VFS storage driver drops all file capabilities when creating a container #42655

@szubersk

Description

The rootless Docker daemon drops assigned file capabilities when moving on to the next Dockerfile command during image building. The file capability is assigned successfully and lasts until the shell responsible for handling the RUN step exits. This phenomenon occurs when the VFS storage driver is used. The fuse-overlayfs and btrfs drivers work OK. I did not test other drivers.

The file capability drop also happens when a container is created from an image which contains files with capabilities. The capabilities exist on the files in the image (confirmed by inspecting the layers with tar -tvvf - --xattrs-include='security.capability') but they are all gone once the container is created.

Steps to reproduce the issue:
1.

$ cat Dockerfile
FROM library/alpine:latest
RUN apk add libcap
RUN setcap cap_net_admin,cap_net_raw=ep /sbin/apk && getcap -v /sbin/apk && setcap -v cap_net_admin,cap_net_raw=ep /sbin/apk
RUN setcap -v cap_net_admin,cap_net_raw=ep /sbin/apk
$ DOCKER_HOST=tcp://127.0.0.1:2375 docker build -t test .
Sending build context to Docker daemon  6.656kB
Step 1/4 : FROM library/alpine:latest
latest: Pulling from library/alpine
Digest: sha256:234cb88d3020898631af0ccbbcca9a66ae7306ecd30c9720690858c1b007d2a0
Status: Downloaded newer image for alpine:latest
 ---> d4ff818577bc
Step 2/4 : RUN apk add libcap
 ---> Using cache
 ---> 15c1ee283595
Step 3/4 : RUN setcap cap_net_admin,cap_net_raw=ep /sbin/apk && getcap -v /sbin/apk && setcap -v cap_net_admin,cap_net_raw=ep /sbin/apk
 ---> Using cache
 ---> ff5ff263c87f
Step 4/4 : RUN setcap -v cap_net_admin,cap_net_raw=ep /sbin/apk
 ---> Running in 50b2a69b6267
/sbin/apk differs in [pe]
The command '/bin/sh -c setcap -v cap_net_admin,cap_net_raw=ep /sbin/apk' returned a non-zero code: 1

Describe the results you received:
The file capability is assigned and in effect in Step 3. It is somehow lost in Step 4.

Describe the results you expected:
The file capability sticks for the container lifetime.

Additional information you deem important (e.g. issue happens only occasionally):
100% reproducible when VFS storage driver is used.

Output of docker version:

Client:
 Version:           20.10.5+dfsg1
 API version:       1.41
 Go version:        go1.15.9
 Git commit:        55c4c88
 Built:             Sun Jun  6 21:48:06 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:55:29 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 4
  Running: 0
  Paused: 0
  Stopped: 4
 Images: 3
 Server Version: 20.10.7
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.10.0-7-cloud-amd64
 Operating System: Alpine Linux v3.13 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 27.42GiB
 Name: 85e17a587d11
 ID: AOIJ:77TU:DZNO:Z6TT:ITHP:LN5L:K7SI:PRGL:BTYT:JM5S:274C:YVNZ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: szubersk
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.

Additional environment details (AWS, VirtualBox, physical, etc.):
rootless Docker daemon inside "rootful" Docker container using VFS file backend
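The report inspects layers with tar --xattrs-include='security.capability'; as an added example (not from the issue or from Docker's code), the Python below decodes that xattr's binary struct vfs_cap_data so the capability set on a file in an extracted layer can be compared with the same file inside a created container, which is the check that confirms or rules out a drop like the one reported. It assumes a Linux host for describe(); revision 3 of the struct, which the kernel writes when caps are set inside a user namespace (as a rootless daemon's containers are), appends the rootid field.

```python
import errno
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # on exec, effective set := permitted set
REV2, REV3 = 0x02000000, 0x03000000   # rev 3 appends a rootid (namespaced caps)
CAP_NAMES = (  # from <linux/capability.h>; list index == capability bit number
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid "
    "cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast "
    "cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio "
    "cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice "
    "cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write "
    "cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm "
    "cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
).split()


def parse_vfs_cap(blob):
    """Decode struct vfs_cap_data: revision, effective flag, bit sets and rootid."""
    if len(blob) not in (20, 24):
        raise ValueError(f"unexpected security.capability length {len(blob)}")
    magic, p0, i0, p1, i1 = struct.unpack_from("<5I", blob)  # data[0]: caps 0-31, data[1]: 32-63
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in (REV2, REV3) or (rev == REV3) != (len(blob) == 24):
        raise ValueError(f"unsupported or inconsistent revision 0x{magic:08x}")
    bits = lambda m: {b for b in range(64) if (m >> b) & 1}
    return {
        "revision": rev >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": bits(p0 | p1 << 32),
        "inheritable": bits(i0 | i1 << 32),
        # rev 3 only: kuid of the root of the user namespace in which setcap ran
        "rootid": struct.unpack_from("<I", blob, 20)[0] if rev == REV3 else None,
    }


def cap_text(info):
    """Render like getcap output, grouping names by flags in libcap's e,i,p letter order."""
    groups = {}
    for b in sorted(info["permitted"] | info["inheritable"]):
        flags = "e" if info["effective"] and b in info["permitted"] else ""
        flags += ("i" if b in info["inheritable"] else "") + ("p" if b in info["permitted"] else "")
        groups.setdefault(flags, []).append(CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def describe(path):
    # Decode the xattr of a real file (Linux only); None when it carries no capabilities.
    try:
        return cap_text(parse_vfs_cap(os.getxattr(path, "security.capability")))
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
```

Running describe() on /sbin/apk in the extracted layer and on the same path in the created container's root filesystem should give the same text; "cap_net_admin,cap_net_raw=ep" versus None reproduces the drop described above.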
