Add credspec to compose #32393
Add credspec to compose #32393
Conversation
GordonTheTurtle
added
dco/no
friism
force-pushed
the
add-credspec-to-compose
branch
from
0aaece9
to
9bb3685
Compare
GordonTheTurtle
removed
the
dco/no
friism
force-pushed
the
add-credspec-to-compose
branch
from
9bb3685
to
9a99888
Compare
cli/compose/types/types.go
Outdated
| @@ -80,6 +80,7 @@ type ServiceConfig struct { | |||
| CgroupParent string `mapstructure:"cgroup_parent"` | |||
| Command ShellCommand | |||
| ContainerName string `mapstructure:"container_name"` | |||
| CredentialSpec string `mapstructure:"credential_spec"` | |||
There was a problem hiding this comment.
@friism @dnephin @diogomonica Do we want to have the raw CredentialSpec here or should this be embedded in Privileges, like in the API?
There was a problem hiding this comment.
@aluzzardi we could embed, but you're never gonna use credential_spec with the selinux stuff anyway, so I don't see why.
friism
force-pushed
the
add-credspec-to-compose
branch
2 times, most recently
from
240af03
to
c1634bf
Compare
|
I've done a cursory test and this seems to work correctly. I'll test end-to-end Thursday. |
friism
force-pushed
the
add-credspec-to-compose
branch
from
c1634bf
to
8bfc673
Compare
|
rebased |
friism
force-pushed
the
add-credspec-to-compose
branch
2 times, most recently
from
d9c95c6
to
6972326
Compare
|
@dnephin can you take a look too? Should this go into 3.3 or 3.2? I'm trying to fix the build. |
friism
force-pushed
the
add-credspec-to-compose
branch
from
6972326
to
cd12fe1
Compare
|
I tested this end-to-end as in #32339, and it checks out |
friism
force-pushed
the
add-credspec-to-compose
branch
2 times, most recently
from
c995d33
to
307fee5
Compare
friism
force-pushed
the
add-credspec-to-compose
branch
from
307fee5
to
b80d3d5
Compare
|
If we are going to bump the compose file version, shouldn't we ideally add all the SELinux options that are part of #32339 instead of just |
|
I don't know what's customary. I can put it in v3.2 too.
|
cli/compose/convert/service.go
Outdated
| @@ -123,6 +131,7 @@ func convertService( | |||
| TTY: service.Tty, | |||
| OpenStdin: service.StdinOpen, | |||
| Secrets: secrets, | |||
| Privileges: &privileges, | |||
There was a problem hiding this comment.
I think it's better to leave Privileges as nil if there is nothing related to it specified in the compose file.
|
cc @shin- I guess we'd need to handle this in docker-compose as well |
friism
force-pushed
the
add-credspec-to-compose
branch
from
b80d3d5
to
74a9ecf
Compare
|
Code LGTM. I'm still wondering if we should support the other options that are being introduced simultaneously, but I'll leave that up to @dnephin. |
| ] | ||
| }, | ||
| "container_name": {"type": "string"}, | ||
| "credential_spec": {"type": "string"}, |
There was a problem hiding this comment.
I don't think this should be immediately in the service struct. We just went and removed a bunch of fields from the Compose format with the argument that we wanted things to be platform agnostic, so we can't go adding new ones back in.
I think we need to group these, something like this:
services:
foo:
...
platform:
windows:
credential_spec: ...
There was a problem hiding this comment.
See the discussion on the other PR; although this only is used by tasks/containers running on Windows, the manager you're connected to doesn't make this distinction. Similar to it being possible to set SELinux or AppArmor options, but they won't be consumed if the node it lands on doesn't have it enabled
There was a problem hiding this comment.
Yes, I have serious concerns with that design.
It's "not as bad" in the API, but from the Compose file is it s a problem.
If you specify an option in the compose file you expect it to do something. This has been a common issue reported by users. This is why we have the build and deploy sections, so it's clear when something might be ignored.
The same applies to these options. It needs to be clear from the config that the options only apply in some cases.
I believe the daemon ignores unsupported fields, so the user would never be informed that their settings are being ignored.
There was a problem hiding this comment.
I think that's a separate thing (and I agree - meant to open an issue for the, e.g. if "memory-limit" is not supported by the node, you'll never be aware of that.)
In a way, it's not non-functional, as in you're able to pass the definition; we can't explain everything in the file format itself
There was a problem hiding this comment.
We don't have to explain everything, just the important pieces.
There was a problem hiding this comment.
Same answer as with the API:
I hear you but I don't think that's the right move. Rather than grouping flags by functionality (e.g. Privileges), we'll end up with highly unrelated groups (e.g. tty next to selinux next to apparmor next to other stuff).
It's fine to have options that only apply to a platform, as long as it's documented.
Ultimately, flags will be supported on platforms where they are supported. You can set SELinux under Linux all you want, it's not because you are running Linux that it's going to work anyway (do you have selinux enabled in your system? the tooling installed? the daemon started with --selinux-enabled)?
friism
force-pushed
the
add-credspec-to-compose
branch
from
74a9ecf
to
2df1239
Compare
Signed-off-by: Michael Friis <friism@gmail.com>
friism
force-pushed
the
add-credspec-to-compose
branch
from
2df1239
to
1cd0575
Compare
|
Reviving this up /cc @diogomonica Should privileges (credentialspec, selinux) be top-level or nested under privileges? As I explained in #32393 (comment), I don't believe in platform nesting |
|
I think selinux should be under privileges, but credential spec shouldn't. |
|
@diogomonica ok, so since selinux is not part of this PR anyway, we should be good right? |
|
You know my feelings about credential spec ;) But I don't see a better way forward, so LGTM. |
|
|
||
| credentialSpec := swarm.CredentialSpec{} | ||
| switch { | ||
| case strings.HasPrefix(source, "file://"): |
There was a problem hiding this comment.
Can we just follow the swarm type for this instead of string parsing?
There was a problem hiding this comment.
I think it's fine to leave it as-is:
- it makes compose and cli more similar
- it's simpler to add additional schemes (I'm looking forward to
config, for example)
There was a problem hiding this comment.
I think it's (mostly) fine on the command line because having lots of flags that are basically the same is gross... however providing a strongly typed object which we are representing in the yaml format is much more desirable.
Otherwise we have to rely on the daemon to parse these strings.
|
Looks like we're ok on design, so moving to code review, but let me know if there are strong objections |
thaJeztah
added
status/2-code-review
impact/changelog
impact/cli
impact/documentation
and removed
status/1-design-review
labels
|
LGTM Unrelated to this PR:
Do you think that's true for the API as well? I nested them under |
|
@aluzzardi I think it's fine, but overall I would rather have credspec as a distinct thing from privileges everywhere. |
|
@friism needs rebase. |
|
rebase wont help. This needs to be re-opened against docker/cli |
|
Carrying in docker/cli#71 |
This is a follow-up PR to #32339