2d, 0xa7, 0x2a, 0xdb, 0x67, 0xe7, 0xb5, 0x97, + 0xa5, 0x8e, 0x39, 0xa0, 0x47, 0x3d, 0xdb, 0xf1, 0x46, 0x68, 0x17, 0xf2, 0xcd, 0x83, 0x83, 0x4e, + 0xef, 0xa8, 0xd3, 0x2e, 0xa7, 0x2b, 0x95, 0xb3, 0xf3, 0xda, 0x2b, 0x8b, 0xc0, 0xa6, 0x65, 0x51, + 0x5f, 0x50, 0xbb, 0x92, 0xf9, 0xfa, 0x0f, 0xd5, 0x54, 0xfd, 0xeb, 0x34, 0x14, 0x93, 0x46, 0xa0, + 0xb7, 0x20, 0xdb, 0x3c, 0x38, 0xea, 0x3e, 0xee, 0x94, 0x53, 0x73, 0x7a, 0x12, 0xd1, 0xb4, 0x84, + 0x73, 0x4a, 0xd1, 0x1d, 0xd8, 0xe8, 0x35, 0xbf, 0xe8, 0x77, 0xca, 0xe9, 0xb9, 0x39, 0x49, 0x58, + 0x8f, 0x4c, 0x03, 0x85, 0x6a, 0xe3, 0x66, 0xf7, 0xb0, 0xbc, 0xb6, 0x1c, 0xd5, 0xe6, 0xc4, 0xf1, + 0xb4, 0x29, 0x7f, 0xda, 0x00, 0xa3, 0x4f, 0xf9, 0xa9, 0x63, 0xbd, 0xe0, 0x10, 0xf9, 0x00, 0x32, + 0x82, 0x04, 0x27, 0x2a, 0x34, 0x8c, 0xe5, 0xa1, 0x71, 0x44, 0x82, 0x13, 0xb9, 0xa8, 0xa6, 0x2b, + 0xbc, 0x8c, 0x0c, 0x4e, 0x7d, 0xd7, 0xb1, 0x88, 0xa0, 0xb6, 0x8a, 0x0c, 0x63, 0xff, 0xcd, 0x65, + 0x6c, 0x1c, 0xa3, 0xb4, 0xfd, 0xf7, 0x52, 0x38, 0x41, 0x45, 0x9f, 0x40, 0x76, 0xe4, 0xb2, 0x21, + 0x71, 0x55, 0x4c, 0x18, 0xfb, 0xaf, 0x2f, 0x53, 0x72, 0x57, 0x21, 0xe6, 0x0a, 0x34, 0x05, 0x7d, + 0x0e, 0x9b, 0x73, 0x55, 0x83, 0x5f, 0xb3, 0xa1, 0x09, 0xab, 0x95, 0xcc, 0x2d, 0xf9, 0x9c, 0x0d, + 0xef, 0xa5, 0x70, 0x89, 0x27, 0x05, 0xe8, 0xa7, 0x00, 0xa1, 0x56, 0xa5, 0xc7, 0x50, 0x7a, 0x5e, + 0x5b, 0x6d, 0x4c, 0xa8, 0xa3, 0x30, 0x8a, 0x26, 0xe8, 0x43, 0xc8, 0x4e, 0x7d, 0x9b, 0x08, 0x6a, + 0x66, 0x15, 0xb7, 0xb6, 0x8c, 0xfb, 0x85, 0x42, 0x1c, 0x30, 0xef, 0xd8, 0x19, 0x61, 0x8d, 0x47, + 0x3f, 0x81, 0x3c, 0x67, 0xae, 0x3b, 0x24, 0xd6, 0x89, 0x59, 0x78, 0x4e, 0x6e, 0xcc, 0x40, 0xf7, + 0x21, 0xef, 0x51, 0xf1, 0x25, 0xe3, 0x27, 0x81, 0x99, 0xab, 0xad, 0xef, 0x1a, 0xfb, 0xef, 0x2d, + 0x4d, 0xab, 0x10, 0xd3, 0x14, 0x82, 0x58, 0xe3, 0x09, 0xf5, 0x44, 0xa8, 0xa8, 0xb5, 0x66, 0xa6, + 0x71, 0xac, 0x40, 0x9a, 0x42, 0x3d, 0xdb, 0x67, 0x8e, 0x27, 0xcc, 0xfc, 0x6a, 0x53, 0x3a, 0x1a, + 0x23, 0xc3, 0x02, 0xc7, 0x8c, 0x56, 0x16, 0x32, 0x13, 0x66, 0xd3, 0xfa, 0x1e, 0x6c, 0x3d, 0x75, + 0xec, 0xa8, 0x02, 0x79, 0xbd, 0xe1, 0x61, 0xbc, 0x66, 0x70, 0x3c, 0xaf, 0xdf, 0x80, 0xd2, 0xc2, + 0x11, 0xd7, 0x2d, 0x28, 0x2d, 0x1c, 0x17, 0x7a, 0x13, 0x36, 0x27, 0xe4, 0xab, 0x81, 0xc5, 0x3c, + 0x6b, 0xca, 0x39, 0xf5, 0x84, 0xd6, 0x51, 0x9a, 0x90, 0xaf, 0x0e, 0x62, 0x21, 0x7a, 0x0f, 0xb6, + 0x04, 0x13, 0xc4, 0x1d, 0x58, 0x6c, 0xe2, 0xbb, 0x34, 0xcc, 0x8e, 0x35, 0x85, 0x2c, 0xab, 0x0f, + 0x07, 0x73, 0x79, 0xdd, 0x80, 0x42, 0x7c, 0x96, 0xf5, 0x3f, 0x6f, 0x40, 0x3e, 0x8a, 0x74, 0x74, + 0x1f, 0x80, 0xc4, 0x1b, 0xa5, 0x37, 0xe2, 0x9d, 0xe7, 0xda, 0x55, 0x49, 0x97, 0x11, 0x3e, 0xa7, + 0xa3, 0x26, 0x14, 0x2c, 0xe6, 0x09, 0xe2, 0x78, 0x94, 0xeb, 0x4c, 0x5d, 0x1a, 0x9f, 0x07, 0x11, + 0x48, 0xeb, 0x98, 0xb3, 0x50, 0x0b, 0x72, 0x23, 0xea, 0x51, 0xee, 0x58, 0x3a, 0xc0, 0xdf, 0x5a, + 0x1a, 0x98, 0x21, 0x04, 0x4f, 0x3d, 0xe1, 0x4c, 0xa8, 0xd6, 0x12, 0x11, 0xd1, 0x67, 0x50, 0xe0, + 0x34, 0x60, 0x53, 0x6e, 0xd1, 0x40, 0xa7, 0xfb, 0xee, 0xf2, 0x34, 0x09, 0x41, 0x98, 0xfe, 0x66, + 0xea, 0x70, 0x2a, 0x5d, 0x08, 0xf0, 0x9c, 0x8a, 0x3e, 0x81, 0x1c, 0xa7, 0x81, 0x20, 0x5c, 0x3c, + 0x2b, 0x63, 0x71, 0x08, 0xe9, 0x31, 0xd7, 0xb1, 0x66, 0x38, 0x62, 0xa0, 0x4f, 0xa0, 0xe0, 0xbb, + 0xc4, 0x52, 0x5a, 0xcd, 0x8d, 0xd5, 0x39, 0xd6, 0x8b, 0x40, 0x78, 0x8e, 0x47, 0x1f, 0x01, 0xb8, + 0x6c, 0x34, 0xb0, 0xb9, 0x73, 0x4a, 0xb9, 0xce, 0xb2, 0xca, 0x32, 0x76, 0x5b, 0x21, 0x70, 0xc1, + 0x65, 0xa3, 0x70, 0x88, 0xee, 0xfe, 0x57, 0x49, 0x92, 0x48, 0x90, 0xd7, 0xa1, 0x78, 0xcc, 0xb8, + 0x45, 0x07, 0x3a, 0xd7, 0x0b, 0x2a, 0xb6, 0x0c, 0x25, 0x0b, 0x13, 0x14, 0xfd, 0x0a, 0x5e, 0x8a, + 0x76, 0x6b, 0xc0, 0xe9, 0x31, 0xe5, 0xd4, 0x93, 0x5b, 0x6e, 0xa8, 0x65, 0xdf, 0x7c, 0xf6, 0x96, + 0x6b, 0xb4, 0x2e, 0xb5, 0x88, 0x5f, 0xfd, 0x10, 0xb4, 0x0a, 0x90, 0xe3, 0xe1, 0x01, 0xd7, 0x7f, + 0x97, 0x96, 0x79, 0x76, 0x05, 0x81, 0xf6, 0xc0, 0x88, 0x97, 0x77, 0x6c, 0x15, 0x70, 0x85, 0xd6, + 0xe6, 0xe5, 0xc5, 0x0e, 0x44, 0xd8, 0x6e, 0x5b, 0x56, 0x60, 0x3d, 0xb6, 0x51, 0x07, 0x4a, 0x31, + 0x41, 0x36, 0x41, 0xba, 0x4d, 0xa8, 0x3d, 0xcb, 0xd2, 0xa3, 0x99, 0x4f, 0x71, 0x91, 0x27, 0x66, + 0xf5, 0x5f, 0x02, 0x7a, 0x3a, 0x00, 0x11, 0x82, 0xcc, 0x89, 0xe3, 0x69, 0x33, 0xb0, 0x1a, 0xa3, + 0x06, 0xe4, 0x7c, 0x32, 0x73, 0x19, 0xb1, 0x75, 0x1c, 0xde, 0x6c, 0x84, 0xed, 0x51, 0x23, 0x6a, + 0x8f, 0x1a, 0x4d, 0x6f, 0x86, 0x23, 0x50, 0xfd, 0x3e, 0xbc, 0xbc, 0x34, 0xcf, 0xd0, 0x3e, 0x14, + 0xe3, 0x1c, 0x99, 0xfb, 0x7a, 0xe3, 0xf2, 0x62, 0xc7, 0x88, 0x93, 0xa9, 0xdb, 0xc6, 0x46, 0x0c, + 0xea, 0xda, 0xf5, 0xbf, 0x96, 0xa0, 0xb4, 0x90, 0x69, 0xe8, 0x26, 0x6c, 0x38, 0x13, 0x32, 0xa2, + 0xda, 0xc6, 0x70, 0x82, 0x3a, 0x90, 0x75, 0xc9, 0x90, 0xba, 0x32, 0x57, 0xe4, 0xc1, 0xfd, 0xdf, + 0xb5, 0x29, 0xdb, 0x78, 0xa0, 0xf0, 0x1d, 0x4f, 0xf0, 0x19, 0xd6, 0x64, 0x64, 0x42, 0xce, 0x62, + 0x93, 0x09, 0xf1, 0xe4, 0x25, 0xb9, 0xbe, 0x5b, 0xc0, 0xd1, 0x54, 0xee, 0x0c, 0xe1, 0xa3, 0xc0, + 0xcc, 0x28, 0xb1, 0x1a, 0xcb, 0x1a, 0x39, 0x66, 0x81, 0xf0, 0xc8, 0x84, 0x9a, 0x9b, 0xca, 0x9a, + 0x78, 0x8e, 0xca, 0xb0, 0x4e, 0xbd, 0x53, 0x73, 0x43, 0xc1, 0xe5, 0x50, 0x4a, 0x6c, 0x27, 0x4c, + 0x84, 0x02, 0x96, 0x43, 0xa9, 0x73, 0x1a, 0x50, 0x6e, 0xe6, 0xc2, 0xdd, 0x96, 0x63, 0xf4, 0x0a, + 0x64, 0x47, 0x9c, 0x4d, 0xfd, 0x30, 0x02, 0x0b, 0x58, 0xcf, 0xe4, 0x7d, 0xe7, 0x73, 0xe7, 0xd4, + 0x71, 0xe9, 0x88, 0x06, 0xe6, 0x2b, 0xea, 0x20, 0xaa, 0x4b, 0x73, 0x31, 0x46, 0xe1, 0x04, 0x03, + 0x35, 0x20, 0xe3, 0x78, 0x8e, 0x30, 0x5f, 0xd5, 0x79, 0x78, 0xf5, 0x08, 0x5b, 0x8c, 0xb9, 0x8f, + 0x89, 0x3b, 0xa5, 0x58, 0xe1, 0xd0, 0x36, 0xac, 0x0b, 0x31, 0x33, 0x4b, 0xb5, 0xf4, 0x6e, 0xbe, + 0x95, 0xbb, 0xbc, 0xd8, 0x59, 0x3f, 0x3a, 0x7a, 0x82, 0xa5, 0x0c, 0xbd, 0x06, 0xc0, 0x7c, 0xea, + 0x0d, 0x02, 0x61, 0x3b, 0x9e, 0x89, 0x24, 0x02, 0x17, 0xa4, 0xa4, 0x2f, 0x05, 0xe8, 0x96, 0xac, + 0x5c, 0xc4, 0x1e, 0x30, 0xcf, 0x9d, 0x99, 0x2f, 0xa9, 0xaf, 0x79, 0x29, 0x78, 0xe4, 0xb9, 0x33, + 0xb4, 0x03, 0x46, 0x20, 0x98, 0x3f, 0x08, 0x9c, 0x91, 0x47, 0x5c, 0xf3, 0xa6, 0xf2, 0x1c, 0xa4, + 0xa8, 0xaf, 0x24, 0xe8, 0xc7, 0x90, 0x9d, 0xb0, 0xa9, 0x27, 0x02, 0x33, 0xaf, 0x0e, 0x72, 0x7b, + 0x99, 0x8f, 0x0f, 0x25, 0x42, 0x67, 0x9d, 0x86, 0xa3, 0x0e, 0x6c, 0x29, 0xcd, 0x23, 0x4e, 0x2c, + 0x3a, 0xf0, 0x29, 0x77, 0x98, 0xad, 0xef, 0xe7, 0xed, 0xa7, 0xbc, 0x6d, 0xeb, 0xa7, 0x00, 0xbe, + 0x21, 0x39, 0x77, 0x25, 0xa5, 0xa7, 0x18, 0xa8, 0x07, 0x45, 0x7f, 0xea, 0xba, 0x03, 0xe6, 0x87, + 0xb7, 0x51, 0x58, 0xc0, 0x9f, 0x23, 0x9c, 0x7a, 0x53, 0xd7, 0x7d, 0x14, 0x92, 0xb0, 0xe1, 0xcf, + 0x27, 0xe8, 0x53, 0xc8, 0x05, 0xd4, 0xe2, 0x54, 0x04, 0x66, 0x51, 0xb9, 0xf4, 0xc6, 0x32, 0x65, + 0x7d, 0x05, 0x89, 0xeb, 0x02, 0x8e, 0x38, 0x92, 0x6e, 0xa9, 0xb2, 0x16, 0x98, 0x2f, 0xaf, 0xa6, + 0xeb, 0xca, 0x37, 0xa7, 0x6b, 0x8e, 0x4c, 0x17, 0x19, 0x93, 0x81, 0xb9, 0xa5, 0xc2, 0x29, 0x9c, + 0xa0, 0x27, 0x00, 0xb6, 0x17, 0x0c, 0x42, 0x90, 0x79, 0x43, 0xf9, 0xf8, 0xde, 0xf5, 0x3e, 0xb6, + 0x0f, 0xfb, 0xba, 0x0f, 0x29, 0x5d, 0x5e, 0xec, 0x14, 0xe2, 0x29, 0x2e, 0xd8, 0x5e, 0x10, 0x0e, + 0x51, 0x0b, 0x8c, 0x31, 0x25, 0xae, 0x18, 0x5b, 0x63, 0x6a, 0x9d, 0x98, 0xe5, 0xd5, 0x6d, 0xc9, + 0x3d, 0x05, 0xd3, 0x1a, 0x92, 0x24, 0xd4, 0x85, 0x82, 0x13, 0x30, 0x57, 0x1d, 0x91, 0x69, 0xaa, + 0xfa, 0xf6, 0x1c, 0xd6, 0x75, 0x23, 0x0a, 0x9e, 0xb3, 0xd1, 0x6d, 0x28, 0xf8, 0x8e, 0x1d, 0x3c, + 0x70, 0x26, 0x8e, 0x30, 0xb7, 0x6b, 0xe9, 0xdd, 0x75, 0x3c, 0x17, 0xa0, 0x7b, 0x90, 0x0b, 0x66, + 0x81, 0x25, 0xdc, 0xc0, 0xac, 0xa8, 0xcd, 0x6d, 0x5c, 0xbf, 0x4c, 0x3f, 0x24, 0x84, 0x85, 0x23, + 0xa2, 0xcb, 0x8e, 0xc7, 0x22, 0xbe, 0x7e, 0x0b, 0x0c, 0x88, 0x6d, 0x9b, 0xb7, 0xd4, 0x86, 0x97, + 0xe6, 0xd2, 0xa6, 0x6d, 0xa3, 0xb7, 0xe1, 0x46, 0x02, 0x66, 0x73, 0xe6, 0x9b, 0xb7, 0x15, 0x2e, + 0xc1, 0x6e, 0x73, 0xe6, 0x57, 0x3e, 0x02, 0x23, 0x51, 0xa0, 0x64, 0xf1, 0x38, 0xa1, 0x33, 0x5d, + 0xf3, 0xe4, 0x50, 0x1e, 0xec, 0xa9, 0xcc, 0x57, 0x55, 0x94, 0x0b, 0x38, 0x9c, 0x7c, 0xbc, 0xf6, + 0x61, 0xba, 0xb2, 0x0f, 0x46, 0x22, 0x18, 0xd1, 0x1b, 0xf2, 0xc2, 0x18, 0x39, 0x81, 0xe0, 0xb3, + 0x01, 0x99, 0x8a, 0xb1, 0xf9, 0x73, 0x45, 0x28, 0x46, 0xc2, 0xe6, 0x54, 0x8c, 0x2b, 0x03, 0x98, + 0x9f, 0x26, 0xaa, 0x81, 0x21, 0x6b, 0x58, 0x40, 0xf9, 0x29, 0xe5, 0xb2, 0xfd, 0x93, 0x06, 0x26, + 0x45, 0xb2, 0x4a, 0x05, 0x94, 0x70, 0x6b, 0xac, 0xca, 0x6d, 0x01, 0xeb, 0x99, 0xac, 0x9f, 0x51, + 0xe2, 0xe8, 0xfa, 0xa9, 0xa7, 0x95, 0x8f, 0xa1, 0x98, 0xdc, 0xb8, 0xff, 0xc4, 0xa1, 0xfa, 0x5f, + 0xd2, 0x50, 0x88, 0x0f, 0x17, 0xbd, 0x0f, 0x5b, 0xdd, 0xfe, 0xa3, 0x07, 0xcd, 0xa3, 0xee, 0xa3, + 0xc3, 0x41, 0xbb, 0xf3, 0x59, 0xf3, 0x8b, 0x07, 0x47, 0xe5, 0x54, 0xe5, 0xb5, 0xb3, 0xf3, 0xda, + 0xf6, 0xfc, 0x1e, 0x89, 0xe0, 0x6d, 0x7a, 0x4c, 0xa6, 0xae, 0x58, 0x64, 0xf5, 0xf0, 0xa3, 0x83, + 0x4e, 0xbf, 0x5f, 0x4e, 0xaf, 0x62, 0xf5, 0x38, 0xb3, 0x68, 0x10, 0xa0, 0x7d, 0x28, 0xcf, 0x59, + 0xf7, 0x9e, 0xf4, 0x3a, 0xf8, 0x71, 0x79, 0xad, 0x72, 0xfb, 0xec, 0xbc, 0x66, 0x3e, 0x4d, 0xba, + 0x37, 0xf3, 0x29, 0x7f, 0xac, 0x9f, 0x80, 0xff, 0x48, 0x43, 0x31, 0xd9, 0x77, 0xa3, 0x83, 0xb0, + 0xdb, 0x56, 0x1e, 0x6f, 0xee, 0xef, 0x5d, 0xd7, 0xa7, 0xab, 0xbb, 0xdb, 0x9d, 0x4a, 0xbd, 0x0f, + 0xe5, 0x63, 0x5f, 0x91, 0xd1, 0xfb, 0xb0, 0xe1, 0x33, 0x2e, 0xa2, 0x5b, 0x6e, 0xf9, 0x05, 0xc0, + 0x78, 0xd4, 0x08, 0x85, 0xe0, 0xfa, 0x18, 0x36, 0x17, 0xb5, 0xa1, 0x3b, 0xb0, 0xfe, 0xb8, 0xdb, + 0x2b, 0xa7, 0x2a, 0xb7, 0xce, 0xce, 0x6b, 0xaf, 0x2e, 0x7e, 0x7c, 0xec, 0x70, 0x31, 0x25, 0x6e, + 0xb7, 0x87, 0xde, 0x85, 0x8d, 0xf6, 0x61, 0x1f, 0xe3, 0x72, 0xba, 0xb2, 0x73, 0x76, 0x5e, 0xbb, + 0xb5, 0x88, 0x93, 0x9f, 0xd8, 0xd4, 0xb3, 0x31, 0x1b, 0xc6, 0x0f, 0xdf, 0x7f, 0xae, 0x81, 0xa1, + 0x2f, 0xff, 0x17, 0xfd, 0x6f, 0xa4, 0x14, 0x36, 0x92, 0x51, 0xcd, 0x5a, 0xbb, 0xb6, 0x9f, 0x2c, + 0x86, 0x04, 0x1d, 0xd3, 0xaf, 0x43, 0xd1, 0xf1, 0x4f, 0x3f, 0x18, 0x50, 0x8f, 0x0c, 0x5d, 0xfd, + 0x06, 0xce, 0x63, 0x43, 0xca, 0x3a, 0xa1, 0x48, 0x5e, 0xe7, 0x8e, 0x27, 0x28, 0xf7, 0xf4, 0xeb, + 0x36, 0x8f, 0xe3, 0x39, 0xfa, 0x14, 0x32, 0x8e, 0x4f, 0x26, 0xba, 0x09, 0x5e, 0xea, 0x41, 0xb7, + 0xd7, 0x7c, 0xa8, 0x73, 0xae, 0x95, 0xbf, 0xbc, 0xd8, 0xc9, 0x48, 0x01, 0x56, 0x34, 0x54, 0x8d, + 0x5e, 0x28, 0x72, 0x25, 0xd5, 0x02, 0xe4, 0x71, 0x42, 0x22, 0xf3, 0xc6, 0xf1, 0x46, 0x9c, 0x06, + 0x81, 0x6a, 0x06, 0xf2, 0x38, 0x9a, 0xa2, 0x0a, 0xe4, 0x74, 0x37, 0xab, 0x1e, 0x36, 0x05, 0xf9, + 0x46, 0xd0, 0x82, 0x56, 0x09, 0x8c, 0x70, 0x37, 0x06, 0xc7, 0x9c, 0x4d, 0xea, 0xff, 0xca, 0x80, + 0x71, 0xe0, 0x4e, 0x03, 0xa1, 0x3b, 0xa5, 0x17, 0xb6, 0xf9, 0x4f, 0x60, 0x8b, 0xa8, 0x7f, 0x2d, + 0xc4, 0x93, 0x57, 0xab, 0x7a, 0x24, 0xe8, 0x03, 0xb8, 0xb3, 0x54, 0x5d, 0x0c, 0x0e, 0x1f, 0x14, + 0xad, 0xac, 0xd4, 0x69, 0xa6, 0x71, 0x99, 0x5c, 0xf9, 0x82, 0xfa, 0x50, 0x62, 0xdc, 0x1a, 0xd3, + 0x40, 0x84, 0x17, 0xb2, 0xfe, 0x37, 0xb1, 0xf4, 0xaf, 0xd5, 0xa3, 0x24, 0x50, 0xdf, 0x43, 0xa1, + 0xb5, 0x8b, 0x3a, 0xd0, 0x87, 0x90, 0xe1, 0xe4, 0x38, 0x7a, 0xf0, 0x2c, 0x4d, 0x12, 0x4c, 0x8e, + 0xc5, 0x82, 0x0a, 0xc5, 0x40, 0x9f, 0x03, 0xd8, 0x4e, 0xe0, 0x13, 0x61, 0x8d, 0x29, 0xd7, 0x87, + 0xbd, 0xd4, 0xc5, 0x76, 0x8c, 0x5a, 0xd0, 0x92, 0x60, 0xa3, 0xfb, 0x50, 0xb0, 0x48, 0x14, 0xae, + 0xd9, 0xd5, 0x3f, 0x6c, 0x0e, 0x9a, 0x5a, 0x45, 0x59, 0xaa, 0xb8, 0xbc, 0xd8, 0xc9, 0x47, 0x12, + 0x9c, 0xb7, 0x88, 0x0e, 0xdf, 0xfb, 0x50, 0x12, 0x24, 0x38, 0x19, 0xd8, 0x61, 0x39, 0x0b, 0xc3, + 0x64, 0xc5, 0xbd, 0x2a, 0xdf, 0xc5, 0xba, 0xec, 0x45, 0xc7, 0x59, 0x14, 0x09, 0x19, 0xfa, 0x05, + 0x6c, 0x51, 0xcf, 0xe2, 0x33, 0x15, 0xac, 0x91, 0x85, 0xf9, 0xd5, 0xce, 0x76, 0x62, 0xf0, 0x82, + 0xb3, 0x65, 0x7a, 0x45, 0x5e, 0xff, 0x5b, 0x1a, 0x20, 0x6c, 0x64, 0x5e, 0x6c, 0x00, 0x22, 0xc8, + 0xd8, 0x44, 0x10, 0x15, 0x73, 0x45, 0xac, 0xc6, 0xe8, 0x63, 0x00, 0x41, 0x27, 0xbe, 0x2c, 0xbd, + 0xde, 0x48, 0x87, 0xcd, 0xb3, 0xca, 0x41, 0x02, 0x8d, 0xf6, 0x21, 0xab, 0x9f, 0xa5, 0x99, 0x6b, + 0x79, 0x1a, 0x59, 0xff, 0x63, 0x1a, 0x20, 0x74, 0xf3, 0x7f, 0xda, 0xb7, 0xd6, 0x9d, 0x6f, 0xbe, + 0xaf, 0xa6, 0xbe, 0xfb, 0xbe, 0x9a, 0xfa, 0xed, 0x65, 0x35, 0xfd, 0xcd, 0x65, 0x35, 0xfd, 0xed, + 0x65, 0x35, 0xfd, 0xf7, 0xcb, 0x6a, 0xfa, 0xf7, 0x3f, 0x54, 0x53, 0xdf, 0xfe, 0x50, 0x4d, 0x7d, + 0xf7, 0x43, 0x35, 0x35, 0xcc, 0xaa, 0x56, 0xf8, 0x47, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x92, + 0xc4, 0x34, 0xad, 0xa7, 0x17, 0x00, 0x00, } func (m *NodeSpec) Copy() *NodeSpec { @@ -1997,9 +2000,14 @@ func (m *ContainerSpec) CopyFrom(src interface{}) { } } - if o.Capabilities != nil { - m.Capabilities = make([]string, len(o.Capabilities)) - copy(m.Capabilities, o.Capabilities) + if o.CapabilityAdd != nil { + m.CapabilityAdd = make([]string, len(o.CapabilityAdd)) + copy(m.CapabilityAdd, o.CapabilityAdd) + } + + if o.CapabilityDrop != nil { + m.CapabilityDrop = make([]string, len(o.CapabilityDrop)) + copy(m.CapabilityDrop, o.CapabilityDrop) } } @@ -2983,8 +2991,8 @@ func (m *ContainerSpec) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], v) } } - if len(m.Capabilities) > 0 { - for _, s := range m.Capabilities { + if len(m.CapabilityAdd) > 0 { + for _, s := range m.CapabilityAdd { dAtA[i] = 0xda i++ dAtA[i] = 0x1 @@ -3000,6 +3008,23 @@ func (m *ContainerSpec) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } + if len(m.CapabilityDrop) > 0 { + for _, s := range m.CapabilityDrop { + dAtA[i] = 0xe2 + i++ + dAtA[i] = 0x1 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -3814,8 +3839,14 @@ func (m *ContainerSpec) Size() (n int) { n += mapEntrySize + 2 + sovSpecs(uint64(mapEntrySize)) } } - if len(m.Capabilities) > 0 { - for _, s := range m.Capabilities { + if len(m.CapabilityAdd) > 0 { + for _, s := range m.CapabilityAdd { + l = len(s) + n += 2 + l + sovSpecs(uint64(l)) + } + } + if len(m.CapabilityDrop) > 0 { + for _, s := range m.CapabilityDrop { l = len(s) n += 2 + l + sovSpecs(uint64(l)) } @@ -4243,7 +4274,8 @@ func (this *ContainerSpec) String() string { `Isolation:` + fmt.Sprintf("%v", this.Isolation) + `,`, `PidsLimit:` + fmt.Sprintf("%v", this.PidsLimit) + `,`, `Sysctls:` + mapStringForSysctls + `,`, - `Capabilities:` + fmt.Sprintf("%v", this.Capabilities) + `,`, + `CapabilityAdd:` + fmt.Sprintf("%v", this.CapabilityAdd) + `,`, + `CapabilityDrop:` + fmt.Sprintf("%v", this.CapabilityDrop) + `,`, `}`, }, "") return s @@ -6891,7 +6923,7 @@ func (m *ContainerSpec) Unmarshal(dAtA []byte) error { iNdEx = postIndex case 27: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Capabilities", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field CapabilityAdd", wireType) } var stringLen uint64 for shift := uint(0); ; shift += 7 { @@ -6919,7 +6951,39 @@ func (m *ContainerSpec) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Capabilities = append(m.Capabilities, string(dAtA[iNdEx:postIndex])) + m.CapabilityAdd = append(m.CapabilityAdd, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 28: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CapabilityDrop", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowSpecs + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthSpecs + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthSpecs + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CapabilityDrop = append(m.CapabilityDrop, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex default: iNdEx = preIndex diff --git a/vendor/github.com/docker/swarmkit/api/specs.proto b/vendor/github.com/docker/swarmkit/api/specs.proto index a0510d5e02..5624c88f0f 100644 --- a/vendor/github.com/docker/swarmkit/api/specs.proto +++ b/vendor/github.com/docker/swarmkit/api/specs.proto @@ -356,8 +356,10 @@ message ContainerSpec { // https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime map sysctls = 26; - // Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities) - repeated string capabilities = 27; + // CapabilityAdd sets the list of capabilities to add to the default capability list + repeated string capability_add = 27; + // CapabilityAdd sets the list of capabilities to drop from the default capability list + repeated string capability_drop = 28; } // EndpointSpec defines the properties that can be configured to From 24f173a003727611aa482a55b812e0e39c67be65 Mon Sep 17 00:00:00 2001 From: Brian Goff Date: Thu, 23 Jul 2020 11:03:15 -0700 Subject: [PATCH 2/2] Replace service "Capabilities" w/ add/drop API After dicussing with maintainers, it was decided putting the burden of providing the full cap list on the client is not a good design. Instead we decided to follow along with the container API and use cap add/drop. This brings in the changes already merged into swarmkit. Signed-off-by: Brian Goff --- .../router/container/container_routes.go | 3 - api/server/router/swarm/helpers.go | 3 +- api/swagger.yaml | 24 ++-- api/types/container/host_config.go | 1 - api/types/swarm/container.go | 15 +- daemon/cluster/convert/container.go | 80 +++++------ .../cluster/executor/container/container.go | 3 +- daemon/container.go | 9 -- daemon/oci_linux.go | 1 - daemon/oci_windows.go | 2 +- docs/api/version-history.md | 17 +-- integration/container/create_test.go | 128 ------------------ integration/internal/swarm/service.go | 5 +- integration/service/create_test.go | 17 ++- oci/caps/utils.go | 8 +- 15 files changed, 86 insertions(+), 230 deletions(-) diff --git a/api/server/router/container/container_routes.go b/api/server/router/container/container_routes.go index 67205071f4..5001bc0509 100644 --- a/api/server/router/container/container_routes.go +++ b/api/server/router/container/container_routes.go @@ -489,9 +489,6 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo // Ignore KernelMemoryTCP because it was added in API 1.40. hostConfig.KernelMemoryTCP = 0 - // Ignore Capabilities because it was added in API 1.40. - hostConfig.Capabilities = nil - // Older clients (API < 1.40) expects the default to be shareable, make them happy if hostConfig.IpcMode.IsEmpty() { hostConfig.IpcMode = container.IpcMode("shareable") diff --git a/api/server/router/swarm/helpers.go b/api/server/router/swarm/helpers.go index e93ce2af94..60b8f40233 100644 --- a/api/server/router/swarm/helpers.go +++ b/api/server/router/swarm/helpers.go @@ -99,7 +99,8 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) { if service.TaskTemplate.ContainerSpec != nil { // Capabilities for docker swarm services weren't // supported before API version 1.41 - service.TaskTemplate.ContainerSpec.Capabilities = nil + service.TaskTemplate.ContainerSpec.CapabilityAdd = nil + service.TaskTemplate.ContainerSpec.CapabilityDrop = nil } if service.TaskTemplate.Resources != nil && service.TaskTemplate.Resources.Limits != nil { // Limits.Pids not supported before API version 1.41 diff --git a/api/swagger.yaml b/api/swagger.yaml index 1f06db83b4..8cdde61f87 100644 --- a/api/swagger.yaml +++ b/api/swagger.yaml @@ -906,15 +906,6 @@ definitions: $ref: "#/definitions/Mount" # Applicable to UNIX platforms - Capabilities: - type: "array" - description: | - A list of kernel capabilities to be available for container (this - overrides the default set). - - Conflicts with options 'CapAdd' and 'CapDrop'" - items: - type: "string" CapAdd: type: "array" description: | @@ -3276,11 +3267,11 @@ definitions: additionalProperties: type: "string" # This option is not used by Windows containers - Capabilities: + CapabilityAdd: type: "array" description: | - A list of kernel capabilities to be available for container (this - overrides the default set). + A list of kernel capabilities to add to the default set + for the container. items: type: "string" example: @@ -3288,6 +3279,15 @@ definitions: - "CAP_SYS_ADMIN" - "CAP_SYS_CHROOT" - "CAP_SYSLOG" + CapabilityDrop: + type: "array" + description: | + A list of kernel capabilities to drop from the default set + for the container. + items: + type: "string" + example: + - "CAP_NET_RAW" NetworkAttachmentSpec: description: | Read-only spec type for non-swarm containers attached to swarm overlay diff --git a/api/types/container/host_config.go b/api/types/container/host_config.go index b8a4b3aa62..2f6ebe6b0e 100644 --- a/api/types/container/host_config.go +++ b/api/types/container/host_config.go @@ -403,7 +403,6 @@ type HostConfig struct { // Applicable to UNIX platforms CapAdd strslice.StrSlice // List of kernel capabilities to add to the container CapDrop strslice.StrSlice // List of kernel capabilities to remove from the container - Capabilities []string `json:"Capabilities"` // List of kernel capabilities to be available for container (this overrides the default set) CgroupnsMode CgroupnsMode // Cgroup namespace mode to use for the container DNS []string `json:"Dns"` // List of DNS server to lookup DNSOptions []string `json:"DnsOptions"` // List of DNSOption to look for diff --git a/api/types/swarm/container.go b/api/types/swarm/container.go index 5bbedfcf68..32202ecc6c 100644 --- a/api/types/swarm/container.go +++ b/api/types/swarm/container.go @@ -67,11 +67,12 @@ type ContainerSpec struct { // The format of extra hosts on swarmkit is specified in: // http://man7.org/linux/man-pages/man5/hosts.5.html // IP_address canonical_hostname [aliases...] - Hosts []string `json:",omitempty"` - DNSConfig *DNSConfig `json:",omitempty"` - Secrets []*SecretReference `json:",omitempty"` - Configs []*ConfigReference `json:",omitempty"` - Isolation container.Isolation `json:",omitempty"` - Sysctls map[string]string `json:",omitempty"` - Capabilities []string `json:",omitempty"` + Hosts []string `json:",omitempty"` + DNSConfig *DNSConfig `json:",omitempty"` + Secrets []*SecretReference `json:",omitempty"` + Configs []*ConfigReference `json:",omitempty"` + Isolation container.Isolation `json:",omitempty"` + Sysctls map[string]string `json:",omitempty"` + CapabilityAdd []string `json:",omitempty"` + CapabilityDrop []string `json:",omitempty"` } diff --git a/daemon/cluster/convert/container.go b/daemon/cluster/convert/container.go index 7f1e0af22c..635c2ddc0f 100644 --- a/daemon/cluster/convert/container.go +++ b/daemon/cluster/convert/container.go @@ -18,26 +18,27 @@ func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec { return nil } containerSpec := &types.ContainerSpec{ - Image: c.Image, - Labels: c.Labels, - Command: c.Command, - Args: c.Args, - Hostname: c.Hostname, - Env: c.Env, - Dir: c.Dir, - User: c.User, - Groups: c.Groups, - StopSignal: c.StopSignal, - TTY: c.TTY, - OpenStdin: c.OpenStdin, - ReadOnly: c.ReadOnly, - Hosts: c.Hosts, - Secrets: secretReferencesFromGRPC(c.Secrets), - Configs: configReferencesFromGRPC(c.Configs), - Isolation: IsolationFromGRPC(c.Isolation), - Init: initFromGRPC(c.Init), - Sysctls: c.Sysctls, - Capabilities: c.Capabilities, + Image: c.Image, + Labels: c.Labels, + Command: c.Command, + Args: c.Args, + Hostname: c.Hostname, + Env: c.Env, + Dir: c.Dir, + User: c.User, + Groups: c.Groups, + StopSignal: c.StopSignal, + TTY: c.TTY, + OpenStdin: c.OpenStdin, + ReadOnly: c.ReadOnly, + Hosts: c.Hosts, + Secrets: secretReferencesFromGRPC(c.Secrets), + Configs: configReferencesFromGRPC(c.Configs), + Isolation: IsolationFromGRPC(c.Isolation), + Init: initFromGRPC(c.Init), + Sysctls: c.Sysctls, + CapabilityAdd: c.CapabilityAdd, + CapabilityDrop: c.CapabilityDrop, } if c.DNSConfig != nil { @@ -246,25 +247,26 @@ func configReferencesFromGRPC(sr []*swarmapi.ConfigReference) []*types.ConfigRef func containerToGRPC(c *types.ContainerSpec) (*swarmapi.ContainerSpec, error) { containerSpec := &swarmapi.ContainerSpec{ - Image: c.Image, - Labels: c.Labels, - Command: c.Command, - Args: c.Args, - Hostname: c.Hostname, - Env: c.Env, - Dir: c.Dir, - User: c.User, - Groups: c.Groups, - StopSignal: c.StopSignal, - TTY: c.TTY, - OpenStdin: c.OpenStdin, - ReadOnly: c.ReadOnly, - Hosts: c.Hosts, - Secrets: secretReferencesToGRPC(c.Secrets), - Isolation: isolationToGRPC(c.Isolation), - Init: initToGRPC(c.Init), - Sysctls: c.Sysctls, - Capabilities: c.Capabilities, + Image: c.Image, + Labels: c.Labels, + Command: c.Command, + Args: c.Args, + Hostname: c.Hostname, + Env: c.Env, + Dir: c.Dir, + User: c.User, + Groups: c.Groups, + StopSignal: c.StopSignal, + TTY: c.TTY, + OpenStdin: c.OpenStdin, + ReadOnly: c.ReadOnly, + Hosts: c.Hosts, + Secrets: secretReferencesToGRPC(c.Secrets), + Isolation: isolationToGRPC(c.Isolation), + Init: initToGRPC(c.Init), + Sysctls: c.Sysctls, + CapabilityAdd: c.CapabilityAdd, + CapabilityDrop: c.CapabilityDrop, } if c.DNSConfig != nil { diff --git a/daemon/cluster/executor/container/container.go b/daemon/cluster/executor/container/container.go index 4369b3e6eb..c69a4c71ad 100644 --- a/daemon/cluster/executor/container/container.go +++ b/daemon/cluster/executor/container/container.go @@ -360,7 +360,8 @@ func (c *containerConfig) hostConfig() *enginecontainer.HostConfig { Isolation: c.isolation(), Init: c.init(), Sysctls: c.spec().Sysctls, - Capabilities: c.spec().Capabilities, + CapAdd: c.spec().CapabilityAdd, + CapDrop: c.spec().CapabilityDrop, } if c.spec().DNSConfig != nil { diff --git a/daemon/container.go b/daemon/container.go index 68b3445849..70cf612a09 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -305,21 +305,12 @@ func validateHostConfig(hostConfig *containertypes.HostConfig, platform string) } func validateCapabilities(hostConfig *containertypes.HostConfig) error { - if len(hostConfig.CapAdd) > 0 && hostConfig.Capabilities != nil { - return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapAdd")) - } - if len(hostConfig.CapDrop) > 0 && hostConfig.Capabilities != nil { - return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapDrop")) - } if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapAdd); err != nil { return errors.Wrap(err, "invalid CapAdd") } if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapDrop); err != nil { return errors.Wrap(err, "invalid CapDrop") } - if err := caps.ValidateCapabilities(hostConfig.Capabilities); err != nil { - return errors.Wrap(err, "invalid Capabilities") - } // TODO consider returning warnings if "Privileged" is combined with Capabilities, CapAdd and/or CapDrop return nil } diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go index 180cd4e992..44ac97d1d3 100644 --- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go @@ -162,7 +162,6 @@ func WithCapabilities(c *container.Container) coci.SpecOpts { caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, - c.HostConfig.Capabilities, c.HostConfig.Privileged, ) if err != nil { diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go index cc94c9ecdd..16054f356c 100644 --- a/daemon/oci_windows.go +++ b/daemon/oci_windows.go @@ -390,7 +390,7 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe // Note these are against the UVM. setResourcesInSpec(c, s, true) // LCOW is Hyper-V only - capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged) + capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged) if err != nil { return fmt.Errorf("linux spec capabilities: %v", err) } diff --git a/docs/api/version-history.md b/docs/api/version-history.md index 7de4497957..d6b50ba66d 100644 --- a/docs/api/version-history.md +++ b/docs/api/version-history.md @@ -28,12 +28,12 @@ keywords: "API, Docker, rcli, REST, documentation" * The `filter` (singular) query parameter, which was deprecated in favor of the `filters` option in Docker 1.13, has now been removed from the `GET /images/json` endpoint. The parameter remains available when using API version 1.40 or below. -* `GET /services` now returns `Capabilities` as part of the `ContainerSpec`. -* `GET /services/{id}` now returns `Capabilities` as part of the `ContainerSpec`. -* `POST /services/create` now accepts `Capabilities` as part of the `ContainerSpec`. -* `POST /services/{id}/update` now accepts `Capabilities` as part of the `ContainerSpec`. -* `GET /tasks` now returns `Capabilities` as part of the `ContainerSpec`. -* `GET /tasks/{id}` now returns `Capabilities` as part of the `ContainerSpec`. +* `GET /services` now returns `CappAdd` and `CapDrop` as part of the `ContainerSpec`. +* `GET /services/{id}` now returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`. +* `POST /services/create` now accepts `CapAdd` and `CapDrop` as part of the `ContainerSpec`. +* `POST /services/{id}/update` now accepts `CapAdd` and `CapDrop` as part of the `ContainerSpec`. +* `GET /tasks` now returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`. +* `GET /tasks/{id}` now returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`. * `GET /services` now returns `Pids` in `TaskTemplate.Resources.Limits`. * `GET /services/{id}` now returns `Pids` in `TaskTemplate.Resources.Limits`. * `POST /services/create` now accepts `Pids` in `TaskTemplate.Resources.Limits`. @@ -135,11 +135,6 @@ keywords: "API, Docker, rcli, REST, documentation" * `GET /service/{id}` now returns `MaxReplicas` as part of the `Placement`. * `POST /service/create` and `POST /services/(id or name)/update` now take the field `MaxReplicas` as part of the service `Placement`, allowing to specify maximum replicas per node for the service. -* `GET /containers` now returns `Capabilities` field as part of the `HostConfig`. -* `GET /containers/{id}/json` now returns a `Capabilities` field as part of the `HostConfig`. -* `POST /containers/create` now takes a `Capabilities` field to set the list of - kernel capabilities to be available for the container (this overrides the default - set). * `POST /containers/create` on Linux now creates a container with `HostConfig.IpcMode=private` by default, if IpcMode is not explicitly specified. The per-daemon default can be changed back to `shareable` by using `DefaultIpcMode` daemon configuration parameter. diff --git a/integration/container/create_test.go b/integration/container/create_test.go index 0d7b75465b..801f902772 100644 --- a/integration/container/create_test.go +++ b/integration/container/create_test.go @@ -17,7 +17,6 @@ import ( "github.com/docker/docker/errdefs" ctr "github.com/docker/docker/integration/internal/container" "github.com/docker/docker/oci" - "github.com/docker/docker/testutil/request" specs "github.com/opencontainers/image-spec/specs-go/v1" "gotest.tools/v3/assert" is "gotest.tools/v3/assert/cmp" @@ -258,133 +257,6 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) { } } -func TestCreateWithCapabilities(t *testing.T) { - skip.If(t, testEnv.DaemonInfo.OSType == "windows", "FIXME: test should be able to run on LCOW") - skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "Capabilities was added in API v1.40") - - defer setupTest(t)() - ctx := context.Background() - clientNew := request.NewAPIClient(t) - clientOld := request.NewAPIClient(t, client.WithVersion("1.39")) - - testCases := []struct { - doc string - hostConfig container.HostConfig - expected []string - expectedError string - oldClient bool - }{ - { - doc: "no capabilities", - hostConfig: container.HostConfig{}, - }, - { - doc: "empty capabilities", - hostConfig: container.HostConfig{ - Capabilities: []string{}, - }, - expected: []string{}, - }, - { - doc: "valid capabilities", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}, - }, - expected: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}, - }, - { - doc: "invalid capabilities", - hostConfig: container.HostConfig{ - Capabilities: []string{"NET_RAW"}, - }, - expectedError: `invalid Capabilities: unknown capability: "NET_RAW"`, - }, - { - doc: "duplicate capabilities", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"}, - }, - expected: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"}, - }, - { - doc: "capabilities API v1.39", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}, - }, - expected: nil, - oldClient: true, - }, - { - doc: "empty capadd", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_ADMIN"}, - CapAdd: []string{}, - }, - expected: []string{"CAP_NET_ADMIN"}, - }, - { - doc: "empty capdrop", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_ADMIN"}, - CapDrop: []string{}, - }, - expected: []string{"CAP_NET_ADMIN"}, - }, - { - doc: "capadd capdrop", - hostConfig: container.HostConfig{ - CapAdd: []string{"SYS_NICE", "CAP_SYS_NICE"}, - CapDrop: []string{"SYS_NICE", "CAP_SYS_NICE"}, - }, - }, - { - doc: "conflict with capadd", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_ADMIN"}, - CapAdd: []string{"SYS_NICE"}, - }, - expectedError: `conflicting options: Capabilities and CapAdd`, - }, - { - doc: "conflict with capdrop", - hostConfig: container.HostConfig{ - Capabilities: []string{"CAP_NET_ADMIN"}, - CapDrop: []string{"NET_RAW"}, - }, - expectedError: `conflicting options: Capabilities and CapDrop`, - }, - } - - for _, tc := range testCases { - tc := tc - t.Run(tc.doc, func(t *testing.T) { - t.Parallel() - client := clientNew - if tc.oldClient { - client = clientOld - } - - c, err := client.ContainerCreate(context.Background(), - &container.Config{Image: "busybox"}, - &tc.hostConfig, - &network.NetworkingConfig{}, - nil, - "", - ) - if tc.expectedError == "" { - assert.NilError(t, err) - ci, err := client.ContainerInspect(ctx, c.ID) - assert.NilError(t, err) - assert.Check(t, ci.HostConfig != nil) - assert.DeepEqual(t, tc.expected, ci.HostConfig.Capabilities) - } else { - assert.ErrorContains(t, err, tc.expectedError) - assert.Check(t, errdefs.IsInvalidParameter(err)) - } - }) - } -} - func TestCreateWithCustomReadonlyPaths(t *testing.T) { skip.If(t, testEnv.DaemonInfo.OSType != "linux") diff --git a/integration/internal/swarm/service.go b/integration/internal/swarm/service.go index 5e9bb416ef..19ebff0e9a 100644 --- a/integration/internal/swarm/service.go +++ b/integration/internal/swarm/service.go @@ -189,10 +189,11 @@ func ServiceWithSysctls(sysctls map[string]string) ServiceSpecOpt { } // ServiceWithCapabilities sets the Capabilities option of the service's ContainerSpec. -func ServiceWithCapabilities(Capabilities []string) ServiceSpecOpt { +func ServiceWithCapabilities(add []string, drop []string) ServiceSpecOpt { return func(spec *swarmtypes.ServiceSpec) { ensureContainerSpec(spec) - spec.TaskTemplate.ContainerSpec.Capabilities = Capabilities + spec.TaskTemplate.ContainerSpec.CapabilityAdd = add + spec.TaskTemplate.ContainerSpec.CapabilityDrop = drop } } diff --git a/integration/service/create_test.go b/integration/service/create_test.go index 5f3828edc6..9a7d5c0c14 100644 --- a/integration/service/create_test.go +++ b/integration/service/create_test.go @@ -10,6 +10,7 @@ import ( "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/filters" + "github.com/docker/docker/api/types/strslice" swarmtypes "github.com/docker/docker/api/types/swarm" "github.com/docker/docker/api/types/versions" "github.com/docker/docker/client" @@ -492,12 +493,13 @@ func TestCreateServiceCapabilities(t *testing.T) { ctx := context.Background() // store the map we're going to be using everywhere. - expectedCapabilities := []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"} + capAdd := []string{"CAP_SYS_CHROOT"} + capDrop := []string{"CAP_NET_RAW"} // Create the service with the capabilities options var instances uint64 = 1 serviceID := swarm.CreateService(t, d, - swarm.ServiceWithCapabilities(expectedCapabilities), + swarm.ServiceWithCapabilities(capAdd, capDrop), ) // wait for the service to converge to 1 running task as expected @@ -529,15 +531,16 @@ func TestCreateServiceCapabilities(t *testing.T) { // verify that the container has the capabilities option set ctnr, err := client.ContainerInspect(ctx, tasks[0].Status.ContainerStatus.ContainerID) assert.NilError(t, err) - assert.DeepEqual(t, ctnr.HostConfig.Capabilities, expectedCapabilities) + assert.DeepEqual(t, ctnr.HostConfig.CapAdd, strslice.StrSlice(capAdd)) + assert.DeepEqual(t, ctnr.HostConfig.CapDrop, strslice.StrSlice(capDrop)) // verify that the task has the capabilities option set in the task object - assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.Capabilities, expectedCapabilities) + assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityAdd, capAdd) + assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityDrop, capDrop) // verify that the service also has the capabilities set in the spec. service, _, err := client.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{}) assert.NilError(t, err) - assert.DeepEqual(t, - service.Spec.TaskTemplate.ContainerSpec.Capabilities, expectedCapabilities, - ) + assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd, capAdd) + assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop, capDrop) } diff --git a/oci/caps/utils.go b/oci/caps/utils.go index ffd3f6f508..4a8ed09e8d 100644 --- a/oci/caps/utils.go +++ b/oci/caps/utils.go @@ -117,17 +117,11 @@ func ValidateCapabilities(caps []string) error { // TweakCapabilities tweaks capabilities by adding, dropping, or overriding // capabilities in the basics capabilities list. -func TweakCapabilities(basics, adds, drops, capabilities []string, privileged bool) ([]string, error) { +func TweakCapabilities(basics, adds, drops []string, privileged bool) ([]string, error) { switch { case privileged: // Privileged containers get all capabilities return GetAllCapabilities(), nil - case capabilities != nil: - // Use custom set of capabilities - if err := ValidateCapabilities(capabilities); err != nil { - return nil, err - } - return capabilities, nil case len(adds) == 0 && len(drops) == 0: // Nothing to tweak; we're done return basics, nil