authorBrian Goff <cpuguy83@gmail.com>2020-07-23 11:03:15 -0700
committerBrian Goff <cpuguy83@gmail.com>2020-07-27 10:09:42 -0700
commit24f173a003727611aa482a55b812e0e39c67be65 (patch)
treef640a470a7b00ef6510a41b5d1b66c311348d43d /integration
parentbaa321293f74e39442d0c9f88e8d6d3adcb0b418 (diff)
downloaddocker-24f173a003727611aa482a55b812e0e39c67be65.tar.gz
Replace service "Capabilities" w/ add/drop API
After discussing with maintainers, it was decided putting the burden of providing the full cap list on the client is not a good design. Instead we decided to follow along with the container API and use cap add/drop. This brings in the changes already merged into swarmkit. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Diffstat (limited to 'integration')
-rw-r--r--integration/container/create_test.go128
-rw-r--r--integration/internal/swarm/service.go5
-rw-r--r--integration/service/create_test.go17
3 files changed, 13 insertions, 137 deletions
diff --git a/integration/container/create_test.go b/integration/container/create_test.go
index 0d7b75465b..801f902772 100644
--- a/integration/container/create_test.go
+++ b/integration/container/create_test.go
@@ -17,7 +17,6 @@ import (
"github.com/docker/docker/errdefs"
ctr "github.com/docker/docker/integration/internal/container"
"github.com/docker/docker/oci"
- "github.com/docker/docker/testutil/request"
specs "github.com/opencontainers/image-spec/specs-go/v1"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
@@ -258,133 +257,6 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {
}
}
-func TestCreateWithCapabilities(t *testing.T) {
- skip.If(t, testEnv.DaemonInfo.OSType == "windows", "FIXME: test should be able to run on LCOW")
- skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "Capabilities was added in API v1.40")
-
- defer setupTest(t)()
- ctx := context.Background()
- clientNew := request.NewAPIClient(t)
- clientOld := request.NewAPIClient(t, client.WithVersion("1.39"))
-
- testCases := []struct {
- doc string
- hostConfig container.HostConfig
- expected []string
- expectedError string
- oldClient bool
- }{
- {
- doc: "no capabilities",
- hostConfig: container.HostConfig{},
- },
- {
- doc: "empty capabilities",
- hostConfig: container.HostConfig{
- Capabilities: []string{},
- },
- expected: []string{},
- },
- {
- doc: "valid capabilities",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
- },
- expected: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
- },
- {
- doc: "invalid capabilities",
- hostConfig: container.HostConfig{
- Capabilities: []string{"NET_RAW"},
- },
- expectedError: `invalid Capabilities: unknown capability: "NET_RAW"`,
- },
- {
- doc: "duplicate capabilities",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"},
- },
- expected: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"},
- },
- {
- doc: "capabilities API v1.39",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
- },
- expected: nil,
- oldClient: true,
- },
- {
- doc: "empty capadd",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_ADMIN"},
- CapAdd: []string{},
- },
- expected: []string{"CAP_NET_ADMIN"},
- },
- {
- doc: "empty capdrop",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_ADMIN"},
- CapDrop: []string{},
- },
- expected: []string{"CAP_NET_ADMIN"},
- },
- {
- doc: "capadd capdrop",
- hostConfig: container.HostConfig{
- CapAdd: []string{"SYS_NICE", "CAP_SYS_NICE"},
- CapDrop: []string{"SYS_NICE", "CAP_SYS_NICE"},
- },
- },
- {
- doc: "conflict with capadd",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_ADMIN"},
- CapAdd: []string{"SYS_NICE"},
- },
- expectedError: `conflicting options: Capabilities and CapAdd`,
- },
- {
- doc: "conflict with capdrop",
- hostConfig: container.HostConfig{
- Capabilities: []string{"CAP_NET_ADMIN"},
- CapDrop: []string{"NET_RAW"},
- },
- expectedError: `conflicting options: Capabilities and CapDrop`,
- },
- }
-
- for _, tc := range testCases {
- tc := tc
- t.Run(tc.doc, func(t *testing.T) {
- t.Parallel()
- client := clientNew
- if tc.oldClient {
- client = clientOld
- }
-
- c, err := client.ContainerCreate(context.Background(),
- &container.Config{Image: "busybox"},
- &tc.hostConfig,
- &network.NetworkingConfig{},
- nil,
- "",
- )
- if tc.expectedError == "" {
- assert.NilError(t, err)
- ci, err := client.ContainerInspect(ctx, c.ID)
- assert.NilError(t, err)
- assert.Check(t, ci.HostConfig != nil)
- assert.DeepEqual(t, tc.expected, ci.HostConfig.Capabilities)
- } else {
- assert.ErrorContains(t, err, tc.expectedError)
- assert.Check(t, errdefs.IsInvalidParameter(err))
- }
- })
- }
-}
-
func TestCreateWithCustomReadonlyPaths(t *testing.T) {
skip.If(t, testEnv.DaemonInfo.OSType != "linux")
diff --git a/integration/internal/swarm/service.go b/integration/internal/swarm/service.go
index 5e9bb416ef..19ebff0e9a 100644
--- a/integration/internal/swarm/service.go
+++ b/integration/internal/swarm/service.go
@@ -189,10 +189,11 @@ func ServiceWithSysctls(sysctls map[string]string) ServiceSpecOpt {
}
// ServiceWithCapabilities sets the Capabilities option of the service's ContainerSpec.
-func ServiceWithCapabilities(Capabilities []string) ServiceSpecOpt {
+func ServiceWithCapabilities(add []string, drop []string) ServiceSpecOpt {
return func(spec *swarmtypes.ServiceSpec) {
ensureContainerSpec(spec)
- spec.TaskTemplate.ContainerSpec.Capabilities = Capabilities
+ spec.TaskTemplate.ContainerSpec.CapabilityAdd = add
+ spec.TaskTemplate.ContainerSpec.CapabilityDrop = drop
}
}
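Review bot: The doc comment above the changed signature still says the option "sets the Capabilities option of the service's ContainerSpec", but the new body assigns CapabilityAdd and CapabilityDrop, and this commit removes the single Capabilities list from every call site; update it to `// ServiceWithCapabilities sets the CapabilityAdd and CapabilityDrop options of the service's ContainerSpec.` so the helper's contract matches what it writes. As a point of style, the two parameters share a type and read better as `func ServiceWithCapabilities(add, drop []string) ServiceSpecOpt`. The only caller in this diff (integration/service/create_test.go) already passes `(capAdd, capDrop)`, so neither change affects it.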
diff --git a/integration/service/create_test.go b/integration/service/create_test.go
index 5f3828edc6..9a7d5c0c14 100644
--- a/integration/service/create_test.go
+++ b/integration/service/create_test.go
@@ -10,6 +10,7 @@ import (
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
+ "github.com/docker/docker/api/types/strslice"
swarmtypes "github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/api/types/versions"
"github.com/docker/docker/client"
@@ -492,12 +493,13 @@ func TestCreateServiceCapabilities(t *testing.T) {
ctx := context.Background()
// store the map we're going to be using everywhere.
- expectedCapabilities := []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}
+ capAdd := []string{"CAP_SYS_CHROOT"}
+ capDrop := []string{"CAP_NET_RAW"}
// Create the service with the capabilities options
var instances uint64 = 1
serviceID := swarm.CreateService(t, d,
- swarm.ServiceWithCapabilities(expectedCapabilities),
+ swarm.ServiceWithCapabilities(capAdd, capDrop),
)
// wait for the service to converge to 1 running task as expected
@@ -529,15 +531,16 @@ func TestCreateServiceCapabilities(t *testing.T) {
// verify that the container has the capabilities option set
ctnr, err := client.ContainerInspect(ctx, tasks[0].Status.ContainerStatus.ContainerID)
assert.NilError(t, err)
- assert.DeepEqual(t, ctnr.HostConfig.Capabilities, expectedCapabilities)
+ assert.DeepEqual(t, ctnr.HostConfig.CapAdd, strslice.StrSlice(capAdd))
+ assert.DeepEqual(t, ctnr.HostConfig.CapDrop, strslice.StrSlice(capDrop))
// verify that the task has the capabilities option set in the task object
- assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.Capabilities, expectedCapabilities)
+ assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityAdd, capAdd)
+ assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityDrop, capDrop)
// verify that the service also has the capabilities set in the spec.
service, _, err := client.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
assert.NilError(t, err)
- assert.DeepEqual(t,
- service.Spec.TaskTemplate.ContainerSpec.Capabilities, expectedCapabilities,
- )
+ assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd, capAdd)
+ assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop, capDrop)
}
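Review bot: The three new assertion pairs only confirm that the add/drop lists are echoed back unchanged at the service, task and container HostConfig levels; nothing in the hunk looks at the running container to confirm CAP_NET_RAW is actually absent from its capability set, so a regression in how the daemon applies CapDrop would still pass this test. If effective behavior is meant to be covered here, a follow-up check that inspects the started container's capabilities would close that gap, though that may be intentionally out of scope for a create test. The context comment `// verify that the container has the capabilities option set` now precedes two options; `// verify that the container's HostConfig carries both the CapAdd and CapDrop lists` describes what follows more precisely, and the earlier hunk's `// store the map we're going to be using everywhere.` now sits above two slices rather than a map. TestCreateServiceCapabilities begins outside this hunk.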