feat: modify agent install script to give `CAP_NET_ADMIN` if available (#9908)
parent
2a19b46ab7
commit
39846d69d3
|
@ -272,6 +272,7 @@ resource "docker_container" "workspace" {
|
|||
runtime = "sysbox-runc"
|
||||
env = [
|
||||
"CODER_AGENT_TOKEN=${coder_agent.dev.token}",
|
||||
"USE_CAP_NET_ADMIN=true",
|
||||
]
|
||||
host {
|
||||
host = "host.docker.internal"
|
||||
|
@ -282,6 +283,9 @@ resource "docker_container" "workspace" {
|
|||
volume_name = docker_volume.home_volume.name
|
||||
read_only = false
|
||||
}
|
||||
capabilities {
|
||||
add = ["CAP_NET_ADMIN", "CAP_SYS_NICE"]
|
||||
}
|
||||
# Add labels in Docker to keep track of orphan resources.
|
||||
labels {
|
||||
label = "coder.owner"
|
||||
|
|
|
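Review bot: The new `capabilities` block grants CAP_SYS_NICE in addition to CAP_NET_ADMIN, but the commit title and the agent script only ever mention CAP_NET_ADMIN, so the second capability has no stated reason in the template. A comment above `add = ["CAP_NET_ADMIN", "CAP_SYS_NICE"]` explaining what each capability is for, e.g. `# CAP_NET_ADMIN: lets the agent raise network buffer sizes (see the install script); CAP_SYS_NICE: <reason>`, would let a reader of the example template judge whether the extra grant is needed, and it should be dropped if nothing in the workspace uses it. The `USE_CAP_NET_ADMIN=true` env entry in the first hunk could carry a similar one-line note pointing at the capabilities block it depends on.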
@ -187,6 +187,7 @@ resource "docker_container" "workspace" {
|
|||
volume_name = docker_volume.home_volume.name
|
||||
read_only = false
|
||||
}
|
||||
|
||||
# Add labels in Docker to keep track of orphan resources.
|
||||
labels {
|
||||
label = "coder.owner"
|
||||
|
|
|
@ -43,6 +43,47 @@ if ! chmod +x $BINARY_NAME; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
haslibcap2() {
|
||||
command -v setcap /dev/null 2>&1
|
||||
command -v capsh /dev/null 2>&1
|
||||
}
|
||||
printnetadminmissing() {
|
||||
echo "The root user does not have CAP_NET_ADMIN permission. " + \
|
||||
"If running in Docker, add the capability to the container for " + \
|
||||
"improved network performance."
|
||||
echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
|
||||
}
|
||||
|
||||
# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase
|
||||
# network buffers which improves network transfer speeds.
|
||||
if [ -n "${USE_CAP_NET_ADMIN:-}" ]; then
|
||||
# If running as root, we do not need to do anything.
|
||||
if [ "$(id -u)" -eq 0 ]; then
|
||||
echo "Running as root, skipping setcap"
|
||||
# Warn the user if root does not have CAP_NET_ADMIN.
|
||||
if ! capsh --has-p=CAP_NET_ADMIN; then
|
||||
printnetadminmissing
|
||||
fi
|
||||
|
||||
# If not running as root, make sure we have sudo perms and the "setcap" +
|
||||
# "capsh" binaries exist.
|
||||
elif sudo -nl && haslibcap2; then
|
||||
# Make sure the root user has CAP_NET_ADMIN.
|
||||
if sudo -n capsh --has-p=CAP_NET_ADMIN; then
|
||||
sudo -n setcap CAP_NET_ADMIN=+ep ./$BINARY_NAME || true
|
||||
else
|
||||
printnetadminmissing
|
||||
fi
|
||||
|
||||
# If we are not running as root, cant sudo, and "setcap" does not exist, we
|
||||
# cannot do anything.
|
||||
else
|
||||
echo "Unable to setcap agent binary. To enable improved network performance, " + \
|
||||
"give the agent passwordless sudo permissions and the \"setcap\" + \"capsh\" binaries."
|
||||
echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
|
||||
fi
|
||||
fi
|
||||
|
||||
export CODER_AGENT_AUTH="${AUTH_TYPE}"
|
||||
export CODER_AGENT_URL="${ACCESS_URL}"
|
||||
exec ./$BINARY_NAME agent
|
||||
|
|
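Review bot: haslibcap2 does not actually test for both binaries: `command -v setcap /dev/null 2>&1` is missing the `>` before `/dev/null`, so `/dev/null` is looked up as a second command name and the lookup result is printed to stdout, and because the two lines are independent statements the function's status is only that of the final capsh line, so a missing setcap is never noticed. I would collapse the body to `command -v setcap >/dev/null 2>&1 && command -v capsh >/dev/null 2>&1`. The `+ \` continuations in printnetadminmissing and in the final `else` branch are not string concatenation in shell, so echo emits a literal `+` between the fragments; keep the backslash and drop the `+`. Separately, `sudo -nl` only shows that some passwordless sudo entry exists, so when setcap/capsh themselves are not permitted the `sudo -n capsh --has-p=CAP_NET_ADMIN` failure is reported as root lacking CAP_NET_ADMIN rather than as a sudo problem; checking the sudo status separately from the capability status would make the message accurate.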