Capabilities support in swarm mode #4684
Comments
A "me too" from the person who raised in docker/cli#2893. Docker 20.10 introduced the ability to add/remove capabilities with swarm. When deploying a stack that uses capabilities (e.g. When deploying the same compose-file with Portainer, the capabilities are not added (confirmed using |
FYI this is earmarked in our 2.2 release (end of March 2021). We'll tackle this in two points:
|
Just a FYI: the issue reported in docker/cli#2893 should now be fixed in current versions of Docker Desktop |
@deviantony Did this get picked up in the 2.5.0 release? I'm still seeing the same behavior in 2.5.0, and wanted to check if the fix was implemented before troubleshooting further. |
@davehope this did not make it into 2.5.0 and we don't have any ETA yet, sorry. We'll probably bump up the Compose format version as a first step to support this via stack deployment first. |
Additionally when a service is deployed manually with the capability but is then updated through Portainer, the capability is lost. I presume this is the cause. |
We're now up to Portainer 2.6.0. I still can't do this on a Swarm/Stack. Is there any workaround for this? |
@grehund in my case I run |
I am doing the same with my fail2ban service. I can confirm it is working, but definitely not convenient |
I hope this will be fixed soon, as it looks like when you deploy the stack, Portainer is removing the capability section from the stack, which otherwise will work correctly if deployed. After more than 6 months I think it's time to correct what should be called a bug now. |
I was amazed to find that swarm supports capabilities but then really sad for portainer not keeping up. After bumping into this thread, I've wrapped up a little helper, portainer-capability-manager, I hope it might be useful for someone else 🤗 |
This is really amazing, thank you for sharing your temporary fix. I hope the Portainer team will fix this bug soon anyway. |
Is there any update? This is making VPN servers and debuggers clumsy to use in Docker. Thanks |
Yes, the issue still exists in 2.9.3 |
2.11.0 and issue still exists. |
This looks the same as an issue I have with another service. Is this due to the alpine container that portainer uses not having >20.10 docker cli? |
Any updates on this issue? It is almost a year old now. |
20.10.12 and still here. |
Portainer 2.11.1 here, and still the same issue. I'm actually glad I found this thread after an afternoon trying to get it to work. This is especially helpful for people wanting to run on an SBC like Raspberry Pi. I hope this gets fixed soon. |
You are a saint! ❤️ Portainer team, hello there. Docker swarm mode has had this since 20.10.0, please do add support for it in portainer. |
Thanks for the workaround! Bumping issue |
When is this available please? |
+1 for this feature |
+1 for this feature |
Looks like it is finally working in 2.14 (CE), due to: I deployed linuxserver.io wireguard image (https://docs.linuxserver.io/images/docker-wireguard) on my Swarm (slightly modified, had to change version to 3):
|
Very cool. I gave up on wireguard in Swarm because I couldn't figure out how to send another container's traffic through it. |
@MadsBen thanks for posting. Portainer 2.14 addressed this for me too. @deviantony this can be closed now, thanks! |
I am potentially still having an issue with cap_add: - NET_ADMIN in a Swarm Stack on Portainer 2.14. Currently troubleshooting. |
It works in a Standalone Container, but NOT a Stack on Portainer 2.14... maybe I am misunderstanding something. |
@grehund
|
Yep, that's what I had in my compose file. Not sure why it won't work, but I assume it's something with the image I'm using, rather than Portainer. |
Also working here, tested with 3 different swarm services (wireguard and two using bluetooth), thank you for sharing @MadsBen! |
Hey all, Question, it's working on my end as well but in a swarm config, network_mode I think it is, is ignored. So in short, does anyone have any guidance on how we route traffic through a VPN container? If this is a different topic that's not directly related, just let me know and I'll create a different post :) |
@Shady0xfee1dead I think that plain doesn't work / is not supported. So while we can run a wireguard in a docker swarm mode container, we cannot (in a supported way, or possibly any way) route other containers' traffic through it. |
This has been addressed via the upgrade of the Compose binary in 2.14, closing this thread now. If you have any problem with this feature, please open a new issue. |
Thanks for the update on this! @deviantony I propose to reopen this issue. It is now possible to use capabilities in compose files. But it is still not possible to use them in a service configured via the Portainer frontend (Services -> Add service). This requires me to create all services which use the capabilities via the docker cli, because services cannot be launched from compose files in the Portainer frontend. |
Is your feature request related to a problem? Please describe.
At present it does not look like cap_add and cap_drop are supported via stack deploy on the UI when running in swarm mode. When including this via compose YAML, the service will run but without the configured capabilities present.
As of docker-ce 20.10 these are now implemented upstream, and the service can be corrected via cli, e.g.
docker service update --cap-add NET_ADMIN someservicename
Describe the solution you'd like
Support cap_add within portainer stack deployment.
Describe alternatives you've considered
n/a
Additional context
This -may- be related to an issue highlighted over on the docker-ce repository here:
docker/cli#2893
portainer version tested: v2.0.0
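The symptom reported here (the service runs, but without the capabilities the compose file declares) can be checked by comparing the stack's declared `cap_add`/`cap_drop` with the `CapabilityAdd`/`CapabilityDrop` lists in `docker service inspect` output. The following is an added example, not code from this thread or from Portainer; the stack name `vpn`, the service names and the trimmed inspect output are constructed samples.

```python
import json

# Constructed sample: cap_add/cap_drop per service as declared in the stack's compose file.
DECLARED = {
    "wireguard": {"cap_add": ["NET_ADMIN", "SYS_MODULE"], "cap_drop": []},
    "web": {"cap_add": [], "cap_drop": ["NET_RAW"]},
}

# Constructed sample of `docker service inspect vpn_wireguard vpn_web`, trimmed.
# vpn_wireguard shows the symptom from this issue: no CapabilityAdd in the spec.
INSPECTED = json.loads("""[
 {"Spec": {"Name": "vpn_wireguard", "TaskTemplate": {"ContainerSpec": {}}}},
 {"Spec": {"Name": "vpn_web", "TaskTemplate": {"ContainerSpec":
    {"CapabilityDrop": ["CAP_NET_RAW"]}}}}
]""")

def norm(caps):
    """Normalise names so NET_ADMIN and CAP_NET_ADMIN compare equal."""
    names = (c.upper() for c in caps or [])
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def capability_drift(stack, declared, inspected):
    """Return {service: {"missing_add": [...], "missing_drop": [...]}} for mismatches."""
    live = {s["Spec"]["Name"]: s["Spec"]["TaskTemplate"]["ContainerSpec"]
            for s in inspected}
    drift = {}
    for svc, caps in declared.items():
        name = f"{stack}_{svc}"          # swarm names stack services <stack>_<service>
        spec = live.get(name)
        if spec is None:
            continue                     # not deployed, nothing to compare
        add = sorted(norm(caps.get("cap_add")) - norm(spec.get("CapabilityAdd")))
        drop = sorted(norm(caps.get("cap_drop")) - norm(spec.get("CapabilityDrop")))
        if add or drop:
            drift[name] = {"missing_add": add, "missing_drop": drop}
    return drift

def fix_commands(drift):
    """Build the `docker service update` argv that re-applies what is missing."""
    cmds = []
    for name, d in sorted(drift.items()):
        flags = [x for c in d["missing_add"] for x in ("--cap-add", c)]
        flags += [x for c in d["missing_drop"] for x in ("--cap-drop", c)]
        cmds.append(["docker", "service", "update", *flags, name])
    return cmds

if __name__ == "__main__":
    print(fix_commands(capability_drift("vpn", DECLARED, INSPECTED)))
```

Running the same comparison after every stack update also catches the case mentioned in the comments where a later update drops a capability that was applied by hand.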