caprover / caprover

Scalable PaaS (automated Docker+nginx) - aka Heroku on Steroids
https://CapRover.com

Add support for `--cap-add` arguments #1100

Closed dramikei closed 2 months ago

dramikei commented 3 years ago

Is your feature request related to a problem? Please describe.
Yes, currently CapRover does not support parsing of --cap-add in its yml, mainly because support for --cap-add was missing in Docker Swarm, which CapRover uses (refer: #683). Adding --cap-add would enable many more one-click-apps to be built for CapRover, such as caprover/one-click-apps#222 and WireGuard.

Describe the solution you'd like
Support for cap-add was added in Docker Swarm 20.10.0 (refer: docker/cli#2687). Therefore, CapRover only needs to implement the parsing of cap-add in the one-click-apps yml and implement the necessary functions to get it working.

Describe alternatives you've considered
Alternative solutions to this prior to docker/cli#2687 were running the apps in a 'hacky' way, which were mere workarounds and probably had security concerns (and therefore were not promoted).

Additional context
docker/cli#2687
moby/moby#25885
how to set linux capabilities on docker swarm mode (check the 2nd answer)

githubsaturn commented 3 years ago

CapRover currently uses the v1.40 API to talk to Docker. CapabilityAdd was added in 1.41.

Until we make a breaking change and up the requirement to 1.41, users can manually add the capability using the CLI:

docker service update --cap-add SOMETHING srv-captain--yourappname

dramikei commented 3 years ago

Okay. It would be a bit user-unfriendly until CapRover updates the API, but that shouldn't hinder one-click-apps development :)

amircloner commented 2 years ago

You can use --cap-add in the Pre-Deploy Script or Service Update Override.

Alfagun74 commented 2 years ago

> CapRover currently uses the v1.40 API to talk to Docker. CapabilityAdd was added in 1.41.
>
> Until we make a breaking change and up the requirement to 1.41, users can manually add the capability using the CLI:
>
> docker service update --cap-add SOMETHING srv-captain--yourappname

Is this a permanent solution? Does the cap-add still exist on restart, etc.?

Alfagun74 commented 2 years ago

I just tested, and it is not a permanent solution. How would you solve this forever, @githubsaturn? Why won't we just update CapRover's Docker Swarm API to 1.4.1 to support this feature?

githubsaturn commented 2 years ago

--cap-add should persist after restarts. Did you double-check after running docker service inspect?

Alfagun74 commented 2 years ago

As soon as I update an environment variable or my app, the cap-add is gone. The update to the 1.4.1 API would really help me.
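
An added example, not code from this thread or from the CapRover project, of the Pre-Deploy Script route suggested above, together with the check a practitioner would run after each redeploy given the report that a manually added capability disappears once the app is updated. It assumes CapRover's documented Pre-Deploy Script contract: a `preDeployFunction(captainAppObj, dockerUpdateObject)` whose returned Promise resolves to the Docker service spec CapRover then applies. The helper functions, the `DANGEROUS_CAPS` list and the sample `docker service inspect` output are constructed here, not taken from the page.

```javascript
// Added example, not CapRover's own code. Assumed contract of CapRover's
// Pre-Deploy Script: CapRover calls `preDeployFunction(captainAppObj,
// dockerUpdateObject)` and applies the Docker service spec that the returned
// Promise resolves to. Everything else here is constructed for illustration.

// Capabilities that are effectively root on the host (see capabilities(7));
// refuse them unless the caller opts in explicitly.
const DANGEROUS_CAPS = new Set([
  'CAP_SYS_ADMIN', 'CAP_SYS_MODULE', 'CAP_SYS_PTRACE',
  'CAP_SYS_RAWIO', 'CAP_DAC_READ_SEARCH',
]);

// Docker accepts both "NET_ADMIN" and "CAP_NET_ADMIN"; normalize to one
// spelling so that deduplication and comparison work, and reject anything
// that is not a plain capability name.
function normalizeCap(cap) {
  const c = String(cap).trim().toUpperCase();
  if (!/^(CAP_)?[A-Z]+(_[A-Z]+)*$/.test(c)) {
    throw new Error(`invalid capability name: ${cap}`);
  }
  return c.startsWith('CAP_') ? c : `CAP_${c}`;
}

// Return a copy of the service-update object with `caps` merged into
// TaskTemplate.ContainerSpec.CapabilityAdd (the field Swarm honours from
// API 1.41 on), leaving Env, Mounts and the rest of the spec untouched.
function addCapabilities(dockerUpdateObject, caps, { allowDangerous = false } = {}) {
  const spec = JSON.parse(JSON.stringify(dockerUpdateObject || {}));
  spec.TaskTemplate = spec.TaskTemplate || {};
  spec.TaskTemplate.ContainerSpec = spec.TaskTemplate.ContainerSpec || {};
  const merged = new Set((spec.TaskTemplate.ContainerSpec.CapabilityAdd || []).map(normalizeCap));
  for (const cap of caps) {
    const c = normalizeCap(cap);
    if (DANGEROUS_CAPS.has(c) && !allowDangerous) {
      throw new Error(`refusing to grant ${c}; pass allowDangerous if the app really needs it`);
    }
    merged.add(c);
  }
  spec.TaskTemplate.ContainerSpec.CapabilityAdd = [...merged].sort();
  return spec;
}

// The daemon drops CapabilityAdd when the client speaks an API version
// older than 1.41 (the "Env is added but not CapabilityAdd" symptom).
// Accepts strings such as "v1.40" or "1.41".
function supportsCapabilityAdd(apiVersion) {
  const m = /^v?(\d+)\.(\d+)$/.exec(String(apiVersion).trim());
  if (!m) throw new Error(`unrecognized Docker API version: ${apiVersion}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  return major > 1 || (major === 1 && minor >= 41);
}

// Persistence check: feed the JSON printed by
// `docker service inspect srv-captain--<app>` (an array with one service)
// and get back the expected capabilities that are NOT in the live spec.
function missingCapabilities(inspectJson, expectedCaps) {
  const services = JSON.parse(inspectJson);
  if (!Array.isArray(services) || services.length === 0) {
    throw new Error('expected a non-empty array from docker service inspect');
  }
  const containerSpec = services[0].Spec.TaskTemplate.ContainerSpec || {};
  const present = new Set((containerSpec.CapabilityAdd || []).map(normalizeCap));
  return expectedCaps.map(normalizeCap).filter((c) => !present.has(c));
}

// Constructed stand-in for `docker service inspect` output: the service
// still has NET_ADMIN, but NET_RAW was lost on a redeploy.
const SAMPLE_INSPECT = JSON.stringify([{
  ID: 'constructedserviceid',
  Spec: {
    Name: 'srv-captain--wireguard',
    TaskTemplate: {
      ContainerSpec: { Image: 'example/wireguard:latest', Env: ['A=1'], CapabilityAdd: ['CAP_NET_ADMIN'] },
    },
  },
}]);

// The function CapRover invokes before each deploy (assumed contract).
// A WireGuard-style app typically needs only NET_ADMIN, so grant just that.
var preDeployFunction = function (captainAppObj, dockerUpdateObject) {
  return Promise.resolve(addCapabilities(dockerUpdateObject, ['NET_ADMIN']));
};
```

To check a live app, pass the output of `docker service inspect srv-captain--yourappname` to `missingCapabilities` with the capabilities you expect; an empty array means they survived the last redeploy, anything else means the capability was lost and the service will fail its next start or run without the privilege. The gate on `DANGEROUS_CAPS` is deliberate: CAP_SYS_ADMIN is close to full root on the node, and a VPN-style app needs only NET_ADMIN, so grant that alone.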

ronaldloyko commented 2 years ago

> can use --cap-add in Pre-Deploy Script or Service Update Override

Unfortunately, using Service Update Override does not work for me.

I did the following steps to test:

1) Go to [Your App Name] > App Configs
2) Add the following content to Service Update Override:

{
  "TaskTemplate": {
    "ContainerSpec": {
      "Env": ["A=1"],
      "CapabilityAdd": ["CAP_NET_ADMIN", "CAP_SYS_ADMIN"]
    }
  }
}

3) Run the command docker service inspect [Your App Name]

The Env is added but not CapabilityAdd. The Docker version is 20.10.18, build b40c2f6.

I think this is also related to the fact that CapRover still uses the v1.40 API.

Alfagun74 commented 2 years ago

> > can use --cap-add in Pre-Deploy Script or Service Update Override
>
> Unfortunately, using Service Update Override does not work for me.
>
> I did the following steps to test:
>
> 1) Go to [Your App Name] > App Configs
> 2) Add the following content to Service Update Override:
>
> {
>   "TaskTemplate": {
>     "ContainerSpec": {
>       "Env": ["A=1"],
>       "CapabilityAdd": ["CAP_NET_ADMIN", "CAP_SYS_ADMIN"]
>     }
>   }
> }
>
> 3) Run the command docker service inspect [Your App Name]
>
> The Env is added but not CapabilityAdd. The Docker version is 20.10.18, build b40c2f6.

Yeah, because the API CapRover uses is still outdated. It doesn't know CapAdd yet.

githubsaturn commented 2 years ago

That's correct. But you can manually change the API version via the config override.

The variable to update is dockerApiVersion

Alfagun74 commented 2 years ago

What is keeping you from updating it for everyone?

githubsaturn commented 2 years ago

I will in the next version. What kept me from updating it so far: the chaos it caused as lots of instances across the globe went offline because people didn't read the update notes and had an outdated Docker engine.

We should be fine in the next version, as it's been almost 2 years since 1.41 was released.

ronaldloyko commented 2 years ago

Hi @githubsaturn Thanks for clarifying.

I'm currently creating several one-click-apps that would require CapabilityAdd (like OpenVPN, Mailu, etc.). I would add a warning to instructions.start indicating that API v1.4.1 is required and also briefly explain how to set it via the config override you mentioned. And in instructions.end I would instruct users to add the CapabilityAdd bit to the Service Update Override. Are you OK with already adding them to CapRover's one-click-apps repository?

Otherwise, I would set up a separate repository that users can add in the meantime until the API is updated in CapRover. Once it is updated, I would then transfer the apps to the official repository.

Alfagun74 commented 2 years ago

> Hi @githubsaturn Thanks for clarifying.
>
> I'm currently creating several one-click-apps that would require CapabilityAdd (like OpenVPN, Mailu, etc.). I would add a warning to instructions.start indicating that API v1.4.1 is required and also briefly explain how to set it via the config override you mentioned. And in instructions.end I would instruct users to add the CapabilityAdd bit to the Service Update Override. Are you OK with already adding them to CapRover's one-click-apps repository?
>
> Otherwise, I would set up a separate repository that users can add in the meantime until the API is updated in CapRover. Once it is updated, I would then transfer the apps to the official repository.

Instead of building all kinds of warnings and crutches into the next version, it would be smarter to make it work with 1.41, wouldn't it?

ronaldloyko commented 2 years ago

> > Hi @githubsaturn Thanks for clarifying. I'm currently creating several one-click-apps that would require CapabilityAdd (like OpenVPN, Mailu, etc.). I would add a warning to instructions.start indicating that API v1.4.1 is required and also briefly explain how to set it via the config override you mentioned. And in instructions.end I would instruct users to add the CapabilityAdd bit to the Service Update Override. Are you OK with already adding them to CapRover's one-click-apps repository? Otherwise, I would set up a separate repository that users can add in the meantime until the API is updated in CapRover. Once it is updated, I would then transfer the apps to the official repository.
>
> Instead of building all kinds of warnings and crutches into the next version, it would be smarter to make it work with 1.41, wouldn't it?

I was talking about the one-click-apps that I'm going to contribute, not about CapRover itself.

githubsaturn commented 2 years ago

> Hi @githubsaturn Thanks for clarifying.
>
> I'm currently creating several one-click-apps that would require CapabilityAdd (like OpenVPN, Mailu, etc.). I would add a warning to instructions.start indicating that API v1.4.1 is required and also briefly explain how to set it via the config override you mentioned. And in instructions.end I would instruct users to add the CapabilityAdd bit to the Service Update Override. Are you OK with already adding them to CapRover's one-click-apps repository?
>
> Otherwise, I would set up a separate repository that users can add in the meantime until the API is updated in CapRover. Once it is updated, I would then transfer the apps to the official repository.

Yeah, that sounds good. Once the API is leveled up, we can change the instructions.

guilh22 commented 3 months ago

I added the cap_add ability to CapRover. It is under review: https://github.com/caprover/caprover/pull/2103 https://github.com/caprover/caprover-frontend/pull/151

@ronaldloyko your template should work without a template change. You will be able to remove the Docker API version change instruction and the Service Update Override part.