Merge pull request #41249 from cpuguy83/swarm_caps

Replace swarm Capabilites API with cap add/drop API

api/server/router/container/container_routes.go

@@ -489,9 +489,6 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		// Ignore KernelMemoryTCP because it was added in API 1.40.
 		hostConfig.KernelMemoryTCP = 0
 
-		// Ignore Capabilities because it was added in API 1.40.
-		hostConfig.Capabilities = nil
-
 		// Older clients (API < 1.40) expects the default to be shareable, make them happy
 		if hostConfig.IpcMode.IsEmpty() {
 			hostConfig.IpcMode = container.IpcMode("shareable")

api/server/router/swarm/helpers.go

@@ -99,7 +99,8 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {
 		if service.TaskTemplate.ContainerSpec != nil {
 			// Capabilities for docker swarm services weren't
 			// supported before API version 1.41
-			service.TaskTemplate.ContainerSpec.Capabilities = nil
+			service.TaskTemplate.ContainerSpec.CapabilityAdd = nil
+			service.TaskTemplate.ContainerSpec.CapabilityDrop = nil
 		}
 		if service.TaskTemplate.Resources != nil && service.TaskTemplate.Resources.Limits != nil {
 			// Limits.Pids  not supported before API version 1.41

api/swagger.yaml

@@ -906,15 +906,6 @@ definitions:
               $ref: "#/definitions/Mount"
 
           # Applicable to UNIX platforms
-          Capabilities:
-            type: "array"
-            description: |
-              A list of kernel capabilities to be available for container (this
-              overrides the default set).
-
-              Conflicts with options 'CapAdd' and 'CapDrop'"
-            items:
-              type: "string"
           CapAdd:
             type: "array"
             description: |
@@ -3288,11 +3279,11 @@ definitions:
             additionalProperties:
               type: "string"
           # This option is not used by Windows containers
-          Capabilities:
+          CapabilityAdd:
             type: "array"
             description: |
-              A list of kernel capabilities to be available for container (this
-              overrides the default set).
+              A list of kernel capabilities to add to the default set
+              for the container.
             items:
               type: "string"
             example:
@@ -3300,6 +3291,15 @@ definitions:
               - "CAP_SYS_ADMIN"
               - "CAP_SYS_CHROOT"
               - "CAP_SYSLOG"
+          CapabilityDrop:
+            type: "array"
+            description: |
+              A list of kernel capabilities to drop from the default set
+              for the container.
+            items:
+              type: "string"
+            example:
+              - "CAP_NET_RAW"
       NetworkAttachmentSpec:
         description: |
           Read-only spec type for non-swarm containers attached to swarm overlay

api/types/container/host_config.go

@@ -403,7 +403,6 @@ type HostConfig struct {
 	// Applicable to UNIX platforms
 	CapAdd          strslice.StrSlice // List of kernel capabilities to add to the container
 	CapDrop         strslice.StrSlice // List of kernel capabilities to remove from the container
-	Capabilities    []string          `json:"Capabilities"` // List of kernel capabilities to be available for container (this overrides the default set)
 	CgroupnsMode    CgroupnsMode      // Cgroup namespace mode to use for the container
 	DNS             []string          `json:"Dns"`        // List of DNS server to lookup
 	DNSOptions      []string          `json:"DnsOptions"` // List of DNSOption to look for

api/types/swarm/container.go

@@ -67,11 +67,12 @@ type ContainerSpec struct {
 	// The format of extra hosts on swarmkit is specified in:
 	// http://man7.org/linux/man-pages/man5/hosts.5.html
 	//    IP_address canonical_hostname [aliases...]
-	Hosts        []string            `json:",omitempty"`
-	DNSConfig    *DNSConfig          `json:",omitempty"`
-	Secrets      []*SecretReference  `json:",omitempty"`
-	Configs      []*ConfigReference  `json:",omitempty"`
-	Isolation    container.Isolation `json:",omitempty"`
-	Sysctls      map[string]string   `json:",omitempty"`
-	Capabilities []string            `json:",omitempty"`
+	Hosts          []string            `json:",omitempty"`
+	DNSConfig      *DNSConfig          `json:",omitempty"`
+	Secrets        []*SecretReference  `json:",omitempty"`
+	Configs        []*ConfigReference  `json:",omitempty"`
+	Isolation      container.Isolation `json:",omitempty"`
+	Sysctls        map[string]string   `json:",omitempty"`
+	CapabilityAdd  []string            `json:",omitempty"`
+	CapabilityDrop []string            `json:",omitempty"`
 }

daemon/cluster/convert/container.go

@@ -18,26 +18,27 @@ func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec {
 		return nil
 	}
 	containerSpec := &types.ContainerSpec{
-		Image:        c.Image,
-		Labels:       c.Labels,
-		Command:      c.Command,
-		Args:         c.Args,
-		Hostname:     c.Hostname,
-		Env:          c.Env,
-		Dir:          c.Dir,
-		User:         c.User,
-		Groups:       c.Groups,
-		StopSignal:   c.StopSignal,
-		TTY:          c.TTY,
-		OpenStdin:    c.OpenStdin,
-		ReadOnly:     c.ReadOnly,
-		Hosts:        c.Hosts,
-		Secrets:      secretReferencesFromGRPC(c.Secrets),
-		Configs:      configReferencesFromGRPC(c.Configs),
-		Isolation:    IsolationFromGRPC(c.Isolation),
-		Init:         initFromGRPC(c.Init),
-		Sysctls:      c.Sysctls,
-		Capabilities: c.Capabilities,
+		Image:          c.Image,
+		Labels:         c.Labels,
+		Command:        c.Command,
+		Args:           c.Args,
+		Hostname:       c.Hostname,
+		Env:            c.Env,
+		Dir:            c.Dir,
+		User:           c.User,
+		Groups:         c.Groups,
+		StopSignal:     c.StopSignal,
+		TTY:            c.TTY,
+		OpenStdin:      c.OpenStdin,
+		ReadOnly:       c.ReadOnly,
+		Hosts:          c.Hosts,
+		Secrets:        secretReferencesFromGRPC(c.Secrets),
+		Configs:        configReferencesFromGRPC(c.Configs),
+		Isolation:      IsolationFromGRPC(c.Isolation),
+		Init:           initFromGRPC(c.Init),
+		Sysctls:        c.Sysctls,
+		CapabilityAdd:  c.CapabilityAdd,
+		CapabilityDrop: c.CapabilityDrop,
 	}
 
 	if c.DNSConfig != nil {
@@ -246,25 +247,26 @@ func configReferencesFromGRPC(sr []*swarmapi.ConfigReference) []*types.ConfigRef
 
 func containerToGRPC(c *types.ContainerSpec) (*swarmapi.ContainerSpec, error) {
 	containerSpec := &swarmapi.ContainerSpec{
-		Image:        c.Image,
-		Labels:       c.Labels,
-		Command:      c.Command,
-		Args:         c.Args,
-		Hostname:     c.Hostname,
-		Env:          c.Env,
-		Dir:          c.Dir,
-		User:         c.User,
-		Groups:       c.Groups,
-		StopSignal:   c.StopSignal,
-		TTY:          c.TTY,
-		OpenStdin:    c.OpenStdin,
-		ReadOnly:     c.ReadOnly,
-		Hosts:        c.Hosts,
-		Secrets:      secretReferencesToGRPC(c.Secrets),
-		Isolation:    isolationToGRPC(c.Isolation),
-		Init:         initToGRPC(c.Init),
-		Sysctls:      c.Sysctls,
-		Capabilities: c.Capabilities,
+		Image:          c.Image,
+		Labels:         c.Labels,
+		Command:        c.Command,
+		Args:           c.Args,
+		Hostname:       c.Hostname,
+		Env:            c.Env,
+		Dir:            c.Dir,
+		User:           c.User,
+		Groups:         c.Groups,
+		StopSignal:     c.StopSignal,
+		TTY:            c.TTY,
+		OpenStdin:      c.OpenStdin,
+		ReadOnly:       c.ReadOnly,
+		Hosts:          c.Hosts,
+		Secrets:        secretReferencesToGRPC(c.Secrets),
+		Isolation:      isolationToGRPC(c.Isolation),
+		Init:           initToGRPC(c.Init),
+		Sysctls:        c.Sysctls,
+		CapabilityAdd:  c.CapabilityAdd,
+		CapabilityDrop: c.CapabilityDrop,
 	}
 
 	if c.DNSConfig != nil {

daemon/cluster/executor/container/container.go

@@ -360,7 +360,8 @@ func (c *containerConfig) hostConfig() *enginecontainer.HostConfig {
 		Isolation:      c.isolation(),
 		Init:           c.init(),
 		Sysctls:        c.spec().Sysctls,
-		Capabilities:   c.spec().Capabilities,
+		CapAdd:         c.spec().CapabilityAdd,
+		CapDrop:        c.spec().CapabilityDrop,
 	}
 
 	if c.spec().DNSConfig != nil {

daemon/container.go

@@ -305,21 +305,12 @@ func validateHostConfig(hostConfig *containertypes.HostConfig, platform string)
 }
 
 func validateCapabilities(hostConfig *containertypes.HostConfig) error {
-	if len(hostConfig.CapAdd) > 0 && hostConfig.Capabilities != nil {
-		return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapAdd"))
-	}
-	if len(hostConfig.CapDrop) > 0 && hostConfig.Capabilities != nil {
-		return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapDrop"))
-	}
 	if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapAdd); err != nil {
 		return errors.Wrap(err, "invalid CapAdd")
 	}
 	if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapDrop); err != nil {
 		return errors.Wrap(err, "invalid CapDrop")
 	}
-	if err := caps.ValidateCapabilities(hostConfig.Capabilities); err != nil {
-		return errors.Wrap(err, "invalid Capabilities")
-	}
 	// TODO consider returning warnings if "Privileged" is combined with Capabilities, CapAdd and/or CapDrop
 	return nil
 }

daemon/oci_linux.go

@@ -162,7 +162,6 @@ func WithCapabilities(c *container.Container) coci.SpecOpts {
 			caps.DefaultCapabilities(),
 			c.HostConfig.CapAdd,
 			c.HostConfig.CapDrop,
-			c.HostConfig.Capabilities,
 			c.HostConfig.Privileged,
 		)
 		if err != nil {

daemon/oci_windows.go

@@ -390,7 +390,7 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
 	// Note these are against the UVM.
 	setResourcesInSpec(c, s, true) // LCOW is Hyper-V only
 
-	capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)
+	capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged)
 	if err != nil {
 		return fmt.Errorf("linux spec capabilities: %v", err)
 	}

docs/api/version-history.md

@@ -28,12 +28,12 @@ keywords: "API, Docker, rcli, REST, documentation"
 * The `filter` (singular) query parameter, which was deprecated in favor of the
   `filters` option in Docker 1.13, has now been removed from the `GET /images/json`
   endpoint. The parameter remains available when using API version 1.40 or below.
-* `GET /services` now returns `Capabilities` as part of the `ContainerSpec`.
-* `GET /services/{id}` now returns `Capabilities` as part of the `ContainerSpec`.
-* `POST /services/create` now accepts `Capabilities` as part of the `ContainerSpec`.
-* `POST /services/{id}/update` now accepts `Capabilities` as part of the `ContainerSpec`.
-* `GET /tasks` now  returns `Capabilities` as part of the `ContainerSpec`.
-* `GET /tasks/{id}` now  returns `Capabilities` as part of the `ContainerSpec`.
+* `GET /services` now returns `CappAdd` and `CapDrop` as part of the `ContainerSpec`.
+* `GET /services/{id}` now returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`.
+* `POST /services/create` now accepts `CapAdd` and `CapDrop` as part of the `ContainerSpec`.
+* `POST /services/{id}/update` now accepts `CapAdd` and `CapDrop` as part of the `ContainerSpec`.
+* `GET /tasks` now  returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`.
+* `GET /tasks/{id}` now  returns `CapAdd` and `CapDrop` as part of the `ContainerSpec`.
 * `GET /services` now returns `Pids` in `TaskTemplate.Resources.Limits`.
 * `GET /services/{id}` now returns `Pids` in `TaskTemplate.Resources.Limits`.
 * `POST /services/create` now accepts `Pids` in `TaskTemplate.Resources.Limits`.
@@ -135,11 +135,6 @@ keywords: "API, Docker, rcli, REST, documentation"
 * `GET /service/{id}` now  returns `MaxReplicas` as part of the `Placement`.
 * `POST /service/create` and `POST /services/(id or name)/update` now take the field `MaxReplicas`
   as part of the service `Placement`, allowing to specify maximum replicas per node for the service.
-* `GET /containers` now returns `Capabilities` field as part of the `HostConfig`.
-* `GET /containers/{id}/json` now returns a `Capabilities` field as part of the `HostConfig`.
-* `POST /containers/create` now takes a `Capabilities` field to set the list of
-  kernel capabilities to be available for the container (this overrides the default
-  set).
 * `POST /containers/create` on Linux now creates a container with `HostConfig.IpcMode=private`
   by default, if IpcMode is not explicitly specified. The per-daemon default can be changed
   back to `shareable` by using `DefaultIpcMode` daemon configuration parameter.

integration/container/create_test.go

@@ -17,7 +17,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	ctr "github.com/docker/docker/integration/internal/container"
 	"github.com/docker/docker/oci"
-	"github.com/docker/docker/testutil/request"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -258,133 +257,6 @@ func TestCreateWithCustomMaskedPaths(t *testing.T) {
 	}
 }
 
-func TestCreateWithCapabilities(t *testing.T) {
-	skip.If(t, testEnv.DaemonInfo.OSType == "windows", "FIXME: test should be able to run on LCOW")
-	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "Capabilities was added in API v1.40")
-
-	defer setupTest(t)()
-	ctx := context.Background()
-	clientNew := request.NewAPIClient(t)
-	clientOld := request.NewAPIClient(t, client.WithVersion("1.39"))
-
-	testCases := []struct {
-		doc           string
-		hostConfig    container.HostConfig
-		expected      []string
-		expectedError string
-		oldClient     bool
-	}{
-		{
-			doc:        "no capabilities",
-			hostConfig: container.HostConfig{},
-		},
-		{
-			doc: "empty capabilities",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{},
-			},
-			expected: []string{},
-		},
-		{
-			doc: "valid capabilities",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
-			},
-			expected: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
-		},
-		{
-			doc: "invalid capabilities",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"NET_RAW"},
-			},
-			expectedError: `invalid Capabilities: unknown capability: "NET_RAW"`,
-		},
-		{
-			doc: "duplicate capabilities",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"},
-			},
-			expected: []string{"CAP_SYS_NICE", "CAP_SYS_NICE"},
-		},
-		{
-			doc: "capabilities API v1.39",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"},
-			},
-			expected:  nil,
-			oldClient: true,
-		},
-		{
-			doc: "empty capadd",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_ADMIN"},
-				CapAdd:       []string{},
-			},
-			expected: []string{"CAP_NET_ADMIN"},
-		},
-		{
-			doc: "empty capdrop",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_ADMIN"},
-				CapDrop:      []string{},
-			},
-			expected: []string{"CAP_NET_ADMIN"},
-		},
-		{
-			doc: "capadd capdrop",
-			hostConfig: container.HostConfig{
-				CapAdd:  []string{"SYS_NICE", "CAP_SYS_NICE"},
-				CapDrop: []string{"SYS_NICE", "CAP_SYS_NICE"},
-			},
-		},
-		{
-			doc: "conflict with capadd",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_ADMIN"},
-				CapAdd:       []string{"SYS_NICE"},
-			},
-			expectedError: `conflicting options: Capabilities and CapAdd`,
-		},
-		{
-			doc: "conflict with capdrop",
-			hostConfig: container.HostConfig{
-				Capabilities: []string{"CAP_NET_ADMIN"},
-				CapDrop:      []string{"NET_RAW"},
-			},
-			expectedError: `conflicting options: Capabilities and CapDrop`,
-		},
-	}
-
-	for _, tc := range testCases {
-		tc := tc
-		t.Run(tc.doc, func(t *testing.T) {
-			t.Parallel()
-			client := clientNew
-			if tc.oldClient {
-				client = clientOld
-			}
-
-			c, err := client.ContainerCreate(context.Background(),
-				&container.Config{Image: "busybox"},
-				&tc.hostConfig,
-				&network.NetworkingConfig{},
-				nil,
-				"",
-			)
-			if tc.expectedError == "" {
-				assert.NilError(t, err)
-				ci, err := client.ContainerInspect(ctx, c.ID)
-				assert.NilError(t, err)
-				assert.Check(t, ci.HostConfig != nil)
-				assert.DeepEqual(t, tc.expected, ci.HostConfig.Capabilities)
-			} else {
-				assert.ErrorContains(t, err, tc.expectedError)
-				assert.Check(t, errdefs.IsInvalidParameter(err))
-			}
-		})
-	}
-}
-
 func TestCreateWithCustomReadonlyPaths(t *testing.T) {
 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
 

integration/internal/swarm/service.go

@@ -189,10 +189,11 @@ func ServiceWithSysctls(sysctls map[string]string) ServiceSpecOpt {
 }
 
 // ServiceWithCapabilities sets the Capabilities option of the service's ContainerSpec.
-func ServiceWithCapabilities(Capabilities []string) ServiceSpecOpt {
+func ServiceWithCapabilities(add []string, drop []string) ServiceSpecOpt {
 	return func(spec *swarmtypes.ServiceSpec) {
 		ensureContainerSpec(spec)
-		spec.TaskTemplate.ContainerSpec.Capabilities = Capabilities
+		spec.TaskTemplate.ContainerSpec.CapabilityAdd = add
+		spec.TaskTemplate.ContainerSpec.CapabilityDrop = drop
 	}
 }
 

integration/service/create_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/strslice"
 	swarmtypes "github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
@@ -492,12 +493,13 @@ func TestCreateServiceCapabilities(t *testing.T) {
 	ctx := context.Background()
 
 	// store the map we're going to be using everywhere.
-	expectedCapabilities := []string{"CAP_NET_RAW", "CAP_SYS_CHROOT"}
+	capAdd := []string{"CAP_SYS_CHROOT"}
+	capDrop := []string{"CAP_NET_RAW"}
 
 	// Create the service with the capabilities options
 	var instances uint64 = 1
 	serviceID := swarm.CreateService(t, d,
-		swarm.ServiceWithCapabilities(expectedCapabilities),
+		swarm.ServiceWithCapabilities(capAdd, capDrop),
 	)
 
 	// wait for the service to converge to 1 running task as expected
@@ -529,15 +531,16 @@ func TestCreateServiceCapabilities(t *testing.T) {
 	// verify that the container has the capabilities option set
 	ctnr, err := client.ContainerInspect(ctx, tasks[0].Status.ContainerStatus.ContainerID)
 	assert.NilError(t, err)
-	assert.DeepEqual(t, ctnr.HostConfig.Capabilities, expectedCapabilities)
+	assert.DeepEqual(t, ctnr.HostConfig.CapAdd, strslice.StrSlice(capAdd))
+	assert.DeepEqual(t, ctnr.HostConfig.CapDrop, strslice.StrSlice(capDrop))
 
 	// verify that the task has the capabilities option set in the task object
-	assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.Capabilities, expectedCapabilities)
+	assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityAdd, capAdd)
+	assert.DeepEqual(t, tasks[0].Spec.ContainerSpec.CapabilityDrop, capDrop)
 
 	// verify that the service also has the capabilities set in the spec.
 	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
 	assert.NilError(t, err)
-	assert.DeepEqual(t,
-		service.Spec.TaskTemplate.ContainerSpec.Capabilities, expectedCapabilities,
-	)
+	assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityAdd, capAdd)
+	assert.DeepEqual(t, service.Spec.TaskTemplate.ContainerSpec.CapabilityDrop, capDrop)
 }

oci/caps/utils.go

@@ -117,17 +117,11 @@ func ValidateCapabilities(caps []string) error {
 
 // TweakCapabilities tweaks capabilities by adding, dropping, or overriding
 // capabilities in the basics capabilities list.
-func TweakCapabilities(basics, adds, drops, capabilities []string, privileged bool) ([]string, error) {
+func TweakCapabilities(basics, adds, drops []string, privileged bool) ([]string, error) {
 	switch {
 	case privileged:
 		// Privileged containers get all capabilities
 		return GetAllCapabilities(), nil
-	case capabilities != nil:
-		// Use custom set of capabilities
-		if err := ValidateCapabilities(capabilities); err != nil {
-			return nil, err
-		}
-		return capabilities, nil
 	case len(adds) == 0 && len(drops) == 0:
 		// Nothing to tweak; we're done
 		return basics, nil

vendor.conf

@@ -134,7 +134,7 @@ github.com/gogo/googleapis                          01e0f9cca9b92166042241267ee2
 github.com/cilium/ebpf                              60c3aa43f488292fe2ee50fb8b833b383ca8ebbb
 
 # cluster
-github.com/docker/swarmkit                          ebe39a32e3ed4c3a3783a02c11cccf388818694c
+github.com/docker/swarmkit                          035d564a3686f5e348d861ec0c074ff26854c498
 github.com/gogo/protobuf                            5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1
 github.com/golang/protobuf                          d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3
 github.com/cloudflare/cfssl                         5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2

vendor/github.com/docker/swarmkit/api/specs.pb.go

@@ -1019,8 +1019,10 @@ type ContainerSpec struct {
 	//
 	// https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime
 	Sysctls map[string]string `protobuf:"bytes,26,rep,name=sysctls,proto3" json:"sysctls,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	// Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities)
-	Capabilities []string `protobuf:"bytes,27,rep,name=capabilities,proto3" json:"capabilities,omitempty"`
+	// CapabilityAdd sets the list of capabilities to add to the default capability list
+	CapabilityAdd []string `protobuf:"bytes,27,rep,name=capability_add,json=capabilityAdd,proto3" json:"capability_add,omitempty"`
+	// CapabilityAdd sets the list of capabilities to drop from the default capability list
+	CapabilityDrop []string `protobuf:"bytes,28,rep,name=capability_drop,json=capabilityDrop,proto3" json:"capability_drop,omitempty"`
 }
 
 func (m *ContainerSpec) Reset()      { *m = ContainerSpec{} }
@@ -1501,151 +1503,152 @@ func init() {
 }
 
 var fileDescriptor_6589acc608f7d4fd = []byte{
-	// 2289 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0x4d, 0x73, 0x23, 0xb7,
-	0xd1, 0x26, 0x25, 0x8a, 0x1f, 0x3d, 0xa4, 0x96, 0x82, 0xd7, 0xf6, 0x88, 0x6b, 0x53, 0x34, 0xbd,
-	0xf6, 0x2b, 0xdb, 0xf5, 0x52, 0x15, 0xc5, 0xe5, 0xf8, 0x23, 0x4e, 0x42, 0x8a, 0xb4, 0x44, 0xef,
-	0xae, 0xc4, 0x02, 0x65, 0x25, 0x5b, 0x95, 0x2a, 0x16, 0x38, 0x03, 0x91, 0x13, 0x0d, 0x07, 0x13,
-	0x0c, 0x28, 0x9b, 0xb7, 0x1c, 0x5d, 0xca, 0x25, 0x7f, 0x40, 0xa7, 0x54, 0x4e, 0xb9, 0x24, 0xff,
-	0x62, 0x8f, 0x3e, 0x3a, 0x17, 0x55, 0xac, 0xfd, 0x09, 0xb9, 0xe5, 0x92, 0x14, 0x30, 0x98, 0x21,
-	0xa9, 0x25, 0x57, 0x9b, 0xca, 0x1e, 0x72, 0x03, 0x7a, 0x9e, 0xa7, 0xd1, 0x0d, 0x74, 0x37, 0x1a,
-	0x03, 0xef, 0x0f, 0x1c, 0x31, 0x1c, 0xf7, 0x6b, 0x16, 0x1b, 0xed, 0xd8, 0xcc, 0x3a, 0xa3, 0x7c,
-	0x27, 0xf8, 0x9a, 0xf0, 0xd1, 0x99, 0x23, 0x76, 0x88, 0xef, 0xec, 0x04, 0x3e, 0xb5, 0x82, 0x9a,
-	0xcf, 0x99, 0x60, 0x08, 0x85, 0x80, 0x5a, 0x04, 0xa8, 0x9d, 0xff, 0xa8, 0x74, 0x1b, 0x5f, 0x4c,
-	0x7c, 0xaa, 0xf9, 0xa5, 0xbb, 0x03, 0x36, 0x60, 0x6a, 0xb8, 0x23, 0x47, 0x5a, 0x5a, 0x1e, 0x30,
-	0x36, 0x70, 0xe9, 0x8e, 0x9a, 0xf5, 0xc7, 0xa7, 0x3b, 0xf6, 0x98, 0x13, 0xe1, 0x30, 0x4f, 0x7f,
-	0xdf, 0xbc, 0xf9, 0x9d, 0x78, 0x93, 0x65, 0xd4, 0xaf, 0x39, 0xf1, 0x7d, 0xca, 0xf5, 0x82, 0xd5,
-	0xcb, 0x14, 0x64, 0x0f, 0x99, 0x4d, 0xbb, 0x3e, 0xb5, 0xd0, 0x3e, 0x18, 0xc4, 0xf3, 0x98, 0x50,
-	0xba, 0x03, 0x33, 0x59, 0x49, 0x6e, 0x1b, 0xbb, 0x5b, 0xb5, 0x67, 0x7d, 0xaa, 0xd5, 0xa7, 0xb0,
-	0x46, 0xea, 0xc9, 0xd5, 0x56, 0x02, 0xcf, 0x32, 0xd1, 0xcf, 0x21, 0x6f, 0xd3, 0xc0, 0xe1, 0xd4,
-	0xee, 0x71, 0xe6, 0x52, 0x73, 0xa5, 0x92, 0xdc, 0x5e, 0xdf, 0x7d, 0x63, 0x91, 0x26, 0xb9, 0x38,
-	0x66, 0x2e, 0xc5, 0x86, 0x66, 0xc8, 0x09, 0xda, 0x07, 0x18, 0xd1, 0x51, 0x9f, 0xf2, 0x60, 0xe8,
-	0xf8, 0xe6, 0xaa, 0xa2, 0xff, 0xdf, 0x32, 0xba, 0xb4, 0xbd, 0xf6, 0x28, 0x86, 0xe3, 0x19, 0x2a,
-	0x7a, 0x04, 0x79, 0x72, 0x4e, 0x1c, 0x97, 0xf4, 0x1d, 0xd7, 0x11, 0x13, 0x33, 0xa5, 0x54, 0xbd,
-	0xf7, 0x5c, 0x55, 0xf5, 0x19, 0x02, 0x9e, 0xa3, 0x57, 0x6d, 0x80, 0xe9, 0x42, 0xe8, 0x5d, 0xc8,
-	0x74, 0x5a, 0x87, 0xcd, 0xf6, 0xe1, 0x7e, 0x31, 0x51, 0xda, 0xbc, 0xb8, 0xac, 0xbc, 0x2a, 0x75,
-	0x4c, 0x01, 0x1d, 0xea, 0xd9, 0x8e, 0x37, 0x40, 0xdb, 0x90, 0xad, 0xef, 0xed, 0xb5, 0x3a, 0xc7,
-	0xad, 0x66, 0x31, 0x59, 0x2a, 0x5d, 0x5c, 0x56, 0x5e, 0x9b, 0x07, 0xd6, 0x2d, 0x8b, 0xfa, 0x82,
-	0xda, 0xa5, 0xd4, 0xb7, 0x7f, 0x2c, 0x27, 0xaa, 0xdf, 0x26, 0x21, 0x3f, 0x6b, 0x04, 0x7a, 0x17,
-	0xd2, 0xf5, 0xbd, 0xe3, 0xf6, 0x49, 0xab, 0x98, 0x98, 0xd2, 0x67, 0x11, 0x75, 0x4b, 0x38, 0xe7,
-	0x14, 0xdd, 0x87, 0xb5, 0x4e, 0xfd, 0xab, 0x6e, 0xab, 0x98, 0x9c, 0x9a, 0x33, 0x0b, 0xeb, 0x90,
-	0x71, 0xa0, 0x50, 0x4d, 0x5c, 0x6f, 0x1f, 0x16, 0x57, 0x16, 0xa3, 0x9a, 0x9c, 0x38, 0x9e, 0x36,
-	0xe5, 0xcf, 0x6b, 0x60, 0x74, 0x29, 0x3f, 0x77, 0xac, 0x97, 0x1c, 0x22, 0x1f, 0x41, 0x4a, 0x90,
-	0xe0, 0x4c, 0x85, 0x86, 0xb1, 0x38, 0x34, 0x8e, 0x49, 0x70, 0x26, 0x17, 0xd5, 0x74, 0x85, 0x97,
-	0x91, 0xc1, 0xa9, 0xef, 0x3a, 0x16, 0x11, 0xd4, 0x56, 0x91, 0x61, 0xec, 0xbe, 0xb3, 0x88, 0x8d,
-	0x63, 0x94, 0xb6, 0xff, 0x20, 0x81, 0x67, 0xa8, 0xe8, 0x33, 0x48, 0x0f, 0x5c, 0xd6, 0x27, 0xae,
-	0x8a, 0x09, 0x63, 0xf7, 0xad, 0x45, 0x4a, 0xf6, 0x15, 0x62, 0xaa, 0x40, 0x53, 0xd0, 0x97, 0xb0,
-	0x3e, 0x55, 0xd5, 0xfb, 0x0d, 0xeb, 0x9b, 0xb0, 0x5c, 0xc9, 0xd4, 0x92, 0x2f, 0x59, 0xff, 0x20,
-	0x81, 0x0b, 0x7c, 0x56, 0x80, 0x7e, 0x06, 0x10, 0x6a, 0x55, 0x7a, 0x0c, 0xa5, 0xe7, 0xcd, 0xe5,
-	0xc6, 0x84, 0x3a, 0x72, 0x83, 0x68, 0x82, 0x3e, 0x86, 0xf4, 0xd8, 0xb7, 0x89, 0xa0, 0x66, 0x5a,
-	0x71, 0x2b, 0x8b, 0xb8, 0x5f, 0x29, 0xc4, 0x1e, 0xf3, 0x4e, 0x9d, 0x01, 0xd6, 0x78, 0xf4, 0x53,
-	0xc8, 0x72, 0xe6, 0xba, 0x7d, 0x62, 0x9d, 0x99, 0xb9, 0x17, 0xe4, 0xc6, 0x0c, 0xf4, 0x00, 0xb2,
-	0x1e, 0x15, 0x5f, 0x33, 0x7e, 0x16, 0x98, 0x99, 0xca, 0xea, 0xb6, 0xb1, 0xfb, 0xc1, 0xc2, 0xb4,
-	0x0a, 0x31, 0x75, 0x21, 0x88, 0x35, 0x1c, 0x51, 0x4f, 0x84, 0x8a, 0x1a, 0x2b, 0x66, 0x12, 0xc7,
-	0x0a, 0xa4, 0x29, 0xd4, 0xb3, 0x7d, 0xe6, 0x78, 0xc2, 0xcc, 0x2e, 0x37, 0xa5, 0xa5, 0x31, 0x32,
-	0x2c, 0x70, 0xcc, 0x68, 0xa4, 0x21, 0x35, 0x62, 0x36, 0xad, 0xee, 0xc0, 0xc6, 0x33, 0xc7, 0x8e,
-	0x4a, 0x90, 0xd5, 0x1b, 0x1e, 0xc6, 0x6b, 0x0a, 0xc7, 0xf3, 0xea, 0x1d, 0x28, 0xcc, 0x1d, 0x71,
-	0xd5, 0x82, 0xc2, 0xdc, 0x71, 0xa1, 0x77, 0x60, 0x7d, 0x44, 0xbe, 0xe9, 0x59, 0xcc, 0xb3, 0xc6,
-	0x9c, 0x53, 0x4f, 0x68, 0x1d, 0x85, 0x11, 0xf9, 0x66, 0x2f, 0x16, 0xa2, 0x0f, 0x60, 0x43, 0x30,
-	0x41, 0xdc, 0x9e, 0xc5, 0x46, 0xbe, 0x4b, 0xc3, 0xec, 0x58, 0x51, 0xc8, 0xa2, 0xfa, 0xb0, 0x37,
-	0x95, 0x57, 0x0d, 0xc8, 0xc5, 0x67, 0x59, 0xfd, 0xcb, 0x1a, 0x64, 0xa3, 0x48, 0x47, 0x0f, 0x00,
-	0x48, 0xbc, 0x51, 0x7a, 0x23, 0xde, 0x7b, 0xa1, 0x5d, 0x95, 0x74, 0x19, 0xe1, 0x53, 0x3a, 0xaa,
-	0x43, 0xce, 0x62, 0x9e, 0x20, 0x8e, 0x47, 0xb9, 0xce, 0xd4, 0x85, 0xf1, 0xb9, 0x17, 0x81, 0xb4,
-	0x8e, 0x29, 0x0b, 0x35, 0x20, 0x33, 0xa0, 0x1e, 0xe5, 0x8e, 0xa5, 0x03, 0xfc, 0xdd, 0x85, 0x81,
-	0x19, 0x42, 0xf0, 0xd8, 0x13, 0xce, 0x88, 0x6a, 0x2d, 0x11, 0x11, 0x7d, 0x01, 0x39, 0x4e, 0x03,
-	0x36, 0xe6, 0x16, 0x0d, 0x74, 0xba, 0x6f, 0x2f, 0x4e, 0x93, 0x10, 0x84, 0xe9, 0x6f, 0xc7, 0x0e,
-	0xa7, 0xd2, 0x85, 0x00, 0x4f, 0xa9, 0xe8, 0x33, 0xc8, 0x70, 0x1a, 0x08, 0xc2, 0xc5, 0xf3, 0x32,
-	0x16, 0x87, 0x90, 0x0e, 0x73, 0x1d, 0x6b, 0x82, 0x23, 0x06, 0xfa, 0x0c, 0x72, 0xbe, 0x4b, 0x2c,
-	0xa5, 0xd5, 0x5c, 0x5b, 0x9e, 0x63, 0x9d, 0x08, 0x84, 0xa7, 0x78, 0xf4, 0x09, 0x80, 0xcb, 0x06,
-	0x3d, 0x9b, 0x3b, 0xe7, 0x94, 0xeb, 0x2c, 0x2b, 0x2d, 0x62, 0x37, 0x15, 0x02, 0xe7, 0x5c, 0x36,
-	0x08, 0x87, 0x68, 0xff, 0xbf, 0x4a, 0x92, 0x99, 0x04, 0x79, 0x0b, 0xf2, 0xa7, 0x8c, 0x5b, 0xb4,
-	0xa7, 0x73, 0x3d, 0xa7, 0x62, 0xcb, 0x50, 0xb2, 0x30, 0x41, 0xd1, 0xaf, 0xe1, 0x95, 0x68, 0xb7,
-	0x7a, 0x9c, 0x9e, 0x52, 0x4e, 0x3d, 0xb9, 0xe5, 0x86, 0x5a, 0xf6, 0x9d, 0xe7, 0x6f, 0xb9, 0x46,
-	0xeb, 0x52, 0x8b, 0xf8, 0xcd, 0x0f, 0x41, 0x23, 0x07, 0x19, 0x1e, 0x1e, 0x70, 0xf5, 0xf7, 0x49,
-	0x99, 0x67, 0x37, 0x10, 0x68, 0x07, 0x8c, 0x78, 0x79, 0xc7, 0x56, 0x01, 0x97, 0x6b, 0xac, 0x5f,
-	0x5f, 0x6d, 0x41, 0x84, 0x6d, 0x37, 0x65, 0x05, 0xd6, 0x63, 0x1b, 0xb5, 0xa0, 0x10, 0x13, 0x64,
-	0x13, 0xa4, 0xdb, 0x84, 0xca, 0xf3, 0x2c, 0x3d, 0x9e, 0xf8, 0x14, 0xe7, 0xf9, 0xcc, 0xac, 0xfa,
-	0x2b, 0x40, 0xcf, 0x06, 0x20, 0x42, 0x90, 0x3a, 0x73, 0x3c, 0x6d, 0x06, 0x56, 0x63, 0x54, 0x83,
-	0x8c, 0x4f, 0x26, 0x2e, 0x23, 0xb6, 0x8e, 0xc3, 0xbb, 0xb5, 0xb0, 0x3d, 0xaa, 0x45, 0xed, 0x51,
-	0xad, 0xee, 0x4d, 0x70, 0x04, 0xaa, 0x3e, 0x80, 0x57, 0x17, 0xe6, 0x19, 0xda, 0x85, 0x7c, 0x9c,
-	0x23, 0x53, 0x5f, 0xef, 0x5c, 0x5f, 0x6d, 0x19, 0x71, 0x32, 0xb5, 0x9b, 0xd8, 0x88, 0x41, 0x6d,
-	0xbb, 0x7a, 0x51, 0x80, 0xc2, 0x5c, 0xa6, 0xa1, 0xbb, 0xb0, 0xe6, 0x8c, 0xc8, 0x80, 0x6a, 0x1b,
-	0xc3, 0x09, 0x6a, 0x41, 0xda, 0x25, 0x7d, 0xea, 0xca, 0x5c, 0x91, 0x07, 0xf7, 0xff, 0xb7, 0xa6,
-	0x6c, 0xed, 0xa1, 0xc2, 0xb7, 0x3c, 0xc1, 0x27, 0x58, 0x93, 0x91, 0x09, 0x19, 0x8b, 0x8d, 0x46,
-	0xc4, 0x93, 0x97, 0xe4, 0xea, 0x76, 0x0e, 0x47, 0x53, 0xb9, 0x33, 0x84, 0x0f, 0x02, 0x33, 0xa5,
-	0xc4, 0x6a, 0x2c, 0x6b, 0xe4, 0x90, 0x05, 0xc2, 0x23, 0x23, 0x6a, 0xae, 0x2b, 0x6b, 0xe2, 0x39,
-	0x2a, 0xc2, 0x2a, 0xf5, 0xce, 0xcd, 0x35, 0x05, 0x97, 0x43, 0x29, 0xb1, 0x9d, 0x30, 0x11, 0x72,
-	0x58, 0x0e, 0xa5, 0xce, 0x71, 0x40, 0xb9, 0x99, 0x09, 0x77, 0x5b, 0x8e, 0xd1, 0x6b, 0x90, 0x1e,
-	0x70, 0x36, 0xf6, 0xc3, 0x08, 0xcc, 0x61, 0x3d, 0x93, 0xf7, 0x9d, 0xcf, 0x9d, 0x73, 0xc7, 0xa5,
-	0x03, 0x1a, 0x98, 0xaf, 0xa9, 0x83, 0x28, 0x2f, 0xcc, 0xc5, 0x18, 0x85, 0x67, 0x18, 0xa8, 0x06,
-	0x29, 0xc7, 0x73, 0x84, 0xf9, 0xba, 0xce, 0xc3, 0x9b, 0x47, 0xd8, 0x60, 0xcc, 0x3d, 0x21, 0xee,
-	0x98, 0x62, 0x85, 0x43, 0x9b, 0xb0, 0x2a, 0xc4, 0xc4, 0x2c, 0x54, 0x92, 0xdb, 0xd9, 0x46, 0xe6,
-	0xfa, 0x6a, 0x6b, 0xf5, 0xf8, 0xf8, 0x31, 0x96, 0x32, 0xf4, 0x26, 0x00, 0xf3, 0xa9, 0xd7, 0x0b,
-	0x84, 0xed, 0x78, 0x26, 0x92, 0x08, 0x9c, 0x93, 0x92, 0xae, 0x14, 0xa0, 0x7b, 0xb2, 0x72, 0x11,
-	0xbb, 0xc7, 0x3c, 0x77, 0x62, 0xbe, 0xa2, 0xbe, 0x66, 0xa5, 0xe0, 0xc8, 0x73, 0x27, 0x68, 0x0b,
-	0x8c, 0x40, 0x30, 0xbf, 0x17, 0x38, 0x03, 0x8f, 0xb8, 0xe6, 0x5d, 0xe5, 0x39, 0x48, 0x51, 0x57,
-	0x49, 0xd0, 0x4f, 0x20, 0x3d, 0x62, 0x63, 0x4f, 0x04, 0x66, 0x56, 0x1d, 0xe4, 0xe6, 0x22, 0x1f,
-	0x1f, 0x49, 0x84, 0xce, 0x3a, 0x0d, 0x47, 0x2d, 0xd8, 0x50, 0x9a, 0x07, 0x9c, 0x58, 0xb4, 0xe7,
-	0x53, 0xee, 0x30, 0x5b, 0xdf, 0xcf, 0x9b, 0xcf, 0x78, 0xdb, 0xd4, 0x4f, 0x01, 0x7c, 0x47, 0x72,
-	0xf6, 0x25, 0xa5, 0xa3, 0x18, 0xa8, 0x03, 0x79, 0x7f, 0xec, 0xba, 0x3d, 0xe6, 0x87, 0xb7, 0x51,
-	0x58, 0xc0, 0x5f, 0x20, 0x9c, 0x3a, 0x63, 0xd7, 0x3d, 0x0a, 0x49, 0xd8, 0xf0, 0xa7, 0x13, 0xf4,
-	0x39, 0x64, 0x02, 0x6a, 0x71, 0x2a, 0x02, 0x33, 0xaf, 0x5c, 0x7a, 0x7b, 0x91, 0xb2, 0xae, 0x82,
-	0xc4, 0x75, 0x01, 0x47, 0x1c, 0x49, 0xb7, 0x54, 0x59, 0x0b, 0xcc, 0x57, 0x97, 0xd3, 0x75, 0xe5,
-	0x9b, 0xd2, 0x35, 0x47, 0xa6, 0x8b, 0x8c, 0xc9, 0xc0, 0xdc, 0x50, 0xe1, 0x14, 0x4e, 0xd0, 0x63,
-	0x00, 0xdb, 0x0b, 0x7a, 0x21, 0xc8, 0xbc, 0xa3, 0x7c, 0xfc, 0xe0, 0x76, 0x1f, 0x9b, 0x87, 0x5d,
-	0xdd, 0x87, 0x14, 0xae, 0xaf, 0xb6, 0x72, 0xf1, 0x14, 0xe7, 0x6c, 0x2f, 0x08, 0x87, 0xa8, 0x01,
-	0xc6, 0x90, 0x12, 0x57, 0x0c, 0xad, 0x21, 0xb5, 0xce, 0xcc, 0xe2, 0xf2, 0xb6, 0xe4, 0x40, 0xc1,
-	0xb4, 0x86, 0x59, 0x12, 0x6a, 0x43, 0xce, 0x09, 0x98, 0xab, 0x8e, 0xc8, 0x34, 0x55, 0x7d, 0x7b,
-	0x01, 0xeb, 0xda, 0x11, 0x05, 0x4f, 0xd9, 0xe8, 0x0d, 0xc8, 0xf9, 0x8e, 0x1d, 0x3c, 0x74, 0x46,
-	0x8e, 0x30, 0x37, 0x2b, 0xc9, 0xed, 0x55, 0x3c, 0x15, 0xa0, 0x03, 0xc8, 0x04, 0x93, 0xc0, 0x12,
-	0x6e, 0x60, 0x96, 0xd4, 0xe6, 0xd6, 0x6e, 0x5f, 0xa6, 0x1b, 0x12, 0xc2, 0xc2, 0x11, 0xd1, 0x51,
-	0x15, 0xf2, 0x16, 0xf1, 0xc3, 0xb7, 0x80, 0x43, 0x03, 0xf3, 0x9e, 0xda, 0xee, 0x39, 0x59, 0xe9,
-	0x13, 0x30, 0x66, 0x8a, 0x8e, 0x2c, 0x08, 0x67, 0x74, 0xa2, 0xeb, 0x98, 0x1c, 0xca, 0xc3, 0x3a,
-	0x97, 0x39, 0xa8, 0x0a, 0x6d, 0x0e, 0x87, 0x93, 0x4f, 0x57, 0x3e, 0x4e, 0x96, 0x76, 0xc1, 0x98,
-	0x09, 0x30, 0xf4, 0xb6, 0xbc, 0x04, 0x06, 0x4e, 0x20, 0xf8, 0xa4, 0x47, 0xc6, 0x62, 0x68, 0xfe,
-	0x42, 0x11, 0xf2, 0x91, 0xb0, 0x3e, 0x16, 0xc3, 0x52, 0x0f, 0xa6, 0x27, 0x84, 0x2a, 0x60, 0xc8,
-	0xba, 0x14, 0x50, 0x7e, 0x4e, 0xb9, 0x6c, 0xe9, 0xa4, 0x79, 0xb3, 0x22, 0x59, 0x79, 0x02, 0x4a,
-	0xb8, 0x35, 0x54, 0x25, 0x34, 0x87, 0xf5, 0x4c, 0xd6, 0xc4, 0x28, 0x19, 0x74, 0x4d, 0xd4, 0xd3,
-	0xd2, 0xa7, 0x90, 0x9f, 0xdd, 0x8c, 0xff, 0xc4, 0xa1, 0xea, 0x5f, 0x93, 0x90, 0x8b, 0x0f, 0x0c,
-	0x7d, 0x08, 0x1b, 0xed, 0xee, 0xd1, 0xc3, 0xfa, 0x71, 0xfb, 0xe8, 0xb0, 0xd7, 0x6c, 0x7d, 0x51,
-	0xff, 0xea, 0xe1, 0x71, 0x31, 0x51, 0x7a, 0xf3, 0xe2, 0xb2, 0xb2, 0x39, 0xbd, 0x1b, 0x22, 0x78,
-	0x93, 0x9e, 0x92, 0xb1, 0x2b, 0xe6, 0x59, 0x1d, 0x7c, 0xb4, 0xd7, 0xea, 0x76, 0x8b, 0xc9, 0x65,
-	0xac, 0x0e, 0x67, 0x16, 0x0d, 0x02, 0xb4, 0x0b, 0xc5, 0x29, 0xeb, 0xe0, 0x71, 0xa7, 0x85, 0x4f,
-	0x8a, 0x2b, 0xa5, 0x37, 0x2e, 0x2e, 0x2b, 0xe6, 0xb3, 0xa4, 0x83, 0x89, 0x4f, 0xf9, 0x89, 0x7e,
-	0xd6, 0xfd, 0x23, 0x09, 0xf9, 0xd9, 0x5e, 0x1a, 0xed, 0x85, 0x1d, 0xb4, 0xf2, 0x78, 0x7d, 0x77,
-	0xe7, 0xb6, 0xde, 0x5b, 0xdd, 0xc7, 0xee, 0x58, 0xea, 0x7d, 0x24, 0x1f, 0xf0, 0x8a, 0x8c, 0x3e,
-	0x84, 0x35, 0x9f, 0x71, 0x11, 0xdd, 0x5c, 0x8b, 0x8b, 0x3a, 0xe3, 0x51, 0x73, 0x13, 0x82, 0xab,
-	0x43, 0x58, 0x9f, 0xd7, 0x86, 0xee, 0xc3, 0xea, 0x49, 0xbb, 0x53, 0x4c, 0x94, 0xee, 0x5d, 0x5c,
-	0x56, 0x5e, 0x9f, 0xff, 0x78, 0xe2, 0x70, 0x31, 0x26, 0x6e, 0xbb, 0x83, 0xde, 0x87, 0xb5, 0xe6,
-	0x61, 0x17, 0xe3, 0x62, 0xb2, 0xb4, 0x75, 0x71, 0x59, 0xb9, 0x37, 0x8f, 0x93, 0x9f, 0xd8, 0xd8,
-	0xb3, 0x31, 0xeb, 0xc7, 0x8f, 0xd9, 0x7f, 0xae, 0x80, 0xa1, 0x2f, 0xf4, 0x97, 0xfd, 0xbf, 0xa3,
-	0x10, 0x36, 0x87, 0x51, 0x1d, 0x5a, 0xb9, 0xb5, 0x47, 0xcc, 0x87, 0x04, 0x1d, 0xd3, 0x6f, 0x41,
-	0xde, 0xf1, 0xcf, 0x3f, 0xea, 0x51, 0x8f, 0xf4, 0x5d, 0xfd, 0xae, 0xcd, 0x62, 0x43, 0xca, 0x5a,
-	0xa1, 0x48, 0x5e, 0xd1, 0x8e, 0x27, 0x28, 0xf7, 0xf4, 0x8b, 0x35, 0x8b, 0xe3, 0x39, 0xfa, 0x1c,
-	0x52, 0x8e, 0x4f, 0x46, 0xba, 0xb1, 0x5d, 0xe8, 0x41, 0xbb, 0x53, 0x7f, 0xa4, 0x73, 0xae, 0x91,
-	0xbd, 0xbe, 0xda, 0x4a, 0x49, 0x01, 0x56, 0x34, 0x54, 0x8e, 0x5e, 0x1d, 0x72, 0x25, 0x75, 0xad,
-	0x67, 0xf1, 0x8c, 0x44, 0xe6, 0x8d, 0xe3, 0x0d, 0x38, 0x0d, 0x02, 0x75, 0xc1, 0x67, 0x71, 0x34,
-	0x45, 0x25, 0xc8, 0xe8, 0x0e, 0x55, 0x3d, 0x56, 0x72, 0xb2, 0xef, 0xd7, 0x82, 0x46, 0x01, 0x8c,
-	0x70, 0x37, 0x7a, 0xa7, 0x9c, 0x8d, 0xaa, 0xff, 0x4a, 0x81, 0xb1, 0xe7, 0x8e, 0x03, 0xa1, 0xbb,
-	0x9f, 0x97, 0xb6, 0xf9, 0x8f, 0x61, 0x83, 0xa8, 0xff, 0x27, 0xc4, 0x93, 0xd7, 0xa5, 0x6a, 0xfc,
-	0xf5, 0x01, 0xdc, 0x5f, 0xa8, 0x2e, 0x06, 0x87, 0x8f, 0x84, 0x46, 0x5a, 0xea, 0x34, 0x93, 0xb8,
-	0x48, 0x6e, 0x7c, 0x41, 0x5d, 0x28, 0x30, 0x6e, 0x0d, 0x69, 0x20, 0xc2, 0x4b, 0x56, 0xff, 0x6f,
-	0x58, 0xf8, 0x27, 0xea, 0x68, 0x16, 0xa8, 0xef, 0x96, 0xd0, 0xda, 0x79, 0x1d, 0xe8, 0x63, 0x48,
-	0x71, 0x72, 0x1a, 0x3d, 0x62, 0x16, 0x26, 0x09, 0x26, 0xa7, 0x62, 0x4e, 0x85, 0x62, 0xa0, 0x2f,
-	0x01, 0x6c, 0x27, 0xf0, 0x89, 0xb0, 0x86, 0x94, 0xeb, 0xc3, 0x5e, 0xe8, 0x62, 0x33, 0x46, 0xcd,
-	0x69, 0x99, 0x61, 0xa3, 0x07, 0x90, 0xb3, 0x48, 0x14, 0xae, 0xe9, 0xe5, 0x3f, 0x61, 0xf6, 0xea,
-	0x5a, 0x45, 0x51, 0xaa, 0xb8, 0xbe, 0xda, 0xca, 0x46, 0x12, 0x9c, 0xb5, 0x88, 0x0e, 0xdf, 0x07,
-	0x50, 0x10, 0x24, 0x38, 0xeb, 0xd9, 0x61, 0x39, 0x0b, 0xc3, 0x64, 0xc9, 0x5d, 0x29, 0xdf, 0xba,
-	0xba, 0xec, 0x45, 0xc7, 0x99, 0x17, 0x33, 0x32, 0xf4, 0x4b, 0xd8, 0xa0, 0x9e, 0xc5, 0x27, 0x2a,
-	0x58, 0x23, 0x0b, 0xb3, 0xcb, 0x9d, 0x6d, 0xc5, 0xe0, 0x39, 0x67, 0x8b, 0xf4, 0x86, 0xbc, 0xfa,
-	0xb7, 0x24, 0x40, 0xd8, 0x9c, 0xbc, 0xdc, 0x00, 0x44, 0x90, 0xb2, 0x89, 0x20, 0x2a, 0xe6, 0xf2,
-	0x58, 0x8d, 0xd1, 0xa7, 0x00, 0x82, 0x8e, 0x7c, 0x59, 0x7a, 0xbd, 0x81, 0x0e, 0x9b, 0xe7, 0x95,
-	0x83, 0x19, 0x34, 0xda, 0x85, 0xb4, 0x7e, 0x6a, 0xa6, 0x6e, 0xe5, 0x69, 0x64, 0xf5, 0x4f, 0x49,
-	0x80, 0xd0, 0xcd, 0xff, 0x69, 0xdf, 0x1a, 0xf7, 0x9f, 0xfc, 0x50, 0x4e, 0x7c, 0xff, 0x43, 0x39,
-	0xf1, 0xbb, 0xeb, 0x72, 0xf2, 0xc9, 0x75, 0x39, 0xf9, 0xdd, 0x75, 0x39, 0xf9, 0xf7, 0xeb, 0x72,
-	0xf2, 0x0f, 0x4f, 0xcb, 0x89, 0xef, 0x9e, 0x96, 0x13, 0xdf, 0x3f, 0x2d, 0x27, 0xfa, 0x69, 0xd5,
-	0xde, 0xfe, 0xf8, 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x91, 0x6d, 0x50, 0x31, 0x7b, 0x17, 0x00,
-	0x00,
+	// 2311 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0x4d, 0x73, 0x1b, 0xc7,
+	0xd1, 0x06, 0x48, 0x10, 0x1f, 0xbd, 0x00, 0x05, 0x8e, 0x65, 0x7b, 0x09, 0xc9, 0x20, 0x0c, 0xcb,
+	0x36, 0x6d, 0xd7, 0x0b, 0xd6, 0xcb, 0xb8, 0x1c, 0x7f, 0xc4, 0x49, 0x00, 0x02, 0x96, 0x60, 0x49,
+	0x14, 0x6a, 0x40, 0x2b, 0x51, 0x55, 0xaa, 0x50, 0x83, 0xdd, 0x21, 0xb0, 0xe1, 0x62, 0x67, 0x33,
+	0x3b, 0xa0, 0x8d, 0x5b, 0x8e, 0x2e, 0xe6, 0x92, 0x3f, 0xc0, 0x53, 0x2a, 0xa7, 0x5c, 0x92, 0x4b,
+	0x7e, 0x83, 0x8f, 0x3e, 0x3a, 0x17, 0x56, 0x4c, 0xff, 0x84, 0xdc, 0x72, 0x49, 0x6a, 0x66, 0x67,
+	0x17, 0x0b, 0x0a, 0x10, 0x95, 0x8a, 0x0e, 0xb9, 0xcd, 0xf4, 0x3e, 0x4f, 0x4f, 0xf7, 0x4c, 0x77,
+	0x4f, 0xcf, 0xc2, 0xbb, 0x23, 0x47, 0x8c, 0xa7, 0xc3, 0x86, 0xc5, 0x26, 0x7b, 0x36, 0xb3, 0x4e,
+	0x28, 0xdf, 0x0b, 0xbe, 0x24, 0x7c, 0x72, 0xe2, 0x88, 0x3d, 0xe2, 0x3b, 0x7b, 0x81, 0x4f, 0xad,
+	0xa0, 0xe1, 0x73, 0x26, 0x18, 0x42, 0x21, 0xa0, 0x11, 0x01, 0x1a, 0xa7, 0xff, 0x5f, 0xb9, 0x8e,
+	0x2f, 0x66, 0x3e, 0xd5, 0xfc, 0xca, 0xcd, 0x11, 0x1b, 0x31, 0x35, 0xdc, 0x93, 0x23, 0x2d, 0xad,
+	0x8e, 0x18, 0x1b, 0xb9, 0x74, 0x4f, 0xcd, 0x86, 0xd3, 0xe3, 0x3d, 0x7b, 0xca, 0x89, 0x70, 0x98,
+	0xa7, 0xbf, 0x6f, 0x5f, 0xfd, 0x4e, 0xbc, 0xd9, 0x2a, 0xea, 0x97, 0x9c, 0xf8, 0x3e, 0xe5, 0x7a,
+	0xc1, 0xfa, 0x79, 0x06, 0xf2, 0x87, 0xcc, 0xa6, 0x7d, 0x9f, 0x5a, 0xe8, 0x2e, 0x18, 0xc4, 0xf3,
+	0x98, 0x50, 0xba, 0x03, 0x33, 0x5d, 0x4b, 0xef, 0x1a, 0xfb, 0x3b, 0x8d, 0xa7, 0x7d, 0x6a, 0x34,
+	0xe7, 0xb0, 0x56, 0xe6, 0x9b, 0x8b, 0x9d, 0x14, 0x4e, 0x32, 0xd1, 0xcf, 0xa0, 0x68, 0xd3, 0xc0,
+	0xe1, 0xd4, 0x1e, 0x70, 0xe6, 0x52, 0x73, 0xad, 0x96, 0xde, 0xdd, 0xdc, 0xbf, 0xbd, 0x4c, 0x93,
+	0x5c, 0x1c, 0x33, 0x97, 0x62, 0x43, 0x33, 0xe4, 0x04, 0xdd, 0x05, 0x98, 0xd0, 0xc9, 0x90, 0xf2,
+	0x60, 0xec, 0xf8, 0xe6, 0xba, 0xa2, 0xbf, 0xbd, 0x8a, 0x2e, 0x6d, 0x6f, 0x3c, 0x8c, 0xe1, 0x38,
+	0x41, 0x45, 0x0f, 0xa1, 0x48, 0x4e, 0x89, 0xe3, 0x92, 0xa1, 0xe3, 0x3a, 0x62, 0x66, 0x66, 0x94,
+	0xaa, 0x77, 0x9e, 0xa9, 0xaa, 0x99, 0x20, 0xe0, 0x05, 0x7a, 0xdd, 0x06, 0x98, 0x2f, 0x84, 0xde,
+	0x82, 0x5c, 0xaf, 0x73, 0xd8, 0xee, 0x1e, 0xde, 0x2d, 0xa7, 0x2a, 0xdb, 0x67, 0xe7, 0xb5, 0x97,
+	0xa5, 0x8e, 0x39, 0xa0, 0x47, 0x3d, 0xdb, 0xf1, 0x46, 0x68, 0x17, 0xf2, 0xcd, 0x83, 0x83, 0x4e,
+	0xef, 0xa8, 0xd3, 0x2e, 0xa7, 0x2b, 0x95, 0xb3, 0xf3, 0xda, 0x2b, 0x8b, 0xc0, 0xa6, 0x65, 0x51,
+	0x5f, 0x50, 0xbb, 0x92, 0xf9, 0xfa, 0x0f, 0xd5, 0x54, 0xfd, 0xeb, 0x34, 0x14, 0x93, 0x46, 0xa0,
+	0xb7, 0x20, 0xdb, 0x3c, 0x38, 0xea, 0x3e, 0xee, 0x94, 0x53, 0x73, 0x7a, 0x12, 0xd1, 0xb4, 0x84,
+	0x73, 0x4a, 0xd1, 0x1d, 0xd8, 0xe8, 0x35, 0xbf, 0xe8, 0x77, 0xca, 0xe9, 0xb9, 0x39, 0x49, 0x58,
+	0x8f, 0x4c, 0x03, 0x85, 0x6a, 0xe3, 0x66, 0xf7, 0xb0, 0xbc, 0xb6, 0x1c, 0xd5, 0xe6, 0xc4, 0xf1,
+	0xb4, 0x29, 0x7f, 0xda, 0x00, 0xa3, 0x4f, 0xf9, 0xa9, 0x63, 0xbd, 0xe0, 0x10, 0xf9, 0x00, 0x32,
+	0x82, 0x04, 0x27, 0x2a, 0x34, 0x8c, 0xe5, 0xa1, 0x71, 0x44, 0x82, 0x13, 0xb9, 0xa8, 0xa6, 0x2b,
+	0xbc, 0x8c, 0x0c, 0x4e, 0x7d, 0xd7, 0xb1, 0x88, 0xa0, 0xb6, 0x8a, 0x0c, 0x63, 0xff, 0xcd, 0x65,
+	0x6c, 0x1c, 0xa3, 0xb4, 0xfd, 0xf7, 0x52, 0x38, 0x41, 0x45, 0x9f, 0x40, 0x76, 0xe4, 0xb2, 0x21,
+	0x71, 0x55, 0x4c, 0x18, 0xfb, 0xaf, 0x2f, 0x53, 0x72, 0x57, 0x21, 0xe6, 0x0a, 0x34, 0x05, 0x7d,
+	0x0e, 0x9b, 0x73, 0x55, 0x83, 0x5f, 0xb3, 0xa1, 0x09, 0xab, 0x95, 0xcc, 0x2d, 0xf9, 0x9c, 0x0d,
+	0xef, 0xa5, 0x70, 0x89, 0x27, 0x05, 0xe8, 0xa7, 0x00, 0xa1, 0x56, 0xa5, 0xc7, 0x50, 0x7a, 0x5e,
+	0x5b, 0x6d, 0x4c, 0xa8, 0xa3, 0x30, 0x8a, 0x26, 0xe8, 0x43, 0xc8, 0x4e, 0x7d, 0x9b, 0x08, 0x6a,
+	0x66, 0x15, 0xb7, 0xb6, 0x8c, 0xfb, 0x85, 0x42, 0x1c, 0x30, 0xef, 0xd8, 0x19, 0x61, 0x8d, 0x47,
+	0x3f, 0x81, 0x3c, 0x67, 0xae, 0x3b, 0x24, 0xd6, 0x89, 0x59, 0x78, 0x4e, 0x6e, 0xcc, 0x40, 0xf7,
+	0x21, 0xef, 0x51, 0xf1, 0x25, 0xe3, 0x27, 0x81, 0x99, 0xab, 0xad, 0xef, 0x1a, 0xfb, 0xef, 0x2d,
+	0x4d, 0xab, 0x10, 0xd3, 0x14, 0x82, 0x58, 0xe3, 0x09, 0xf5, 0x44, 0xa8, 0xa8, 0xb5, 0x66, 0xa6,
+	0x71, 0xac, 0x40, 0x9a, 0x42, 0x3d, 0xdb, 0x67, 0x8e, 0x27, 0xcc, 0xfc, 0x6a, 0x53, 0x3a, 0x1a,
+	0x23, 0xc3, 0x02, 0xc7, 0x8c, 0x56, 0x16, 0x32, 0x13, 0x66, 0xd3, 0xfa, 0x1e, 0x6c, 0x3d, 0x75,
+	0xec, 0xa8, 0x02, 0x79, 0xbd, 0xe1, 0x61, 0xbc, 0x66, 0x70, 0x3c, 0xaf, 0xdf, 0x80, 0xd2, 0xc2,
+	0x11, 0xd7, 0x2d, 0x28, 0x2d, 0x1c, 0x17, 0x7a, 0x13, 0x36, 0x27, 0xe4, 0xab, 0x81, 0xc5, 0x3c,
+	0x6b, 0xca, 0x39, 0xf5, 0x84, 0xd6, 0x51, 0x9a, 0x90, 0xaf, 0x0e, 0x62, 0x21, 0x7a, 0x0f, 0xb6,
+	0x04, 0x13, 0xc4, 0x1d, 0x58, 0x6c, 0xe2, 0xbb, 0x34, 0xcc, 0x8e, 0x35, 0x85, 0x2c, 0xab, 0x0f,
+	0x07, 0x73, 0x79, 0xdd, 0x80, 0x42, 0x7c, 0x96, 0xf5, 0x3f, 0x6f, 0x40, 0x3e, 0x8a, 0x74, 0x74,
+	0x1f, 0x80, 0xc4, 0x1b, 0xa5, 0x37, 0xe2, 0x9d, 0xe7, 0xda, 0x55, 0x49, 0x97, 0x11, 0x3e, 0xa7,
+	0xa3, 0x26, 0x14, 0x2c, 0xe6, 0x09, 0xe2, 0x78, 0x94, 0xeb, 0x4c, 0x5d, 0x1a, 0x9f, 0x07, 0x11,
+	0x48, 0xeb, 0x98, 0xb3, 0x50, 0x0b, 0x72, 0x23, 0xea, 0x51, 0xee, 0x58, 0x3a, 0xc0, 0xdf, 0x5a,
+	0x1a, 0x98, 0x21, 0x04, 0x4f, 0x3d, 0xe1, 0x4c, 0xa8, 0xd6, 0x12, 0x11, 0xd1, 0x67, 0x50, 0xe0,
+	0x34, 0x60, 0x53, 0x6e, 0xd1, 0x40, 0xa7, 0xfb, 0xee, 0xf2, 0x34, 0x09, 0x41, 0x98, 0xfe, 0x66,
+	0xea, 0x70, 0x2a, 0x5d, 0x08, 0xf0, 0x9c, 0x8a, 0x3e, 0x81, 0x1c, 0xa7, 0x81, 0x20, 0x5c, 0x3c,
+	0x2b, 0x63, 0x71, 0x08, 0xe9, 0x31, 0xd7, 0xb1, 0x66, 0x38, 0x62, 0xa0, 0x4f, 0xa0, 0xe0, 0xbb,
+	0xc4, 0x52, 0x5a, 0xcd, 0x8d, 0xd5, 0x39, 0xd6, 0x8b, 0x40, 0x78, 0x8e, 0x47, 0x1f, 0x01, 0xb8,
+	0x6c, 0x34, 0xb0, 0xb9, 0x73, 0x4a, 0xb9, 0xce, 0xb2, 0xca, 0x32, 0x76, 0x5b, 0x21, 0x70, 0xc1,
+	0x65, 0xa3, 0x70, 0x88, 0xee, 0xfe, 0x57, 0x49, 0x92, 0x48, 0x90, 0xd7, 0xa1, 0x78, 0xcc, 0xb8,
+	0x45, 0x07, 0x3a, 0xd7, 0x0b, 0x2a, 0xb6, 0x0c, 0x25, 0x0b, 0x13, 0x14, 0xfd, 0x0a, 0x5e, 0x8a,
+	0x76, 0x6b, 0xc0, 0xe9, 0x31, 0xe5, 0xd4, 0x93, 0x5b, 0x6e, 0xa8, 0x65, 0xdf, 0x7c, 0xf6, 0x96,
+	0x6b, 0xb4, 0x2e, 0xb5, 0x88, 0x5f, 0xfd, 0x10, 0xb4, 0x0a, 0x90, 0xe3, 0xe1, 0x01, 0xd7, 0x7f,
+	0x97, 0x96, 0x79, 0x76, 0x05, 0x81, 0xf6, 0xc0, 0x88, 0x97, 0x77, 0x6c, 0x15, 0x70, 0x85, 0xd6,
+	0xe6, 0xe5, 0xc5, 0x0e, 0x44, 0xd8, 0x6e, 0x5b, 0x56, 0x60, 0x3d, 0xb6, 0x51, 0x07, 0x4a, 0x31,
+	0x41, 0x36, 0x41, 0xba, 0x4d, 0xa8, 0x3d, 0xcb, 0xd2, 0xa3, 0x99, 0x4f, 0x71, 0x91, 0x27, 0x66,
+	0xf5, 0x5f, 0x02, 0x7a, 0x3a, 0x00, 0x11, 0x82, 0xcc, 0x89, 0xe3, 0x69, 0x33, 0xb0, 0x1a, 0xa3,
+	0x06, 0xe4, 0x7c, 0x32, 0x73, 0x19, 0xb1, 0x75, 0x1c, 0xde, 0x6c, 0x84, 0xed, 0x51, 0x23, 0x6a,
+	0x8f, 0x1a, 0x4d, 0x6f, 0x86, 0x23, 0x50, 0xfd, 0x3e, 0xbc, 0xbc, 0x34, 0xcf, 0xd0, 0x3e, 0x14,
+	0xe3, 0x1c, 0x99, 0xfb, 0x7a, 0xe3, 0xf2, 0x62, 0xc7, 0x88, 0x93, 0xa9, 0xdb, 0xc6, 0x46, 0x0c,
+	0xea, 0xda, 0xf5, 0xbf, 0x96, 0xa0, 0xb4, 0x90, 0x69, 0xe8, 0x26, 0x6c, 0x38, 0x13, 0x32, 0xa2,
+	0xda, 0xc6, 0x70, 0x82, 0x3a, 0x90, 0x75, 0xc9, 0x90, 0xba, 0x32, 0x57, 0xe4, 0xc1, 0xfd, 0xdf,
+	0xb5, 0x29, 0xdb, 0x78, 0xa0, 0xf0, 0x1d, 0x4f, 0xf0, 0x19, 0xd6, 0x64, 0x64, 0x42, 0xce, 0x62,
+	0x93, 0x09, 0xf1, 0xe4, 0x25, 0xb9, 0xbe, 0x5b, 0xc0, 0xd1, 0x54, 0xee, 0x0c, 0xe1, 0xa3, 0xc0,
+	0xcc, 0x28, 0xb1, 0x1a, 0xcb, 0x1a, 0x39, 0x66, 0x81, 0xf0, 0xc8, 0x84, 0x9a, 0x9b, 0xca, 0x9a,
+	0x78, 0x8e, 0xca, 0xb0, 0x4e, 0xbd, 0x53, 0x73, 0x43, 0xc1, 0xe5, 0x50, 0x4a, 0x6c, 0x27, 0x4c,
+	0x84, 0x02, 0x96, 0x43, 0xa9, 0x73, 0x1a, 0x50, 0x6e, 0xe6, 0xc2, 0xdd, 0x96, 0x63, 0xf4, 0x0a,
+	0x64, 0x47, 0x9c, 0x4d, 0xfd, 0x30, 0x02, 0x0b, 0x58, 0xcf, 0xe4, 0x7d, 0xe7, 0x73, 0xe7, 0xd4,
+	0x71, 0xe9, 0x88, 0x06, 0xe6, 0x2b, 0xea, 0x20, 0xaa, 0x4b, 0x73, 0x31, 0x46, 0xe1, 0x04, 0x03,
+	0x35, 0x20, 0xe3, 0x78, 0x8e, 0x30, 0x5f, 0xd5, 0x79, 0x78, 0xf5, 0x08, 0x5b, 0x8c, 0xb9, 0x8f,
+	0x89, 0x3b, 0xa5, 0x58, 0xe1, 0xd0, 0x36, 0xac, 0x0b, 0x31, 0x33, 0x4b, 0xb5, 0xf4, 0x6e, 0xbe,
+	0x95, 0xbb, 0xbc, 0xd8, 0x59, 0x3f, 0x3a, 0x7a, 0x82, 0xa5, 0x0c, 0xbd, 0x06, 0xc0, 0x7c, 0xea,
+	0x0d, 0x02, 0x61, 0x3b, 0x9e, 0x89, 0x24, 0x02, 0x17, 0xa4, 0xa4, 0x2f, 0x05, 0xe8, 0x96, 0xac,
+	0x5c, 0xc4, 0x1e, 0x30, 0xcf, 0x9d, 0x99, 0x2f, 0xa9, 0xaf, 0x79, 0x29, 0x78, 0xe4, 0xb9, 0x33,
+	0xb4, 0x03, 0x46, 0x20, 0x98, 0x3f, 0x08, 0x9c, 0x91, 0x47, 0x5c, 0xf3, 0xa6, 0xf2, 0x1c, 0xa4,
+	0xa8, 0xaf, 0x24, 0xe8, 0xc7, 0x90, 0x9d, 0xb0, 0xa9, 0x27, 0x02, 0x33, 0xaf, 0x0e, 0x72, 0x7b,
+	0x99, 0x8f, 0x0f, 0x25, 0x42, 0x67, 0x9d, 0x86, 0xa3, 0x0e, 0x6c, 0x29, 0xcd, 0x23, 0x4e, 0x2c,
+	0x3a, 0xf0, 0x29, 0x77, 0x98, 0xad, 0xef, 0xe7, 0xed, 0xa7, 0xbc, 0x6d, 0xeb, 0xa7, 0x00, 0xbe,
+	0x21, 0x39, 0x77, 0x25, 0xa5, 0xa7, 0x18, 0xa8, 0x07, 0x45, 0x7f, 0xea, 0xba, 0x03, 0xe6, 0x87,
+	0xb7, 0x51, 0x58, 0xc0, 0x9f, 0x23, 0x9c, 0x7a, 0x53, 0xd7, 0x7d, 0x14, 0x92, 0xb0, 0xe1, 0xcf,
+	0x27, 0xe8, 0x53, 0xc8, 0x05, 0xd4, 0xe2, 0x54, 0x04, 0x66, 0x51, 0xb9, 0xf4, 0xc6, 0x32, 0x65,
+	0x7d, 0x05, 0x89, 0xeb, 0x02, 0x8e, 0x38, 0x92, 0x6e, 0xa9, 0xb2, 0x16, 0x98, 0x2f, 0xaf, 0xa6,
+	0xeb, 0xca, 0x37, 0xa7, 0x6b, 0x8e, 0x4c, 0x17, 0x19, 0x93, 0x81, 0xb9, 0xa5, 0xc2, 0x29, 0x9c,
+	0xa0, 0x27, 0x00, 0xb6, 0x17, 0x0c, 0x42, 0x90, 0x79, 0x43, 0xf9, 0xf8, 0xde, 0xf5, 0x3e, 0xb6,
+	0x0f, 0xfb, 0xba, 0x0f, 0x29, 0x5d, 0x5e, 0xec, 0x14, 0xe2, 0x29, 0x2e, 0xd8, 0x5e, 0x10, 0x0e,
+	0x51, 0x0b, 0x8c, 0x31, 0x25, 0xae, 0x18, 0x5b, 0x63, 0x6a, 0x9d, 0x98, 0xe5, 0xd5, 0x6d, 0xc9,
+	0x3d, 0x05, 0xd3, 0x1a, 0x92, 0x24, 0xd4, 0x85, 0x82, 0x13, 0x30, 0x57, 0x1d, 0x91, 0x69, 0xaa,
+	0xfa, 0xf6, 0x1c, 0xd6, 0x75, 0x23, 0x0a, 0x9e, 0xb3, 0xd1, 0x6d, 0x28, 0xf8, 0x8e, 0x1d, 0x3c,
+	0x70, 0x26, 0x8e, 0x30, 0xb7, 0x6b, 0xe9, 0xdd, 0x75, 0x3c, 0x17, 0xa0, 0x7b, 0x90, 0x0b, 0x66,
+	0x81, 0x25, 0xdc, 0xc0, 0xac, 0xa8, 0xcd, 0x6d, 0x5c, 0xbf, 0x4c, 0x3f, 0x24, 0x84, 0x85, 0x23,
+	0xa2, 0xcb, 0x8e, 0xc7, 0x22, 0xbe, 0x7e, 0x0b, 0x0c, 0x88, 0x6d, 0x9b, 0xb7, 0xd4, 0x86, 0x97,
+	0xe6, 0xd2, 0xa6, 0x6d, 0xa3, 0xb7, 0xe1, 0x46, 0x02, 0x66, 0x73, 0xe6, 0x9b, 0xb7, 0x15, 0x2e,
+	0xc1, 0x6e, 0x73, 0xe6, 0x57, 0x3e, 0x02, 0x23, 0x51, 0xa0, 0x64, 0xf1, 0x38, 0xa1, 0x33, 0x5d,
+	0xf3, 0xe4, 0x50, 0x1e, 0xec, 0xa9, 0xcc, 0x57, 0x55, 0x94, 0x0b, 0x38, 0x9c, 0x7c, 0xbc, 0xf6,
+	0x61, 0xba, 0xb2, 0x0f, 0x46, 0x22, 0x18, 0xd1, 0x1b, 0xf2, 0xc2, 0x18, 0x39, 0x81, 0xe0, 0xb3,
+	0x01, 0x99, 0x8a, 0xb1, 0xf9, 0x73, 0x45, 0x28, 0x46, 0xc2, 0xe6, 0x54, 0x8c, 0x2b, 0x03, 0x98,
+	0x9f, 0x26, 0xaa, 0x81, 0x21, 0x6b, 0x58, 0x40, 0xf9, 0x29, 0xe5, 0xb2, 0xfd, 0x93, 0x06, 0x26,
+	0x45, 0xb2, 0x4a, 0x05, 0x94, 0x70, 0x6b, 0xac, 0xca, 0x6d, 0x01, 0xeb, 0x99, 0xac, 0x9f, 0x51,
+	0xe2, 0xe8, 0xfa, 0xa9, 0xa7, 0x95, 0x8f, 0xa1, 0x98, 0xdc, 0xb8, 0xff, 0xc4, 0xa1, 0xfa, 0x5f,
+	0xd2, 0x50, 0x88, 0x0f, 0x17, 0xbd, 0x0f, 0x5b, 0xdd, 0xfe, 0xa3, 0x07, 0xcd, 0xa3, 0xee, 0xa3,
+	0xc3, 0x41, 0xbb, 0xf3, 0x59, 0xf3, 0x8b, 0x07, 0x47, 0xe5, 0x54, 0xe5, 0xb5, 0xb3, 0xf3, 0xda,
+	0xf6, 0xfc, 0x1e, 0x89, 0xe0, 0x6d, 0x7a, 0x4c, 0xa6, 0xae, 0x58, 0x64, 0xf5, 0xf0, 0xa3, 0x83,
+	0x4e, 0xbf, 0x5f, 0x4e, 0xaf, 0x62, 0xf5, 0x38, 0xb3, 0x68, 0x10, 0xa0, 0x7d, 0x28, 0xcf, 0x59,
+	0xf7, 0x9e, 0xf4, 0x3a, 0xf8, 0x71, 0x79, 0xad, 0x72, 0xfb, 0xec, 0xbc, 0x66, 0x3e, 0x4d, 0xba,
+	0x37, 0xf3, 0x29, 0x7f, 0xac, 0x9f, 0x80, 0xff, 0x48, 0x43, 0x31, 0xd9, 0x77, 0xa3, 0x83, 0xb0,
+	0xdb, 0x56, 0x1e, 0x6f, 0xee, 0xef, 0x5d, 0xd7, 0xa7, 0xab, 0xbb, 0xdb, 0x9d, 0x4a, 0xbd, 0x0f,
+	0xe5, 0x63, 0x5f, 0x91, 0xd1, 0xfb, 0xb0, 0xe1, 0x33, 0x2e, 0xa2, 0x5b, 0x6e, 0xf9, 0x05, 0xc0,
+	0x78, 0xd4, 0x08, 0x85, 0xe0, 0xfa, 0x18, 0x36, 0x17, 0xb5, 0xa1, 0x3b, 0xb0, 0xfe, 0xb8, 0xdb,
+	0x2b, 0xa7, 0x2a, 0xb7, 0xce, 0xce, 0x6b, 0xaf, 0x2e, 0x7e, 0x7c, 0xec, 0x70, 0x31, 0x25, 0x6e,
+	0xb7, 0x87, 0xde, 0x85, 0x8d, 0xf6, 0x61, 0x1f, 0xe3, 0x72, 0xba, 0xb2, 0x73, 0x76, 0x5e, 0xbb,
+	0xb5, 0x88, 0x93, 0x9f, 0xd8, 0xd4, 0xb3, 0x31, 0x1b, 0xc6, 0x0f, 0xdf, 0x7f, 0xae, 0x81, 0xa1,
+	0x2f, 0xff, 0x17, 0xfd, 0x6f, 0xa4, 0x14, 0x36, 0x92, 0x51, 0xcd, 0x5a, 0xbb, 0xb6, 0x9f, 0x2c,
+	0x86, 0x04, 0x1d, 0xd3, 0xaf, 0x43, 0xd1, 0xf1, 0x4f, 0x3f, 0x18, 0x50, 0x8f, 0x0c, 0x5d, 0xfd,
+	0x06, 0xce, 0x63, 0x43, 0xca, 0x3a, 0xa1, 0x48, 0x5e, 0xe7, 0x8e, 0x27, 0x28, 0xf7, 0xf4, 0xeb,
+	0x36, 0x8f, 0xe3, 0x39, 0xfa, 0x14, 0x32, 0x8e, 0x4f, 0x26, 0xba, 0x09, 0x5e, 0xea, 0x41, 0xb7,
+	0xd7, 0x7c, 0xa8, 0x73, 0xae, 0x95, 0xbf, 0xbc, 0xd8, 0xc9, 0x48, 0x01, 0x56, 0x34, 0x54, 0x8d,
+	0x5e, 0x28, 0x72, 0x25, 0xd5, 0x02, 0xe4, 0x71, 0x42, 0x22, 0xf3, 0xc6, 0xf1, 0x46, 0x9c, 0x06,
+	0x81, 0x6a, 0x06, 0xf2, 0x38, 0x9a, 0xa2, 0x0a, 0xe4, 0x74, 0x37, 0xab, 0x1e, 0x36, 0x05, 0xf9,
+	0x46, 0xd0, 0x82, 0x56, 0x09, 0x8c, 0x70, 0x37, 0x06, 0xc7, 0x9c, 0x4d, 0xea, 0xff, 0xca, 0x80,
+	0x71, 0xe0, 0x4e, 0x03, 0xa1, 0x3b, 0xa5, 0x17, 0xb6, 0xf9, 0x4f, 0x60, 0x8b, 0xa8, 0x7f, 0x2d,
+	0xc4, 0x93, 0x57, 0xab, 0x7a, 0x24, 0xe8, 0x03, 0xb8, 0xb3, 0x54, 0x5d, 0x0c, 0x0e, 0x1f, 0x14,
+	0xad, 0xac, 0xd4, 0x69, 0xa6, 0x71, 0x99, 0x5c, 0xf9, 0x82, 0xfa, 0x50, 0x62, 0xdc, 0x1a, 0xd3,
+	0x40, 0x84, 0x17, 0xb2, 0xfe, 0x37, 0xb1, 0xf4, 0xaf, 0xd5, 0xa3, 0x24, 0x50, 0xdf, 0x43, 0xa1,
+	0xb5, 0x8b, 0x3a, 0xd0, 0x87, 0x90, 0xe1, 0xe4, 0x38, 0x7a, 0xf0, 0x2c, 0x4d, 0x12, 0x4c, 0x8e,
+	0xc5, 0x82, 0x0a, 0xc5, 0x40, 0x9f, 0x03, 0xd8, 0x4e, 0xe0, 0x13, 0x61, 0x8d, 0x29, 0xd7, 0x87,
+	0xbd, 0xd4, 0xc5, 0x76, 0x8c, 0x5a, 0xd0, 0x92, 0x60, 0xa3, 0xfb, 0x50, 0xb0, 0x48, 0x14, 0xae,
+	0xd9, 0xd5, 0x3f, 0x6c, 0x0e, 0x9a, 0x5a, 0x45, 0x59, 0xaa, 0xb8, 0xbc, 0xd8, 0xc9, 0x47, 0x12,
+	0x9c, 0xb7, 0x88, 0x0e, 0xdf, 0xfb, 0x50, 0x12, 0x24, 0x38, 0x19, 0xd8, 0x61, 0x39, 0x0b, 0xc3,
+	0x64, 0xc5, 0xbd, 0x2a, 0xdf, 0xc5, 0xba, 0xec, 0x45, 0xc7, 0x59, 0x14, 0x09, 0x19, 0xfa, 0x05,
+	0x6c, 0x51, 0xcf, 0xe2, 0x33, 0x15, 0xac, 0x91, 0x85, 0xf9, 0xd5, 0xce, 0x76, 0x62, 0xf0, 0x82,
+	0xb3, 0x65, 0x7a, 0x45, 0x5e, 0xff, 0x5b, 0x1a, 0x20, 0x6c, 0x64, 0x5e, 0x6c, 0x00, 0x22, 0xc8,
+	0xd8, 0x44, 0x10, 0x15, 0x73, 0x45, 0xac, 0xc6, 0xe8, 0x63, 0x00, 0x41, 0x27, 0xbe, 0x2c, 0xbd,
+	0xde, 0x48, 0x87, 0xcd, 0xb3, 0xca, 0x41, 0x02, 0x8d, 0xf6, 0x21, 0xab, 0x9f, 0xa5, 0x99, 0x6b,
+	0x79, 0x1a, 0x59, 0xff, 0x63, 0x1a, 0x20, 0x74, 0xf3, 0x7f, 0xda, 0xb7, 0xd6, 0x9d, 0x6f, 0xbe,
+	0xaf, 0xa6, 0xbe, 0xfb, 0xbe, 0x9a, 0xfa, 0xed, 0x65, 0x35, 0xfd, 0xcd, 0x65, 0x35, 0xfd, 0xed,
+	0x65, 0x35, 0xfd, 0xf7, 0xcb, 0x6a, 0xfa, 0xf7, 0x3f, 0x54, 0x53, 0xdf, 0xfe, 0x50, 0x4d, 0x7d,
+	0xf7, 0x43, 0x35, 0x35, 0xcc, 0xaa, 0x56, 0xf8, 0x47, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x92,
+	0xc4, 0x34, 0xad, 0xa7, 0x17, 0x00, 0x00,
 }
 
 func (m *NodeSpec) Copy() *NodeSpec {
@@ -1997,9 +2000,14 @@ func (m *ContainerSpec) CopyFrom(src interface{}) {
 		}
 	}
 
-	if o.Capabilities != nil {
-		m.Capabilities = make([]string, len(o.Capabilities))
-		copy(m.Capabilities, o.Capabilities)
+	if o.CapabilityAdd != nil {
+		m.CapabilityAdd = make([]string, len(o.CapabilityAdd))
+		copy(m.CapabilityAdd, o.CapabilityAdd)
+	}
+
+	if o.CapabilityDrop != nil {
+		m.CapabilityDrop = make([]string, len(o.CapabilityDrop))
+		copy(m.CapabilityDrop, o.CapabilityDrop)
 	}
 
 }
@@ -2983,8 +2991,8 @@ func (m *ContainerSpec) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], v)
 		}
 	}
-	if len(m.Capabilities) > 0 {
-		for _, s := range m.Capabilities {
+	if len(m.CapabilityAdd) > 0 {
+		for _, s := range m.CapabilityAdd {
 			dAtA[i] = 0xda
 			i++
 			dAtA[i] = 0x1
@@ -3000,6 +3008,23 @@ func (m *ContainerSpec) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if len(m.CapabilityDrop) > 0 {
+		for _, s := range m.CapabilityDrop {
+			dAtA[i] = 0xe2
+			i++
+			dAtA[i] = 0x1
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -3814,8 +3839,14 @@ func (m *ContainerSpec) Size() (n int) {
 			n += mapEntrySize + 2 + sovSpecs(uint64(mapEntrySize))
 		}
 	}
-	if len(m.Capabilities) > 0 {
-		for _, s := range m.Capabilities {
+	if len(m.CapabilityAdd) > 0 {
+		for _, s := range m.CapabilityAdd {
+			l = len(s)
+			n += 2 + l + sovSpecs(uint64(l))
+		}
+	}
+	if len(m.CapabilityDrop) > 0 {
+		for _, s := range m.CapabilityDrop {
 			l = len(s)
 			n += 2 + l + sovSpecs(uint64(l))
 		}
@@ -4243,7 +4274,8 @@ func (this *ContainerSpec) String() string {
 		`Isolation:` + fmt.Sprintf("%v", this.Isolation) + `,`,
 		`PidsLimit:` + fmt.Sprintf("%v", this.PidsLimit) + `,`,
 		`Sysctls:` + mapStringForSysctls + `,`,
-		`Capabilities:` + fmt.Sprintf("%v", this.Capabilities) + `,`,
+		`CapabilityAdd:` + fmt.Sprintf("%v", this.CapabilityAdd) + `,`,
+		`CapabilityDrop:` + fmt.Sprintf("%v", this.CapabilityDrop) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -6891,7 +6923,39 @@ func (m *ContainerSpec) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 27:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Capabilities", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field CapabilityAdd", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSpecs
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthSpecs
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthSpecs
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CapabilityAdd = append(m.CapabilityAdd, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 28:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CapabilityDrop", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -6919,7 +6983,7 @@ func (m *ContainerSpec) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Capabilities = append(m.Capabilities, string(dAtA[iNdEx:postIndex]))
+			m.CapabilityDrop = append(m.CapabilityDrop, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex

vendor/github.com/docker/swarmkit/api/specs.proto

@@ -356,8 +356,10 @@ message ContainerSpec {
 	// https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime
 	map<string, string> sysctls = 26;
 
-	// Capabilities is the list of Linux capabilities to be available for container (this overrides the default set of capabilities)
-	repeated string capabilities = 27;
+	// CapabilityAdd sets the list of capabilities to add to the default capability list
+	repeated string capability_add = 27;
+	// CapabilityAdd sets the list of capabilities to drop from the default capability list
+	repeated string capability_drop = 28;
 }
 
 // EndpointSpec defines the properties that can be configured to