From d657cac258f3ca5f10aad3edce88edebff62e768 Mon Sep 17 00:00:00 2001
From: Colin Adler
Date: Thu, 28 Sep 2023 17:28:36 +0000
Subject: [PATCH] feat: modify agent install script to give `CAP_NET_ADMIN` if available

---
 dogfood/main.tf | 4 +++
 examples/templates/docker/main.tf | 1 +
 provisionersdk/scripts/bootstrap_linux.sh | 41 +++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 mode change 100644 => 100755 provisionersdk/scripts/bootstrap_linux.sh

diff --git a/dogfood/main.tf b/dogfood/main.tf
index b0db524fd9958..94549ba11b64f 100644
--- a/dogfood/main.tf
+++ b/dogfood/main.tf
@@ -272,6 +272,7 @@ resource "docker_container" "workspace" {
   runtime = "sysbox-runc"
   env = [
     "CODER_AGENT_TOKEN=${coder_agent.dev.token}",
+    "USE_CAP_NET_ADMIN=true",
   ]
   host {
     host = "host.docker.internal"
@@ -282,6 +283,9 @@ resource "docker_container" "workspace" {
     volume_name = docker_volume.home_volume.name
     read_only = false
   }
+  capabilities {
+    add = ["CAP_NET_ADMIN", "CAP_SYS_NICE"]
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/examples/templates/docker/main.tf b/examples/templates/docker/main.tf
index b4ec8c405707f..48a5478fcdec2 100644
--- a/examples/templates/docker/main.tf
+++ b/examples/templates/docker/main.tf
@@ -187,6 +187,7 @@ resource "docker_container" "workspace" {
     volume_name = docker_volume.home_volume.name
     read_only = false
   }
+
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
diff --git a/provisionersdk/scripts/bootstrap_linux.sh b/provisionersdk/scripts/bootstrap_linux.sh
old mode 100644
new mode 100755
index abd91d163d0e0..faf4b4a9bbfac
--- a/provisionersdk/scripts/bootstrap_linux.sh
+++ b/provisionersdk/scripts/bootstrap_linux.sh
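Review bot: The capabilities block in the second dogfood/main.tf hunk also adds `CAP_SYS_NICE`, which neither the commit subject nor the new bootstrap script references; if it is intentional, the block should carry a comment such as `# CAP_NET_ADMIN lets the agent raise socket buffer sizes (see bootstrap_linux.sh); CAP_SYS_NICE: <reason-placeholder>`. A capability added here is granted to the container as a whole, not only to the agent binary, so naming each capability's consumer is what makes a later least-privilege review possible. The env line in the first hunk sets `USE_CAP_NET_ADMIN=true`, but the script only tests that variable for non-emptiness, so any value, including `false`, enables the setcap path; either document that here or have the script compare against `true`.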
@@ -43,6 +43,47 @@ if ! chmod +x $BINARY_NAME; then
   exit 1
 fi
 
+haslibcap2() {
+  command -v setcap /dev/null 2>&1
+  command -v capsh /dev/null 2>&1
+}
+printnetadminmissing() {
+  echo "The root user does not have CAP_NET_ADMIN permission. " + \
+    "If running in Docker, add the capability to the container for " + \
+    "improved network performance."
+  echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+}
+
+# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase
+# network buffers which improves network transfer speeds.
+if [ -n "${USE_CAP_NET_ADMIN:-}" ]; then
+  # If running as root, we do not need to do anything.
+  if [ "$(id -u)" -eq 0 ]; then
+    echo "Running as root, skipping setcap"
+    # Warn the user if root does not have CAP_NET_ADMIN.
+    if ! capsh --has-p=CAP_NET_ADMIN; then
+      printnetadminmissing
+    fi
+
+  # If not running as root, make sure we have sudo perms and the "setcap" +
+  # "capsh" binaries exist.
+  elif sudo -nl && haslibcap2; then
+    # Make sure the root user has CAP_NET_ADMIN.
+    if sudo -n capsh --has-p=CAP_NET_ADMIN; then
+      sudo -n setcap CAP_NET_ADMIN=+ep ./$BINARY_NAME || true
+    else
+      printnetadminmissing
+    fi
+
+  # If we are not running as root, cant sudo, and "setcap" does not exist, we
+  # cannot do anything.
+  else
+    echo "Unable to setcap agent binary. To enable improved network performance, " + \
+      "give the agent passwordless sudo permissions and the \"setcap\" + \"capsh\" binaries."
+    echo "This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html"
+  fi
+fi
+
 export CODER_AGENT_AUTH="${AUTH_TYPE}"
 export CODER_AGENT_URL="${ACCESS_URL}"
 exec ./$BINARY_NAME agent
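Review bot: `haslibcap2` cannot detect a missing `setcap`: both `command -v` lines lack the `>` before `/dev/null`, so `/dev/null` is looked up as a second command name and the resolved path is echoed to stdout, and the function's status is only that of the final `capsh` line. Replace the body with the single line `command -v setcap >/dev/null 2>&1 && command -v capsh >/dev/null 2>&1`. The `+ \` continuations in `printnetadminmissing` and in the final `else` branch are not string concatenation in sh; `echo` receives literal `+` arguments, so both messages print with stray plus signs — drop the `+` and let each quoted fragment be a separate echo argument. The root branch calls `capsh` without the `haslibcap2` guard, so on an image without libcap2 it prints a command-not-found error and then the misleading CAP_NET_ADMIN warning; wrap it as `if haslibcap2 && ! capsh --has-p=CAP_NET_ADMIN; then`. The `exit 1`/`fi` lines at the top of the hunk close an `if` whose start lies outside the hunk.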