oci/caps: limit available capabilities to current environment #42933
Conversation
thaJeztah
added
status/2-code-review
kind/enhancement
thaJeztah
force-pushed
the
limit_caps_to_environment
branch
2 times, most recently
from
f2f8d5d to
35a934f
Compare
oci/caps/cap_linux.go
Outdated
| } | ||
|
|
||
| // current returns a map of the effective known caps of the current process. | ||
| func current() (map[string]capability.Cap, error) { |
There was a problem hiding this comment.
thaJeztah
force-pushed
the
limit_caps_to_environment
branch
3 times, most recently
from
e1c7b2a to
15d9973
Compare
|
Looks like this doesn't solve one of the new test failures; |
thaJeztah
force-pushed
the
limit_caps_to_environment
branch
from
15d9973 to
7f508ef
Compare
I guess that one is unrelated to caps? |
Yes, it looks unrelated to that. That test was already "flaky" #41930, but started failing 100% (?) at the same time as the capabilities issue occurred, which was when Jenkins agents were updated to kernel 5.11 (#42892), so I was hoping it would be related (and fixed by this PR), but more digging is needed for that one (perhaps it's just a race condition somehow) |
|
Other than that, I updated this to use the containerd package and drop the go capabilities dependency as you suggested, so PTAL There's still some code in the moby repository to do the capability "tweaking", and for the error handling etc, but tried to keep it close to what we had. |
In situations where docker runs in an environment where capabilities are limited, sucn as docker-in-docker in a container created by older versions of docker, or in a container where some capabilities have been disabled, starting a privileged container may fail, because even though the _kernel_ supports a capability, the capability is not available. This patch attempts to address this problem by limiting the list of "known" capa- bilities on the set of effective capabilties for the current process. This code is based on the code in containerd's "caps" package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
limit_caps_to_environment
branch
from
7f508ef to
485cf38
Compare
|
@tonistiigi PTAL |
|
Only remaining failure is I'm bringing this one in; CI was just retriggered because I edited the top comment 😞, but it was "green" otherwise before |
fixes #42906 docker container is privileged tries to assume more capabilities than available
replaces / closes #42911 fix: don't attempt to set unavailable capabilities in privileged mode
fixes #42892 Recent test failures in CI (apply caps: operation not permitted) - except for
TestHealthKillContainer, which is tracked in #41930)Relates to:
In situations where docker runs in an environment where capabilities are limited,
sucn as docker-in-docker in a container created by older versions of docker, or
in a container where some capabilities have been disabled, starting a privileged
container may fail, because even though the kernel supports a capability, the
capability is not available.
This patch attempts to address this problem by limiting the list of "known" capa-
bilities on the set of effective capabilties for the current process. This code
is based on the code in containerd's "caps" package
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)