feat: modify agent install script to give CAP_NET_ADMIN if available

coadler · coadler · commit 234027dddfd7 · 2023-09-29T01:22:02.000Z
diff --git a/dogfood/main.tf b/dogfood/main.tf
@@ -342,6 +342,9 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  capabilities {
+    add = ["CAP_NET_ADMIN"]
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/examples/templates/docker/build/Dockerfile b/examples/templates/docker/build/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update \
 	sudo \
 	vim \
 	wget \
+	libcap2-bin \
 	&& rm -rf /var/lib/apt/lists/*
 
 ARG USER=coder
diff --git a/examples/templates/docker/main.tf b/examples/templates/docker/main.tf
@@ -187,6 +187,9 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  capabilities {
+    add = ["CAP_NET_ADMIN"]
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/provisionersdk/scripts/bootstrap_linux.sh b/provisionersdk/scripts/bootstrap_linux.sh
@@ -43,6 +43,43 @@ if ! chmod +x $BINARY_NAME; then
 	exit 1
 fi
 
+haslibcap2() {
+	command -v setcap /dev/null 2>&1
+	command -v capsh /dev/null 2>&1
+}
+
+# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase
+# network buffers which improves network transfer speeds.
+if [ -n "${USE_CAP_NET_ADMIN}" ]; then
+	# If running as root, we don't need to do anything.
+	if [ "$(id -u)" -eq 0 ]; then
+		echo "Running as root, skipping setcap"
+		# Warn the user if root doesn't have CAP_NET_ADMIN.
+		if ! capsh --has-p=CAP_NET_ADMIN; then
+			echo "The root user doesn't have CAP_NET_ADMIN permission. " + \
+				"If running in Docker, add the capability to the container for " + \
+				"improved network performance."
+		fi
+
+	# If not running as root, make sure we have sudo perms and the 'setcap' binary
+	# exists.
+	elif sudo -nl && haslibcap2; then
+		# Make sure the root user has CAP_NET_ADMIN.
+		if sudo -n capsh --has-p=CAP_NET_ADMIN; then
+			sudo -n setcap CAP_NET_ADMIN=+ep ./$BINARY_NAME || true
+		else
+			echo "The root user doesn't have CAP_NET_ADMIN permission. " + \
+				"If running in Docker, add the capability to the container for " + \
+				"improved network performance."
+		fi
+
+	# If we're not running as root, can't sudo, and 'setcap' doesn't exist, we can't
+	# do anything.
+	else
+		echo "Unable to setcap agent binary. Missing passwordless sudo permissions or the 'setcap' binary."
+	fi
+fi
+
 export CODER_AGENT_AUTH="${AUTH_TYPE}"
 export CODER_AGENT_URL="${ACCESS_URL}"
 exec ./$BINARY_NAME agent
