feat: modify agent install script to give CAP_NET_ADMIN if available

coadler · coadler · commit abbea038170a · 2023-09-29T17:07:46.000Z
diff --git a/dogfood/main.tf b/dogfood/main.tf
@@ -332,6 +332,7 @@ resource "docker_container" "workspace" {
   runtime = "sysbox-runc"
   env = [
     "CODER_AGENT_TOKEN=${coder_agent.dev.token}",
+    "USE_CAP_NET_ADMIN=true",
   ]
   host {
     host = "host.docker.internal"
@@ -342,6 +343,9 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  capabilities {
+    add = ["CAP_NET_ADMIN", "CAP_SYS_NICE"]
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/examples/templates/docker/build/Dockerfile b/examples/templates/docker/build/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update \
 	sudo \
 	vim \
 	wget \
+	libcap2-bin \
 	&& rm -rf /var/lib/apt/lists/*
 
 ARG USER=coder
diff --git a/examples/templates/docker/main.tf b/examples/templates/docker/main.tf
@@ -187,6 +187,12 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  # Uncomment this to allow higher network speeds. Be aware this has security implications.
+  # See: https://man7.org/linux/man-pages/man7/capabilities.7.html
+  # capabilities {
+  #   add = ["CAP_NET_ADMIN"]
+  # }
+
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/provisionersdk/scripts/bootstrap_linux.sh b/provisionersdk/scripts/bootstrap_linux.sh
@@ -43,6 +43,47 @@ if ! chmod +x $BINARY_NAME; then
 	exit 1
 fi
 
+haslibcap2() {
+	command -v setcap /dev/null 2>&1
+	command -v capsh /dev/null 2>&1
+}
+printnetadminmissing() {
+	echo "The root user does not have CAP_NET_ADMIN permission. " + \
+		"If running in Docker, add the capability to the container for " + \
+		"improved network performance."
+	echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+}
+
+# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase
+# network buffers which improves network transfer speeds.
+if [ -n "${USE_CAP_NET_ADMIN:-}" ]; then
+	# If running as root, we do not need to do anything.
+	if [ "$(id -u)" -eq 0 ]; then
+		echo "Running as root, skipping setcap"
+		# Warn the user if root does not have CAP_NET_ADMIN.
+		if ! capsh --has-p=CAP_NET_ADMIN; then
+			printnetadminmissing
+		fi
+
+	# If not running as root, make sure we have sudo perms and the "setcap" +
+	# "capsh" binaries exist.
+	elif sudo -nl && haslibcap2; then
+		# Make sure the root user has CAP_NET_ADMIN.
+		if sudo -n capsh --has-p=CAP_NET_ADMIN; then
+			sudo -n setcap CAP_NET_ADMIN=+ep ./$BINARY_NAME || true
+		else
+			printnetadminmissing
+		fi
+
+	# If we are not running as root, cant sudo, and "setcap" does not exist, we
+	# cannot do anything.
+	else
+		echo "Unable to setcap agent binary. To enable improved network performance, " + \
+			"give the agent passwordless sudo permissions and the \"setcap\" + \"capsh\" binaries."
+		echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+	fi
+fi
+
 export CODER_AGENT_AUTH="${AUTH_TYPE}"
 export CODER_AGENT_URL="${ACCESS_URL}"
 exec ./$BINARY_NAME agent
