Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE by thaJeztah · Pull Request #41563 · moby/moby

thaJeztah · 2020-10-16T14:44:42Z

This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on --privileged (or CAP_ALL) containers on Kernel 5.8 and up.

While these kernels support these capabilities, the current release of runc ships with an older version of gocapability/capability, and does not know about them, causing an error to be produced.

We can remove this restriction once opencontainers/runc@6dfbe9b is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92).

Thanks to @aiordache for reporting.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

thaJeztah · 2020-10-16T14:45:26Z

@AkihiroSuda @cpuguy83 @tiborvass PTAL

thaJeztah · 2020-10-16T15:02:02Z

FWIW, our CI didn't catch this problem because the current ubuntu LTS version are on kernel < 5.8, therefore docker doesn't set these capabilities when using --privileged (or --cap-add ALL).

I wonder if a long-term solution would be to;

define what capabilities are allowed to be set in the runtime-spec
introduce a special ALL capability in the runtime spec, which would make the runtime responsible for giving the container "all" capabilities. That way runtimes will remain compatible

thaJeztah · 2020-10-16T15:23:24Z

CI will likely fail until #41560 is merged

This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up. While these kernels support these capabilities, the current release of runc ships with an older version of /gocapability/capability, and does not know about them, causing an error to be produced. We can remove this restriction once opencontainers/runc@6dfbe9b is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92). Thanks to Anca Iordache for reporting. Signed-off-by: Sebastiaan van Stijn <[email protected]>

thaJeztah · 2020-10-16T15:53:11Z

Rebased to get the fix from #41560 in

cpuguy83 · 2020-10-16T20:04:27Z

This is unfortunate.

thaJeztah · 2020-10-16T20:54:15Z

Yes, it is; not sure what a better solution is for now (besides hoping on a new runc release soon, and that to be included in containerd 1.3.x)

What do you think of my idea for an ALL capability to be added to the runtime spec to delegate it to runc / the runtime? I can write up a short proposal for that.

thaJeztah · 2020-10-20T11:03:56Z

opened docker/docker-ce-packaging#506, so that for v20.10, we only have to consider containerd v1.4.x to be updated to a newer runc version

thaJeztah added area/runtime Runtime status/2-code-review kind/bugfix PR's that fix bugs labels Oct 16, 2020

thaJeztah added this to the 20.10.0 milestone Oct 16, 2020

thaJeztah mentioned this pull request Oct 16, 2020

[20.10 beta] Unknown capability "CAP_PERFMON" on Linux 5.8.14 #41562

Closed

AkihiroSuda approved these changes Oct 16, 2020

View reviewed changes

thaJeztah force-pushed the hold_that_cap branch from 548d60d to a38b96b Compare October 16, 2020 15:52

tiborvass approved these changes Oct 19, 2020

View reviewed changes

tiborvass merged commit 33be8d4 into moby:master Oct 19, 2020

thaJeztah deleted the hold_that_cap branch October 19, 2020 16:47

thaJeztah mentioned this pull request Oct 20, 2020

[master] Update minimum containerd.io version to v1.4.1 docker/docker-ce-packaging#506

Merged

thaJeztah mentioned this pull request Oct 20, 2020

Proposal: define a "ALL_CAPS" pseudo-capability to grant all capabilities opencontainers/runtime-spec#1071

Open

arlyon mentioned this pull request Nov 3, 2020

Please Provide a Repo for Fedora 33 docker/for-linux#1114

Closed

2 tasks

harche mentioned this pull request Jan 11, 2021

Kubernetes NodeConformance and NodeFeatures jobs failing with latest CRIO cri-o/cri-o#4466

Closed

thaJeztah mentioned this pull request Jan 11, 2021

vendor: update syndtr/gocapability containerd/containerd#4919

Closed

BenTheElder mentioned this pull request Feb 6, 2021

[master] kube-proxy doesn't start up due to "apply caps: operation not permitted" error kubernetes-sigs/kind#2058

Closed

This was referenced Feb 6, 2021

Bump runc binary v1.0.0-rc93 #41994

Merged

Revert "Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE #42011

Merged

thaJeztah mentioned this pull request Mar 9, 2021

runtime should WARN / ignore capabilities that cannot be granted opencontainers/runtime-spec#1094

Merged

thaJeztah mentioned this pull request Jul 7, 2021

Unable to create containers with CAP_PERFMON/CAP_BPF/CAP_CHECKPOINT_RESTORE #42601

Closed

thaJeztah mentioned this pull request Jul 4, 2022

engine: remove CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE from relnotes docker/docs#15050

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE#41563

Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE#41563
tiborvass merged 1 commit intomoby:masterfrom
thaJeztah:hold_that_cap

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

cpuguy83 commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 20, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

cpuguy83 commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 16, 2020

Uh oh!

thaJeztah commented Oct 20, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants