Add support for ambient capabilities

[justincormack]

This change was reverted for docker 1.13 (see #27737)

Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to allow containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack justin.cormack@docker.com

NOTE: actual runc update was included in #27160 so this is just a docs and tests change now.

NOTE: This will grant the default capabilities to containers that are run as a non root user. This might be surprising, for example we grant cap_chown by default, so with this PR docker run -u 1000 busybox chown 100 /tmp will just work. We could grant fewer capabilities to containers not running as root, by default, but this might break users who expect sudo chown ... to work. In general as running as non root is strictly better than running as root, I think it is best to leave this, as the default capabilities are mostly harmless, and I am planning other patches to allow reducing the default capability set globally. Open to discussion on this.

Chill Out with Ambient Capabilities

[justincormack]

cc @mrunalp @crosbymichael

[cpuguy83]

ping @tianon too

[thaJeztah]

Should we have a failing test as well, to verify that it won't work without this?

[justincormack]

Done

[justincormack]

The test failures look like they are related to other changes in runc, I will look at them seperately.

[mrunalp]

I tested this and it works fine for me 👍

[jeremyeder]

@mrunalp Ambient Capabilities are available in RHEL7.3.

[mrunalp]

@jeremyeder Awesome. I had only tested on RHEL 7.2 and wasn't sure about status in 7.3

[thaJeztah]

This now needs to be moved somewhere in the https://github.com/docker/docker.gihub.io repository (I'm ok with keeping it here as well, as that repository does not yet have docs for 1.13 it seems)

[thaJeztah]

LGTM

[crosbymichael]

LGTM

[thaJeztah]

Given that there's no docs for 1.13 yet in the https://github.com/docker/docker.gihub.io repository, I'm moving this to "merge". There'll probably be a sync with that repository in the near future.

/cc @johndmulhausen @mstanleyjones

[mdlinville]

I got this into the vnext-engine branch on docker/docker.github.io repository, which is where new features for Engine should now be documented. That branch currently has all doc-related commits in docker/docker master up to SHA1 4331b62.

[thaJeztah]

@mstanleyjones I was about to open a pull request to revert the documentation changes in this PR, but I cannot find these changes in your sync of october 10th; https://github.com/docker/docker.github.io/blob/e4bce35ac2d2963e0f52414ca98742c60e8df510/engine/security/seccomp.md

Should we check if things got lost in that sync?

[mdlinville]

Merged #584 which addresses @thaJeztah comment above. Thanks!