From a24898b715112e57b9ac0fa8f1763ebda2dbdcf0 Mon Sep 17 00:00:00 2001 From: David Wittman Date: Tue, 7 Aug 2018 01:41:52 -0500 Subject: [PATCH] Add cap_drop to docker_container module (#36889) Closes #29578 --- .../modules/cloud/docker/docker_container.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lib/ansible/modules/cloud/docker/docker_container.py b/lib/ansible/modules/cloud/docker/docker_container.py index e328687a20a..a61529d825e 100644 --- a/lib/ansible/modules/cloud/docker/docker_container.py +++ b/lib/ansible/modules/cloud/docker/docker_container.py @@ -37,6 +37,10 @@ options: capabilities: description: - List of capabilities to add to the container. + cap_drop: + description: + - List of capabilities to drop from the container. + version_added: "2.7" cleanup: description: - Use with I(detach=false) to remove the container after successful execution. @@ -561,6 +565,15 @@ EXAMPLES = ''' name: sleepy purge_networks: yes +- name: Create a container with limited capabilities + docker_container: + name: sleepy + image: ubuntu:16.04 + command: sleep infinity + capabilities: + - sys_time + cap_drop: + - all ''' RETURN = ''' @@ -650,6 +663,7 @@ class TaskParameters(DockerBaseClass): self.auto_remove = None self.blkio_weight = None self.capabilities = None + self.cap_drop = None self.cleanup = None self.command = None self.cpu_period = None @@ -905,6 +919,7 @@ class TaskParameters(DockerBaseClass): network_mode='network_mode', userns_mode='userns_mode', cap_add='capabilities', + cap_drop='cap_drop', extra_hosts='etc_hosts', read_only='read_only', ipc_mode='ipc_mode', @@ -2039,6 +2054,7 @@ def main(): auto_remove=dict(type='bool', default=False), blkio_weight=dict(type='int'), capabilities=dict(type='list'), + cap_drop=dict(type='list'), cleanup=dict(type='bool', default=False), command=dict(type='raw'), cpu_period=dict(type='int'),