Add support for privileged mode

agent/exec/dockerapi/container.go

@@ -212,6 +212,7 @@ func (c *containerConfig) hostConfig() *enginecontainer.HostConfig {
 		Isolation:    c.isolation(),
 		CapAdd:       c.spec().CapabilityAdd,
 		CapDrop:      c.spec().CapabilityDrop,
+		Privileged:   c.spec().Privileged,
 	}
 
 	// The format of extra hosts on swarmkit is specified in:

agent/exec/dockerapi/container_test.go

@@ -299,6 +299,26 @@ func TestCapabilityDrop(t *testing.T) {
 	}
 }
 
+func TestPrivileged(t *testing.T) {
+	c := containerConfig{
+		task: &api.Task{
+			Spec: api.TaskSpec{
+				Runtime: &api.TaskSpec_Container{
+					Container: &api.ContainerSpec{
+						Privileged: true,
+					},
+				},
+			},
+		},
+	}
+
+	expected := true
+	actual := c.hostConfig().Privileged
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("expected %v, got %v", expected, actual)
+	}
+}
+
 func TestUlimits(t *testing.T) {
 	c := containerConfig{
 		task: &api.Task{

api/api.pb.txt

@@ -2735,8 +2735,8 @@ file {
         label: LABEL_OPTIONAL
         type: TYPE_UINT32
         options {
-          65001: 0
           65003: "os.FileMode"
+          65001: 0
         }
         json_name: "mode"
       }
@@ -2904,8 +2904,8 @@ file {
       type: TYPE_MESSAGE
       type_name: ".google.protobuf.Duration"
       options {
-        65001: 0
         65011: 1
+        65001: 0
       }
       json_name: "delay"
     }
@@ -3348,8 +3348,8 @@ file {
         }
       }
       options {
-        62001: 0
         62023: "PublishMode"
+        62001: 0
       }
     }
   }
@@ -4055,8 +4055,8 @@ file {
       label: LABEL_OPTIONAL
       type: TYPE_UINT32
       options {
-        65001: 0
         65003: "os.FileMode"
+        65001: 0
       }
       json_name: "mode"
     }
@@ -5052,8 +5052,8 @@ file {
       }
     }
     options {
-      62001: 0
       62023: "NodeRole"
+      62001: 0
     }
   }
   syntax: "proto3"
@@ -5677,6 +5677,13 @@ file {
       type_name: ".docker.swarmkit.v1.ContainerSpec.Ulimit"
       json_name: "ulimits"
     }
+    field {
+      name: "privileged"
+      number: 30
+      label: LABEL_OPTIONAL
+      type: TYPE_BOOL
+      json_name: "privileged"
+    }
     nested_type {
       name: "LabelsEntry"
       field {
@@ -9739,8 +9746,8 @@ file {
       type: TYPE_MESSAGE
       type_name: ".google.protobuf.Duration"
       options {
-        65001: 0
         65011: 1
+        65001: 0
       }
       json_name: "period"
     }
@@ -10958,14 +10965,14 @@ file {
     }
   }
   options {
-    63001: 0
-    63002: 0
     63017: 1
-    63018: 1
     63020: 1
+    63018: 1
+    63001: 0
+    63002: 0
+    63035: 0
     63026: 0
     63034: 0
-    63035: 0
   }
 }
 file {

api/specs.proto

@@ -370,6 +370,9 @@ message ContainerSpec {
 	// Ulimits defines the list of ulimits to set in the container. This option
 	// is equivalent to passing --ulimit to docker run.
 	repeated Ulimit ulimits = 29;
+
+	// Privileged give extended privileges to the container
+	bool privileged = 30;
 }
 
 // EndpointSpec defines the properties that can be configured to

cmd/swarmctl/service/flagparser/container.go

@@ -76,5 +76,13 @@ func parseContainer(flags *pflag.FlagSet, spec *api.ServiceSpec) error {
 		}
 	}
 
+	if flags.Changed("privileged") {
+		privileged, err := flags.GetBool("privileged")
+		if err != nil {
+			return err
+		}
+		spec.Task.GetContainer().Privileged = privileged
+	}
+
 	return nil
 }

cmd/swarmctl/service/flagparser/flags.go

@@ -25,6 +25,7 @@ func AddServiceFlags(flags *pflag.FlagSet) {
 	flags.StringSlice("env", nil, "container env")
 	flags.Bool("tty", false, "open a tty on standard streams")
 	flags.Bool("open-stdin", false, "open standard input")
+	flags.Bool("privileged", false, "give extended privileges to container (default false)")
 
 	flags.StringSlice("ports", nil, "ports")
 	flags.String("network", "", "network name")