From b80061c423f8492b36cd8ac47970af504e235ae8 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 4 Aug 2022 14:00:17 +0200
Subject: [PATCH] Update to 2022-08-04 14:00

---
 roles/nomad/defaults/main.yml | 2 ++
 roles/nomad/templates/nomad.hcl.j2 | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index 758cde5..1ffcd4b 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -76,6 +76,8 @@ nomad_base_conf:
 docker:
 enabled: True
 allow_privileged: True
+ # You can set a list of caps allowed for containers, eg
+ # allow_caps: ["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod", "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
 raw_exec:
 enabled: False
 java:
diff --git a/roles/nomad/templates/nomad.hcl.j2 b/roles/nomad/templates/nomad.hcl.j2
index 4db3eee..57ca1ed 100644
--- a/roles/nomad/templates/nomad.hcl.j2
+++ b/roles/nomad/templates/nomad.hcl.j2
@@ -86,6 +86,13 @@ client {
 plugin "docker" {
 config {
 allow_privileged = {{ nomad_conf.client.task_drivers.docker.allow_privileged | ternary('true', 'false') }}
+{% if nomad_conf.client.task_drivers.docker.allow_caps is defined %}
+ allow_caps = [
+{% for cap in nomad_conf.client.task_drivers.docker.allow_caps %}
+ "{{ cap }}",
+{% endfor %}
+ ]
+{% endif %}
 }
 }
 {% endif %}
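Review bot: The new `allow_caps` comment sits directly under `allow_privileged: True` but does not say that the capability list is irrelevant for tasks that run privileged, which that setting permits; a reader may believe the list bounds every container. I would extend the comment with `# Note: allow_caps only limits non-privileged tasks; with allow_privileged: True a job may still request privileged = true and receive the full capability set.` The example list appears to match Nomad's own default (Docker's default set without net_raw), and saying so would make clear that setting it verbatim changes nothing. The `nomad_base_conf` mapping continues outside the hunk.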
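Review bot: Each capability is interpolated as `"{{ cap }}"` without any quoting, so a list element containing a double quote or backslash would produce invalid HCL rather than an error from the role, and the six-line loop is also out of step with the single-line `ternary` rendering of `allow_privileged` just above it. Rendering the list as JSON does both jobs at once, since HCL accepts the same list syntax: replace the `allow_caps = [` … `]` loop with `      allow_caps = {{ nomad_conf.client.task_drivers.docker.allow_caps | to_json }}` inside the existing `{% if %}` guard. The `is defined` guard is fine as written; an explicitly empty list renders as `[]` either way. The enclosing `plugin "docker"` and `client {` blocks start outside the hunk.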