feat: modify agent install script to give `CAP_NET_ADMIN` if available (#9908)

dogfood/main.tf

@@ -272,6 +272,7 @@ resource "docker_container" "workspace" {
   runtime = "sysbox-runc"
   env = [
     "CODER_AGENT_TOKEN=${coder_agent.dev.token}",
+    "USE_CAP_NET_ADMIN=true",
   ]
   host {
     host = "host.docker.internal"
@@ -282,6 +283,9 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  capabilities {
+    add = ["CAP_NET_ADMIN", "CAP_SYS_NICE"]
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"

examples/templates/docker/main.tf

@@ -187,6 +187,7 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"

provisionersdk/scripts/bootstrap_linux.sh

@@ -43,6 +43,47 @@ if ! chmod +x $BINARY_NAME; then
 	exit 1
 fi
 
+haslibcap2() {
+	command -v setcap /dev/null 2>&1
+	command -v capsh /dev/null 2>&1
+}
+printnetadminmissing() {
+	echo "The root user does not have CAP_NET_ADMIN permission. " + \
+		"If running in Docker, add the capability to the container for " + \
+		"improved network performance."
+	echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+}
+
+# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase
+# network buffers which improves network transfer speeds.
+if [ -n "${USE_CAP_NET_ADMIN:-}" ]; then
+	# If running as root, we do not need to do anything.
+	if [ "$(id -u)" -eq 0 ]; then
+		echo "Running as root, skipping setcap"
+		# Warn the user if root does not have CAP_NET_ADMIN.
+		if ! capsh --has-p=CAP_NET_ADMIN; then
+			printnetadminmissing
+		fi
+
+	# If not running as root, make sure we have sudo perms and the "setcap" +
+	# "capsh" binaries exist.
+	elif sudo -nl && haslibcap2; then
+		# Make sure the root user has CAP_NET_ADMIN.
+		if sudo -n capsh --has-p=CAP_NET_ADMIN; then
+			sudo -n setcap CAP_NET_ADMIN=+ep ./$BINARY_NAME || true
+		else
+			printnetadminmissing
+		fi
+
+	# If we are not running as root, cant sudo, and "setcap" does not exist, we
+	# cannot do anything.
+	else
+		echo "Unable to setcap agent binary. To enable improved network performance, " + \
+			"give the agent passwordless sudo permissions and the \"setcap\" + \"capsh\" binaries."
+		echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+	fi
+fi
+
 export CODER_AGENT_AUTH="${AUTH_TYPE}"
 export CODER_AGENT_URL="${ACCESS_URL}"
 exec ./$BINARY_NAME agent