docker cap_add seems to work only with replica to 1 and not in scheduled mode #175
Comments
|
Apparently capabilities are not handled for swarm services. In #203 I have added a new label # cap.yml
version: "3.8"
services:
test:
image: alpine:edge
command: >
/bin/sh -c "apk add libcap-utils && capsh --print | grep Current: | cut -d' ' -f2"
deploy:
replicas: 0
labels:
- "swarm.cronjob.enable=true"
- "swarm.cronjob.schedule=*/5 * * * * *"
- "swarm.cronjob.skip-running=true"
- "swarm.cronjob.capabilities=NET_ADMIN"
cap_add:
- NET_ADMIN$ docker service logs cap_test
...
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=epAlso looking at the docs it seems it's not supported when deploying a stack in swarm mode: https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop I'm not sure why it works with |
|
Thanks for your reply :) You said that even with the dedicated label it still does not work; it is because of swarm ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, and thanks for your work !
We use cronjob to start jobs in our clusters and for some reasons we need for one of our container to set the mac_address (licensing stuff). We found that adding cap_add: - NET_ADMIN allow us to override that value and we are ok with that.
We then tried to deploy such a container in our swarm and found that :
In the docker documentation, we can see that :
`Note when using docker stack deploy
The cap_add and cap_drop options are ignored when deploying a stack in swarm mode`
But it seems that with our used version of docker (20.10.10) and cronjob (1.10.0, latest) the cap_add is NOT ignored, or at least for the replica :1 option.
Here is an example of our iml file :
The text was updated successfully, but these errors were encountered: