New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add credspec to compose #32393
Add credspec to compose #32393
Conversation
0aaece9
to
9bb3685
Compare
9bb3685
to
9a99888
Compare
cli/compose/types/types.go
Outdated
@@ -80,6 +80,7 @@ type ServiceConfig struct { | |||
CgroupParent string `mapstructure:"cgroup_parent"` | |||
Command ShellCommand | |||
ContainerName string `mapstructure:"container_name"` | |||
CredentialSpec string `mapstructure:"credential_spec"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@friism @dnephin @diogomonica Do we want to have the raw CredentialSpec
here or should this be embedded in Privileges
, like in the API?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aluzzardi we could embed, but you're never gonna use credential_spec with the selinux stuff anyway, so I don't see why.
240af03
to
c1634bf
Compare
I've done a cursory test and this seems to work correctly. I'll test end-to-end Thursday. |
c1634bf
to
8bfc673
Compare
rebased |
d9c95c6
to
6972326
Compare
@dnephin can you take a look too? Should this go into 3.3 or 3.2? I'm trying to fix the build. |
6972326
to
cd12fe1
Compare
I tested this end-to-end as in #32339, and it checks out |
c995d33
to
307fee5
Compare
307fee5
to
b80d3d5
Compare
If we are going to bump the compose file version, shouldn't we ideally add all the SELinux options that are part of #32339 instead of just |
I don't know what's customary. I can put it in v3.2 too.
|
cli/compose/convert/service.go
Outdated
@@ -123,6 +131,7 @@ func convertService( | |||
TTY: service.Tty, | |||
OpenStdin: service.StdinOpen, | |||
Secrets: secrets, | |||
Privileges: &privileges, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's better to leave Privileges
as nil if there is nothing related to it specified in the compose file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
cc @shin- I guess we'd need to handle this in docker-compose as well |
b80d3d5
to
74a9ecf
Compare
Code LGTM. I'm still wondering if we should support the other options that are being introduced simultaneously, but I'll leave that up to @dnephin. |
] | ||
}, | ||
"container_name": {"type": "string"}, | ||
"credential_spec": {"type": "string"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this should be immediately in the service struct. We just went and removed a bunch of fields from the Compose format with the argument that we wanted things to be platform agnostic, so we can't go adding new ones back in.
I think we need to group these, something like this:
services:
foo:
...
platform:
windows:
credential_spec: ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See the discussion on the other PR; although this only is used by tasks/containers running on Windows, the manager you're connected to doesn't make this distinction. Similar to it being possible to set SELinux or AppArmor options, but they won't be consumed if the node it lands on doesn't have it enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I have serious concerns with that design.
It's "not as bad" in the API, but from the Compose file is it s a problem.
If you specify an option in the compose file you expect it to do something. This has been a common issue reported by users. This is why we have the build
and deploy
sections, so it's clear when something might be ignored.
The same applies to these options. It needs to be clear from the config that the options only apply in some cases.
I believe the daemon ignores unsupported fields, so the user would never be informed that their settings are being ignored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's a separate thing (and I agree - meant to open an issue for the, e.g. if "memory-limit" is not supported by the node, you'll never be aware of that.)
In a way, it's not non-functional, as in you're able to pass the definition; we can't explain everything in the file format itself
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have to explain everything, just the important pieces.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same answer as with the API:
I hear you but I don't think that's the right move. Rather than grouping flags by functionality (e.g. Privileges), we'll end up with highly unrelated groups (e.g. tty next to selinux next to apparmor next to other stuff).
It's fine to have options that only apply to a platform, as long as it's documented.
Ultimately, flags will be supported on platforms where they are supported. You can set SELinux under Linux all you want, it's not because you are running Linux that it's going to work anyway (do you have selinux enabled in your system? the tooling installed? the daemon started with --selinux-enabled)?
74a9ecf
to
2df1239
Compare
Signed-off-by: Michael Friis <friism@gmail.com>
2df1239
to
1cd0575
Compare
Reviving this up /cc @diogomonica Should privileges (credentialspec, selinux) be top-level or nested under privileges? As I explained in #32393 (comment), I don't believe in platform nesting |
I think selinux should be under privileges, but credential spec shouldn't. |
@diogomonica ok, so since selinux is not part of this PR anyway, we should be good right? |
You know my feelings about credential spec ;) But I don't see a better way forward, so LGTM. |
|
||
credentialSpec := swarm.CredentialSpec{} | ||
switch { | ||
case strings.HasPrefix(source, "file://"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we just follow the swarm type for this instead of string parsing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's fine to leave it as-is:
- it makes compose and cli more similar
- it's simpler to add additional schemes (I'm looking forward to
config
, for example)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's (mostly) fine on the command line because having lots of flags that are basically the same is gross... however providing a strongly typed object which we are representing in the yaml format is much more desirable.
Otherwise we have to rely on the daemon to parse these strings.
Looks like we're ok on design, so moving to code review, but let me know if there are strong objections |
LGTM Unrelated to this PR:
Do you think that's true for the API as well? I nested them under |
@aluzzardi I think it's fine, but overall I would rather have credspec as a distinct thing from privileges everywhere. |
@friism needs rebase. |
rebase wont help. This needs to be re-opened against docker/cli |
Carrying in docker/cli#71 |
This is a follow-up PR to #32339