Skip to content

/ cli

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

zsh completion: complete capabilities after --cap-{add,drop} #2485

Open
wants to merge 4 commits into
base: master
from
Open

zsh completion: complete capabilities after --cap-{add,drop} #2485

wants to merge 4 commits into from

Conversation

@pseyfert
Copy link

@pseyfert pseyfert commented May 1, 2020

- What I did

Add a new zsh function to the completion file contrib/completion/zsh/_docker.

The bulk of the function is copy and paste from the documentation of
--cap-add (Subject to review: I barely read through them, assuming the docs on the web are a good initial version. I did not investigate if the list of capabilities can be obtained in an automated manner.).

The function is called when tab completing docker run --cap-add= (or drop).

The suggested completion should look like that (depending on a user's configuration of zsh's tab completion):

>> docker run --cap-add=
special capability value:
ALL  -- enable/disable all capabilities
off by default capabilities:
AUDIT_CONTROL    -- Enable and disable kernel auditing; change auditing filter rules; retrieve auditing st
BLOCK_SUSPEND    -- Employ features that can block system suspend.
DAC_READ_SEARCH  -- Bypass file read permission checks and directory read and execute permission checks.
IPC_LOCK         -- Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
...

The function checks:

  • if --cap-add or --cap-drop is completed. In the former case, off-by-default capabilities are suggested. In the latter case on-by-default capabilities are suggested (I took that idea from the bash completion).

  • if --cap-add=ALL or --cap-drop=ALL are present on the current command line. If --cap-add=ALL is present in the command line, then --cap-drop= will also suggest off-by-default capabilities (and vice versa). This should look something like that:

special capability value:
ALL  -- enable/disable all capabilities
on by default capabilities:
AUDIT_WRITE       -- Write records to kernel auditing log.
CHOWN             -- Make arbitrary changes to file UIDs and GIDs (see chown(2)).
...
off by default capabilities:
AUDIT_CONTROL    -- Enable and disable kernel auditing; change auditing filter rules; retrieve auditing st
BLOCK_SUSPEND    -- Employ features that can block system suspend.
DAC_READ_SEARCH  -- Bypass file read permission checks and directory read and execute permission checks.
...

The function does not check any other already-present settings of --cap-add. I.e. docker run --cap-add=BLOCK_SUSPEND --cap-add=<TAB> will still suggest BLOCK_SUSPEND as option.
(Subject for discussion. My impression is it's not worth increasing the complexity of the completion function for such a corner case.)

- How I did it

Sticking to zsh's builtin features. I use the opt_args associative array to
detect what's already specified in --cap-add on the command line. If the
option is given multiple times, $opt_args[--cap-add] will be colon separated.
I didn't add any logic to handle that case but rely on *ALL* matching exactly
the ALL value and ALL doesn't occur in any other capability.

- How to verify it

Typed interactively a few examples

docker run --cap-add=<TAB>

docker run --cap-drop=<TAB>

docker run --cap-add=ALL --cap-drop=<TAB>

docker run --cap-add=DAC_READ_SEARCH --cap-add=ALL --cap-add=MAC_OVERRIDE --cap-drop=<TAB>

- Description for the changelog

Add suggestions for docker run --cap-{add,drop}=<TAB> in the zsh completion

- A picture of a cute animal (not mandatory but encouraged)

DSC_7596
@pseyfert pseyfert force-pushed the pseyfert:zsh-complete-capabilities branch from c4b3de5 to 038b129 May 4, 2020
pseyfert added 2 commits May 1, 2020
@pseyfert
zsh completion: complete capabilities after --cap-{add,drop}
c00e9f5 
Possible values and descriptions are taken from
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
The distinction of default-on and default-off capabilities is inspired
by the bash completion. A small check if --cap-{add,drop}=ALL is present
in the command line is done, if so all capabilities (regardless of their
default) are suggested. No other clever behaviour is added (i.e. a
capability that's already added will be suggested again in --cap-add=).

Signed-off-by: Paul Seyfert <pseyfert.mathphys@gmail.com>
@pseyfert
zsh completion: fixup detection of --cap-{add,drop}=ALL
Loading status checks…
038b129 
Signed-off-by: Paul Seyfert <pseyfert.mathphys@gmail.com>
@thaJeztah
thaJeztah requested changes May 7, 2020
View changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Thanks! I left a comment with some suggestions
contrib/completion/zsh/_docker Outdated
# list and description taken from https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
local -a default_off_capabilities default_on_capabilities all_capabilities
default_off_capabilities=(
"SYS_MODULE:Load and unload kernel modules."

This comment has been minimized.

Sign in to view
@thaJeztah

thaJeztah May 7, 2020
Member

Could you

This comment has been minimized.

Sign in to view
@pseyfert

pseyfert May 7, 2020
edited
Author

sort alphabetically

sure

add ALL to the list

not sure i understand the suggestion. in line 264 and 265 ALL gets added to the suggestions in any case, so I handle this special capability separate instead of adding it to both lists. Did you overlook that or do you suggest dropping the special treatment and adding ALL to the default_off and default_on lists?

double check against bash

will do

change the names

I like your suggestion

This comment has been minimized.

Sign in to view
@pseyfert

pseyfert May 7, 2020
Author

✓ sorted alphabetically
✓ compared against bash: the only difference I spotted is that my alphabetic sorting put SYSLOG into a different position
✓ renamed the arrays (and rephrased the labels)
→ waiting for clarification on ALL. I thought back why I treated ALL separately in the first draft. I had decided in favor of that when I was considering to obtain the list of capabilities in an automated way rather than hardcoding them. Since I didn't go for that, the reason for three instead of two arrays is gone. Having a "suggest for drop" "suggest for add" and "suggest always" list kind of eases things up when completing docker run --cap-add=ALL --cap-drop= (because then ALL doesn't appear twice in the suggestions (in the "droppable (on by default)" and the "droppable (enabled through ALL)") but if you prefer two lists for other reasons that's fine with me
@pseyfert
zsh completion: review suggestions
Loading status checks…
09d423b 
Signed-off-by: Paul Seyfert <pseyfert.mathphys@gmail.com>
@pseyfert
Copy link
Author

@pseyfert pseyfert commented Sep 16, 2020

ping?
@pseyfert pseyfert requested a review from thaJeztah Sep 16, 2020
@pseyfert pseyfert force-pushed the pseyfert:zsh-complete-capabilities branch from 601eeb5 to 44328d8 Sep 16, 2020
@pseyfert
add missing capabilities
Loading status checks…
44328d8 
this picks completions added in #2723 and #2726 to the bash completion.

Signed-off-by: Paul Seyfert <pseyfert.mathphys@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thaJeztah thaJeztah

Assignees
No one assigned
Labels
area/completion status/2-code-review
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@pseyfert @thaJeztah
You can’t perform that action at this time.