
Capabilities support in swarm mode #4684

Closed
cbrherms opened this issue Jan 3, 2021 · 36 comments

Comments

@cbrherms
Contributor

cbrherms commented Jan 3, 2021

Is your feature request related to a problem? Please describe.

At present it does not look like cap_add and cap_drop are supported via stack deploy on the ui when running in swarm mode.
When including this via compose yaml, the service will run but without the configured capabilities present.
As of docker-ce 20.10 these are now implemented upstream, and the service can be corrected via cli e.g.
docker service update --cap-add NET_ADMIN someservicename

Describe the solution you'd like
Support cap_add within portainer stack deployment.

Describe alternatives you've considered
n/a

Additional context
This -may- be related to an issue highlighted over on the docker-ce repository here:
docker/cli#2893

portainer version tested: v2.0.0

@davehope

davehope commented Jan 4, 2021

A "me too" from the person who raised in docker/cli#2893.

Docker 20.10 introduced the ability to add/remove capabilities with swarm.

When deploying a stack that uses capabilities (e.g. docker stack deploy --compose-file xxx.yml) the capabilities are correctly applied.

When deploying the same compose-file with Portainer, the capabilities are not added (confirmed using docker inspect xxx | jq '.[0].Spec.TaskTemplate.ContainerSpec.CapabilityAdd').

@deviantony
Member

FYI this is earmarked in our 2.2 release (end of March 2021).

We'll tackle this in two points:

  • Add support for stacks that use capabilities by upgrading the Docker binary to the latest version
  • Update the Swarm services UI/UX to support capabilities

@thaJeztah

Just a FYI: the issue reported in docker/cli#2893 should now be fixed in current versions of Docker Desktop

@davehope

@deviantony Did this get picked up in the 2.5.0 release?

I'm still seeing the same behavior in 2.5.0, and wanted to check if the fix was implemented before troubleshooting further.

@deviantony
Member

@davehope this did not make it into 2.5.0 and we don't have any ETA yet, sorry. We'll probably bump up the Compose format version as a first step to support this via stack deployment first.

@john8329

john8329 commented Jul 8, 2021

Additionally when a service is deployed manually with the capability but is then updated through Portainer, the capability is lost. I presume this is the cause.

@grehund

grehund commented Jul 9, 2021

We're now up to Portainer 2.6.0. I still can't do this on a Swarm/Stack. Is there any workaround for this?

@john8329

@grehund in my case I run docker service update --cap-add NET_ADMIN [service name] every time I update the service via the GUI. Not 100% sure it works, still testing it.

@GeoCookie

I am doing the same with my fail2ban service. I can confirm it is working, but definitely not convenient

@lettore

lettore commented Jul 27, 2021

I hope this will be fixed soon, as it looks like when you deploy the stack, Portainer is removing the capability section from the stack, which otherwise works correctly if deployed. After more than 6 months I think it's time to correct what should be called a bug now.

@fopina

fopina commented Aug 2, 2021

I was amazed to find that swarm supports capabilities but then really sad for portainer not keeping up.

After bumping into this thread, I've wrapped up a little helper, portainer-capability-manager, I hope it might be useful for someone else 🤗

@lettore

lettore commented Aug 2, 2021

> I was amazed to find that swarm supports capabilities but then really sad for portainer not keeping up.
>
> After bumping into this thread, I've wrapped up a little helper, portainer-capability-manager, I hope it might be useful for someone else 🤗

This is really amazing, thank you for sharing your temporary fix. I hope the Portainer team will fix this bug soon anyway.

@john8329

john8329 commented Nov 7, 2021

Is there any update? This is making VPN servers and debuggers clumsy to use in Docker. Thanks

@MadsBen

MadsBen commented Nov 30, 2021

Yes, the issue still exists in 2.9.3

@kimdre

kimdre commented Dec 15, 2021

2.11.0 and issue still exists.

@gitdeath

gitdeath commented Jan 3, 2022

This looks the same as an issue I have with another service. Is this due to alpine container that portainer uses not having >20.10 docker cli?

containrrr/shepherd#62 (comment)

@devantler

Any updates on this issue? It is almost a year old now.
Currently, it isn't enjoyable when setting up VPN, DNS, or relying on other services that require capabilities. It would be nice if it was prioritized, as new users to Portainer (myself included) are in for a headache when expecting that anything docker will work in Portainer.

@GitHK

GitHK commented Feb 21, 2022

20.10.12 and still here.

@luvxinh

luvxinh commented Mar 19, 2022

Portainer 2.11.1 here, and still the same issue.

I'm actually glad I found this thread after an afternoon trying to get it to work.

This is especially helpful for people wanting to run on SBC like Raspberry Pi. I hope this gets fixed soon.

@yorickdowne

> I was amazed to find that swarm supports capabilities but then really sad for portainer not keeping up.
>
> After bumping into this thread, I've wrapped up a little helper, portainer-capability-manager, I hope it might be useful for someone else 🤗

You are a saint! ❤️

Portainer team, hello there. Docker swarm mode has had this since 20.10.0, please do add support for it in portainer.

@to0w1r3d

> I was amazed to find that swarm supports capabilities but then really sad for portainer not keeping up.
>
> After bumping into this thread, I've wrapped up a little helper, portainer-capability-manager, I hope it might be useful for someone else 🤗

Thanks for the workaround! Bumping issue

@carlvaneijk

when is this available please?

@manfredrotzetter

+1 for this feature

@Shady0xfee1dead

+1 for this feature

@MadsBen

MadsBen commented Jun 28, 2022

Looks like it is finally working in 2.14 (CE), due to:
#6994

I deployed linuxserver.io wireguard image (https://docs.linuxserver.io/images/docker-wireguard) on my Swarm (slightly modified, had to change version to 3):

redacted@redacted:~$ docker inspect testtest_wireguard | jq '.[0].Spec.TaskTemplate.ContainerSpec.CapabilityAdd'
[
  "CAP_NET_ADMIN",
  "CAP_SYS_MODULE"
]

@yorickdowne

Very cool. I gave up on wireguard in Swarm because I couldn't figure out how to send another container's traffic through it.

@davehope

@MadsBen thanks for posting. Portainer 2.14 addressed this for me too.

@deviantony this can be closed now, thanks!

@grehund

grehund commented Jun 29, 2022

I am potentially still having an issue with cap_add: - NET_ADMIN in a Swarm Stack on Portainer 2.14. Currently troubleshooting.

@grehund

grehund commented Jun 29, 2022

> I am potentially still having an issue with cap_add: - NET_ADMIN in a Swarm Stack on Portainer 2.14. Currently troubleshooting.

It works in a Standalone Container, but NOT a Stack on Portainer 2.14... maybe I am misunderstanding something.

@davehope

@grehund
I'm using swarm, and CAP_NET_ADMIN gets added, not much to it for me:

version: '3.7'
services:
  whatever:
    image: whatever
    cap_add:
      - NET_ADMIN
root@SRVDCK01:~# docker inspect whatever_whatever | jq '.[0].Spec.TaskTemplate.ContainerSpec.CapabilityAdd'
[
  "CAP_NET_ADMIN"
]
root@SRVDCK01:~# docker -v
Docker version 20.10.17, build 100c701
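The check davehope runs above (inspect the service and read `Spec.TaskTemplate.ContainerSpec.CapabilityAdd`) and the workaround john8329 describes earlier in the thread (re-run `docker service update --cap-add` after each GUI update) can be turned into a small drift check. The script below is an added example, not code from the Portainer project or from anyone in this thread. It parses a constructed sample of `docker service inspect` output (the real command's output can be fed in the same way) and compares what is deployed against the `cap_add` list from the compose file, normalising the `NET_ADMIN` / `CAP_NET_ADMIN` spelling difference visible in the thread. Service names, the image names and the sample JSON are constructed for illustration.

```python
import json
import shlex
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample of `docker service inspect svc1 svc2` output, trimmed to the
# fields used here (not captured from a real host). The first service kept the
# capability its compose file asked for; the second has none recorded, which is
# the symptom this thread describes after a Portainer (re)deploy.
SAMPLE_INSPECT = json.dumps([
    {"Spec": {"Name": "whatever_whatever",
              "TaskTemplate": {"ContainerSpec": {
                  "Image": "whatever:latest",
                  "CapabilityAdd": ["CAP_NET_ADMIN"]}}}},
    {"Spec": {"Name": "testtest_wireguard",
              "TaskTemplate": {"ContainerSpec": {
                  "Image": "example/wireguard:latest"}}}},
])


def normalize_cap(name: str) -> str:
    """Map compose-style 'NET_ADMIN' and Docker-style 'CAP_NET_ADMIN' to one form.

    Docker records capabilities with the CAP_ prefix (see the jq output in the
    thread), while compose files usually omit it, so compare in CAP_ form.
    """
    cap = name.strip().upper()
    return cap if cap.startswith("CAP_") else f"CAP_{cap}"


def deployed_caps(inspect_json: str) -> Dict[str, Set[str]]:
    """Return {service name: set of CapabilityAdd entries} from inspect output.

    A missing or null CapabilityAdd (Docker omits the field when it is empty)
    counts as 'no added capabilities', not as a parse error.
    """
    result: Dict[str, Set[str]] = {}
    for entry in json.loads(inspect_json):
        spec = entry["Spec"]
        container = spec["TaskTemplate"]["ContainerSpec"]
        caps = container.get("CapabilityAdd") or []
        result[spec["Name"]] = {normalize_cap(c) for c in caps}
    return result


def check_service(inspect_json: str, service: str,
                  expected: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Compare the compose file's cap_add list with what is actually deployed.

    Returns (missing, unexpected): capabilities the compose file asked for but
    the service lacks, and capabilities the service carries that the compose
    file never requested (a least-privilege drift in the other direction).
    An unknown service name is reported as missing everything.
    """
    want = {normalize_cap(c) for c in expected}
    have = deployed_caps(inspect_json).get(service, set())
    return want - have, have - want


def remediation_command(service: str, missing: Iterable[str]) -> Optional[str]:
    """Build the re-apply command used as the workaround in this thread.

    Returns None when nothing is missing. Docker accepts both NET_ADMIN and
    CAP_NET_ADMIN for --cap-add; the normalized CAP_ form is emitted here.
    """
    caps = sorted(missing)
    if not caps:
        return None
    parts = ["docker", "service", "update"]
    for cap in caps:
        parts += ["--cap-add", cap]
    parts.append(service)
    return shlex.join(parts)


if __name__ == "__main__":
    # Expectations as written in the two compose snippets quoted in this thread.
    expected = {"whatever_whatever": ["NET_ADMIN"],
                "testtest_wireguard": ["NET_ADMIN", "SYS_MODULE"]}
    for svc, caps in expected.items():
        missing, extra = check_service(SAMPLE_INSPECT, svc, caps)
        status = "ok" if not missing and not extra else "DRIFT"
        print(f"{svc}: {status} missing={sorted(missing)} unexpected={sorted(extra)}")
        fix = remediation_command(svc, missing)
        if fix:
            print(f"  re-apply with: {fix}")
```

On a real host, replace `SAMPLE_INSPECT` with the output of `docker service inspect <name>` and run the check after every Portainer redeploy; a non-empty `missing` set is exactly the symptom reported in this thread, while a non-empty `unexpected` set flags a service carrying more privilege than its compose file declares.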

@grehund

grehund commented Jun 29, 2022

> @grehund I'm using swarm, and CAP_NET_ADMIN gets added, not much to it for me:
>
> version: '3.7'
> services:
>   whatever:
>     image: whatever
>     cap_add:
>       - NET_ADMIN

Yep, that's what I had in my compose file. Not sure why it won't work, but I assume it's something with the image I'm using, rather than Portainer.

@fopina

fopina commented Jun 29, 2022

also working here, tested with 3 different swarm services (wireguard and two using bluetooth), thank you for sharing @MadsBen !

@Shady0xfee1dead

Hey all,

Question, it's working on my end as well but in a swarm config, network_mode I think it is, is ignored. So in short, does anyone have any guidance on how we route traffic through a VPN container? If this is a different topic that's not directly related, just let me know and I'll create a different post :)

@yorickdowne

@Shady0xfee1dead I think that plain doesn't work / is not supported. So while we can run a wireguard in a docker swarm mode container, we cannot (in a supported way, or possibly any way) route other containers' traffic through it.

@deviantony
Member

This has been addressed via the upgrade of the Compose binary in 2.14, closing this thread now. If you have any problem with this feature, please open a new issue.

@deviantony deviantony added this to the CE-2.14.0 milestone Jun 30, 2022
@jovobe

jovobe commented Jun 30, 2022

Thanks for the update in this!

@deviantony I propose to reopen this issue. It is now possible to use capabilities in compose files. But it is still not possible to use them in a service configured via the Portainer frontend (Services -> Add service). This requires me to create all services which use the capabilities via the docker cli, because services cannot be launched from compose files in the Portainer frontend.
