add cli integration for unconfined systempaths

[martencassel]

- What I did
I've implemented the proposed changes in #1347 (comment).
- Description for the changelog
Added --security-opt systempaths=unconfined support.

[codecov-io]

Codecov Report

Merging #1808 into master will decrease coverage by <.01%.
The diff coverage is 47.05%.

@@            Coverage Diff             @@
##           master    #1808      +/-   ##
==========================================
- Coverage   56.31%   56.31%   -0.01%     
==========================================
  Files         308      308              
  Lines       21391    21408      +17     
==========================================
+ Hits        12047    12055       +8     
- Misses       8465     8472       +7     
- Partials      879      881       +2

[codecov-io]

Codecov Report

Merging #1808 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1808      +/-   ##
==========================================
+ Coverage   56.31%   56.34%   +0.02%     
==========================================
  Files         308      308              
  Lines       21391    21403      +12     
==========================================
+ Hits        12047    12059      +12     
  Misses       8465     8465              
  Partials      879      879

[thaJeztah]

Thanks for working on this! I left some comments and suggestions inline.

[thaJeztah]

nit: could be;

Suggested change

	var readonlyPaths []string
	var maskedPaths , readonlyPaths []string

[thaJeztah]

Looks like we don't need the split (and don't strip whitespace etc) at this point, so this could be simplified to

Suggested change

	if con[0] == "systempaths" && con[1] == "unconfined" {
	if opt == "systempaths=unconfined" {

[thaJeztah]

I see we never return an error; although it's good practice to keep this signature, this function is not exported, so I think it's ok to drop the error return for now, and remove this error-handling

[thaJeztah]

I realise this function is not exported, but it might be important to document what it does (especially because it filters the securityOpts; perhaps add a short GoDoc; something along the line of:

Suggested change

	func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
	// parseSystemPaths checks if `systempaths=unconfined` security option is set,
	// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
	// list of security options is returned with this option removed, because the
	// `unconfined` option is handled client-side, and should not be sent to the
	// daemon.
	func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {

(suggestions for better wording welcome! 😂)

Although I'm generally not a fan of named return variables, I'm a bit on the fence if we should use them here (for readability), as three []string returns might be difficult to read/grasp;

Suggested change

	func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
	func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {

I'd love to get feedback from others in that as well though 😅

[thaJeztah]

Would be good to test other combinations (i.e., make sure if doesn't touch other values if not set, and that invalid/unknown options are ignored; quick write-up for that;

func TestParseSystemPaths(t *testing.T) {
	tests := []struct {
		doc                       string
		in, out, masked, readonly []string
	}{
		{
			doc: "not set",
			in:  []string{},
			out: []string{},
		},
		{
			doc: "not set, preserve other options",
			in: []string{
				"seccomp=unconfined",
				"apparmor=unconfined",
				"label=user:USER",
				"foo=bar",
			},
			out: []string{
				"seccomp=unconfined",
				"apparmor=unconfined",
				"label=user:USER",
				"foo=bar",
			},
		},
		{
			doc:      "unconfined",
			in:       []string{"systempaths=unconfined"},
			out:      []string{},
			masked:   []string{},
			readonly: []string{},
		},
		{
			doc:      "unconfined and other options",
			in:       []string{"foo=bar", "systempaths=unconfined", "bar=baz"},
			out:      []string{"foo=bar", "bar=baz"},
			masked:   []string{},
			readonly: []string{},
		},
		{
			doc: "unknown option",
			in:  []string{"foo=bar", "systempaths=unkown", "bar=baz"},
			out: []string{"foo=bar", "systempaths=unkown", "bar=baz"},
		},
	}

	for _, tc := range tests {
		securityOpts, maskedPaths, readonlyPaths, err := parseSystemPaths(tc.in)
		assert.NilError(t, err)
		assert.DeepEqual(t, securityOpts, tc.out)
		assert.DeepEqual(t, maskedPaths, tc.masked)
		assert.DeepEqual(t, readonlyPaths, tc.readonly)
	}
}

[thaJeztah]

ping @tiborvass @jessfraz PTAL 🤗

[martencassel]

I've implemented your suggested changes. I will change unkown to unknown, linting failed on that.

[thaJeztah]

Oh! The linter detected my typo 😂

[thaJeztah]

Oh! when you're updating, could you fix your sign-off to use your real name (instead of your github handle)?

martencassel <[email protected]>

Guessing it's Marten Cassel, so should then be:

Marten Cassel <[email protected]>

[thaJeztah]

thanks! LGTM after the sign-off is updated 😅

[martencassel]

Updated commit sign-off.

[thaJeztah]

LGTM!

After this, we'll have to update the (reference) docs to mention the new option, and check if the compose-file format needs changes to accommodate (swarm services not yet support this option, so for docker-compose standalone)

[AkihiroSuda]

ping @tiborvass @jessfraz

[PhilippWendler]

It seems the documentation / https://docs.docker.com/reference/cli/docker/container/run/#security-opt was forgotten to be updated and this option remains undocumented. Could this be added to the docs?