Skip to content

fix: don't attempt to set unavailable capabilities in privileged mode#42911

Closed
smira wants to merge 1 commit intomoby:masterfrom
smira:fix-privileged
Closed

fix: don't attempt to set unavailable capabilities in privileged mode#42911
smira wants to merge 1 commit intomoby:masterfrom
smira:fix-privileged

Conversation

@smira
Copy link
Copy Markdown

@smira smira commented Oct 5, 2021

fixes #42906

Signed-off-by: Andrey Smirnov [email protected]

- What I did

Filtering capabilities via the dockerd process capabilities.

- How I did it

- How to verify it

There should be no changes if dockerd runs with full caps.

But if the dockerd capabilities are reduced, docker run --privileged <anything> fails with apply caps: not permitted.

- Description for the changelog

Set only available capabilities when container runs in --privileged mode.

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah thaJeztah mentioned this pull request Oct 8, 2021
Open
@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Oct 8, 2021

FWIW, I also opened a PR for consideration in runc (opencontainers/runc#3240), to make it match the runtime spec (opencontainers/runc#2854)

@smira
Copy link
Copy Markdown
Author

smira commented Oct 8, 2021

@theJeztah this looks like much better solution, thanks!

@smira smira marked this pull request as draft October 8, 2021 12:39
@smira
Copy link
Copy Markdown
Author

smira commented Oct 8, 2021

I marked this PR as draft, as it works for dockerd on Linux, but breaks in many other places (it works for us as a workaround for now).

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Oct 8, 2021

@theJeztah this looks like much better solution, thanks!

Thanks! I was also considering situations where dockerd / containerd environment !== container environment. Perhaps that's a bit of a corner case, but I know there's work in progress for LCOW (Linux Containers On Windows) in containerd, where runc itself runs inside a VM, and containerd outside of the VM; for that reason, keeping this logic as close to where the container runs as possible could have benefits.

thaJeztah
thaJeztah reviewed Oct 8, 2021
View reviewed changes
Comment thread oci/caps/utils.go
capabilityList[capName] = &c
cc := capability.Cap(i)

capabilityList[c] = &cc
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah Oct 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be using capName as key?

@thaJeztah thaJeztah mentioned this pull request Oct 13, 2021
Merged
@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Oct 14, 2021

Pending the discussion on the runc repository, I opened #42933, which ~ does the same as this PR (with some changes)

@smira
Copy link
Copy Markdown
Author

smira commented Oct 15, 2021

thanks @thaJeztah it looks much better than my draft, so I'm going to close it.

@smira smira closed this Oct 15, 2021
budimanjojo added a commit to budimanjojo/home-cluster that referenced this pull request Jan 13, 2023
@budimanjojo
feat(apps): temporary fix
b47203b 
ref: moby/moby#42911
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah left review comments

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docker container is privileged tries to assume more capabilities than available

3 participants

@smira @thaJeztah @AkihiroSuda