oci.WithPrivileged: set the current caps, not the known caps#5017
Merged
estesp merged 2 commits intocontainerd:masterfrom Feb 23, 2021
Merged
oci.WithPrivileged: set the current caps, not the known caps#5017estesp merged 2 commits intocontainerd:masterfrom
estesp merged 2 commits intocontainerd:masterfrom
Conversation
AkihiroSuda
force-pushed
the
parse-cap
branch
from
061a0d1 to
3440a09
Compare
thaJeztah
requested changes
Feb 6, 2021
AkihiroSuda
force-pushed
the
parse-cap
branch
2 times, most recently
from
e6862c7 to
aa31742
Compare
AkihiroSuda
force-pushed
the
parse-cap
branch
2 times, most recently
from
5bc576c to
98a0349
Compare
AkihiroSuda
force-pushed
the
parse-cap
branch
6 times, most recently
from
312abe7 to
ec4e375
Compare
AkihiroSuda
changed the title
AkihiroSuda
force-pushed
the
parse-cap
branch
from
ec4e375 to
a586e24
Compare
|
Build succeeded.
|
fuweid
reviewed
Feb 8, 2021
Contributor
|
@fuweid other than the nits above is this approach acceptable? kubernetes-sigs/kind#2058 we are trying to figure out if we should implement some workaround specific to our project (a runc shim?) or if we can depend on shipping a broad solution here. also thank you @AkihiroSuda ! |
Member
|
@BenTheElder the approach looks good to me right now:) And I am still wondering whether it is impacted on systemd service case or not. Will update it later |
This change is needed for running the latest containerd inside Docker that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE). Without this change, containerd inside Docker fails to run containers with "apply caps: operation not permitted" error. See kubernetes-sigs/kind 2058 NOTE: The caller process of this function is now assumed to be as privileged as possible. Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
force-pushed
the
parse-cap
branch
from
a586e24 to
a2d1a8a
Compare
No substantial code change Signed-off-by: Akihiro Suda <[email protected]>
Member
|
I was hoping that a null cap list in the oci spec would allow inheriting caps, but nope 😢 |
Contributor
|
gentle ping @dims @dmcgowan (I hope this is OK! in Kubernetes it would be, but I'm not sure here) EDIT: Closely watching this PR as KIND will either have to rollback (and be in an awkward state without #5020), get this patch, or do something hacky to emulate this outside of containerd. |
dweomer
added a commit
to dweomer/cri
that referenced
this pull request
May 20, 2021
This is a CRI-specific backport of the changes in containerd/containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer
added a commit
to k3s-io/cri
that referenced
this pull request
May 20, 2021
This is a CRI-specific backport of the changes in containerd/containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer
added a commit
to dweomer/containerd
that referenced
this pull request
May 20, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer
added a commit
to k3s-io/containerd
that referenced
this pull request
May 20, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer
added a commit
to dweomer/k3s
that referenced
this pull request
May 20, 2021
Pull in backport of containerd/containerd#5017 Addresses k3s-io#3296 Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer
added a commit
to dweomer/k3s
that referenced
this pull request
May 20, 2021
Pull in backport of containerd/containerd#5017 Addresses k3s-io#3296 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to brandond/containerd
that referenced
this pull request
Jul 19, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to brandond/cri
that referenced
this pull request
Jul 20, 2021
This is a CRI-specific backport of the changes in containerd/containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to brandond/containerd
that referenced
this pull request
Jul 20, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to brandond/containerd
that referenced
this pull request
Aug 13, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to k3s-io/containerd
that referenced
this pull request
Oct 4, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
brandond
pushed a commit
to brandond/containerd
that referenced
this pull request
Nov 18, 2021
Backport of containerd#5017 Signed-off-by: Jacob Blain Christen <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change is needed for running the latest containerd inside Docker that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE).
Without this change, containerd inside Docker fails to run containers with "apply caps: operation not permitted" error.
See kubernetes-sigs/kind#2058
NOTE: The caller process of this function is now assumed to be as privileged as possible.