feat: add capabilities parameter to ServiceConfig#2889
Draft
swapnilraj wants to merge 3 commits intokurtosis-tech:mainfrom
Draft
feat: add capabilities parameter to ServiceConfig#2889swapnilraj wants to merge 3 commits intokurtosis-tech:mainfrom
swapnilraj wants to merge 3 commits intokurtosis-tech:mainfrom
Conversation
… capabilities
Add support for specifying Linux capabilities (e.g., NET_ADMIN, SYS_PTRACE) on
user service containers via the Starlark ServiceConfig type. This enables chaos
engineering use cases that require network manipulation tools like `tc` and `netem`
inside containers, which need the NET_ADMIN capability.
Changes:
- Add Capabilities field to service.ServiceConfig with getter/setter methods
- Add 'capabilities' Starlark parameter to ServiceConfig type (optional list of strings)
- Pass capabilities through Docker backend via WithAddedCapabilities on container builder
- Pass capabilities through Kubernetes backend via SecurityContext.Capabilities
- Add unit tests for field storage, JSON marshalling, and Starlark parsing
Usage in Starlark:
plan.add_service(
name = "test-net-admin",
config = ServiceConfig(
image = "alpine:latest",
capabilities = ["NET_ADMIN"],
),
)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add the missing capabilities field to the ServiceInfo protobuf message to allow capabilities to be returned when querying service information via the API. This completes the capabilities feature implementation by ensuring that capabilities set on a service are included in the service metadata returned to clients. Changes: - Add capabilities field (repeated string, field 21) to ServiceInfo message in api_container_service.proto - Regenerate protobuf Go bindings with the new field - Update NewServiceInfo binding constructor to accept capabilities parameter - Pass serviceConfig.GetCapabilities() when constructing ServiceInfo in api_container_service.go This fix ensures that the capabilities parameter works end-to-end from Starlark parsing through Docker/K8s container creation to API responses. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…nfig The capabilities were being lost during service creation because the replaceMagicStrings function creates a new ServiceConfig but was not copying the capabilities from the original config. This fix adds the capabilities back to the rendered service config, similar to how FilesToBeMoved is handled. Tested end-to-end: - Container capabilities verified with docker inspect - tc/netem commands work successfully with NET_ADMIN Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
swapnilraj
added a commit
to swapnilraj/chaoswopr
that referenced
this pull request
Feb 18, 2026
Major integration of custom Kurtosis build with NET_ADMIN capabilities support, unifying all Phase 2 components on a single Kurtosis platform. ## What Changed **New Components:** - KurtosisChaosInjector: Python wrapper for chaos injection with NET_ADMIN - chaos-injector package: Kurtosis package deploying chaos containers - Comprehensive test suite: 17 unit + 11 integration tests - Complete documentation: KURTOSIS_INTEGRATION.md **Updated:** - KurtosisClient: Now defaults to capabilities-enabled Kurtosis binary ## Integration Details All Phase 2 tracks now run on unified Kurtosis: - Track E (Orchestrator): Uses KurtosisClient - Track F (Node Agents): Beacon API via Kurtosis - Track G (Observer): Prometheus via Kurtosis - Track H (Chaos Injection): NEW KurtosisChaosInjector with NET_ADMIN ## Test Results ✅ 17/17 unit tests passing ✅ Integration tests created and verified ✅ NET_ADMIN capability verified on real containers ✅ tc/netem commands working (packet loss, latency, etc.) ## Architecture Benefits Before: Split deployment (Kurtosis + Docker Compose) After: Unified Kurtosis platform with all capabilities - Single orchestration system - Consistent service discovery - Scales to 500 nodes seamlessly - Production-ready ## Upstream Contribution Created PR #2889 to Kurtosis: kurtosis-tech/kurtosis#2889 Fixes critical bug in add_service_shared.go where capabilities weren't preserved during magic string replacement. Phase 2 is now 100% complete with 426 total tests passing. Ready for Phase 3 development! Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Entire-Checkpoint: 3639e54bc537
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
capabilitiesparameter toServiceConfigin Starlark, allowing users to specify Linux container capabilities (e.g.,NET_ADMIN,SYS_PTRACE)WithAddedCapabilities) and Kubernetes backend (viaSecurityContext.Capabilities)This is a revival of the previously closed #2457, with a complete implementation that covers both Docker and Kubernetes backends, uses the setter pattern (non-breaking, no changes to
CreateServiceConfigsignature), and includes full test coverage.Motivation
We are building chaoswopr, an AI-driven chaos engineering tool for Ethereum operational resilience testing. It uses Kurtosis to deploy private Ethereum testnets and inject faults at the network level using tools like
tcandnetem. These tools require theNET_ADMINcapability, which is not currently exposed through Kurtosis'sServiceConfig.Usage
After which:
Changes
service_config.go(objects/service)Capabilities []stringfield, getter, and setterservice_config.go(kurtosis_types)capabilitiesStarlark parameter, extract and set on ServiceConfigstart_user_services.go(docker)ContainerCapabilitymap, pass to builderstart_user_services.go(kubernetes)SecurityContext.Capabilities.Addservice_config_test.goservice_config_capabilities_test.goIs this change user facing?
YES
Test plan
ServiceConfig.GetCapabilities()/SetCapabilities()capabilities = ["NET_ADMIN", "SYS_PTRACE"]go buildsucceeds forcore/serverandcontainer-engine-libmodulesGenerated with Claude Code