Fix privilege acquisition to work better with docker #4538

merged 1 commit into from Nov 5, 2018


2 participants

shinrich commented Nov 2, 2018

This problem was noted by people trying to make Traffic Server work in docker without complete privileges. The current code tries to grab all privileges at once. If any privilege fails, no privilege is granted. In the standard --privileged case only the CAP_NET_BIND_SERVICE is granted (of the privileges we care about), and for a basic reverse proxy that is the only capability needed, but the Traffic Server code would try to get all three of CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK and fail. So the Traffic Server process running in the docker container could not listen on low ports.

This code change attempts to get the capabilities one at a time so that capabilities that can be granted will be granted.

@shinrich shinrich added this to the 9.0.0 milestone Nov 2, 2018

@shinrich shinrich self-assigned this Nov 2, 2018
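
The all-or-nothing failure and the per-capability fix described above, as an added example that is not the Traffic Server patch. It uses the raw Linux `capget`/`capset` syscalls instead of libcap (an assumption, so that it builds without extra libraries), and all function names are hypothetical.

```cpp
// Added example, not Traffic Server code; function names are hypothetical.
#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <cstdint>
#include <cstdio>

// The three capabilities named in the PR description (all below bit 32).
static const int WANTED[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK};
static const uint32_t WANTED_MASK =
  (1u << CAP_NET_ADMIN) | (1u << CAP_NET_BIND_SERVICE) | (1u << CAP_IPC_LOCK);

// Thin wrapper over capget/capset for the calling thread (pid 0).
static bool cap_sys(long nr, __user_cap_data_struct *d) {
  __user_cap_header_struct h = {_LINUX_CAPABILITY_VERSION_3, 0};
  return syscall(nr, &h, d) == 0;
}

// Wanted capabilities that are in the permitted set, i.e. what the container allows.
uint32_t permitted_wanted() {
  __user_cap_data_struct d[2] = {};
  return cap_sys(SYS_capget, d) ? (d[0].permitted & WANTED_MASK) : 0;
}

// One request for all three: the kernel rejects the whole capset call
// if any requested effective bit is missing from the permitted set.
bool acquire_all_at_once() {
  __user_cap_data_struct d[2] = {};
  if (!cap_sys(SYS_capget, d)) return false;
  d[0].effective |= WANTED_MASK;
  return cap_sys(SYS_capset, d);
}

// One request per capability: a refusal only costs that capability.
// Returns the mask of capabilities that were actually raised.
uint32_t acquire_one_at_a_time() {
  uint32_t granted = 0;
  for (int cap : WANTED) {
    __user_cap_data_struct d[2] = {};
    if (!cap_sys(SYS_capget, d)) break;  // re-read so earlier grants are kept
    d[0].effective |= (1u << cap);
    if (cap_sys(SYS_capset, d)) granted |= (1u << cap);
  }
  return granted;
}

int main() {
  bool all = acquire_all_at_once();
  std::printf("permitted=0x%x all-at-once=%s one-at-a-time=0x%x\n", permitted_wanted(),
              all ? "ok" : "failed", acquire_one_at_a_time());
}
```

In a container whose permitted set lacks one of the three, the all-at-once call fails while the per-capability loop still raises the ones that are permitted.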



shukitchan commented Nov 2, 2018

[approve ci]


It has been working fine for us after these changes

@shinrich shinrich merged commit 3d7e280 into apache:master Nov 5, 2018

9 checks passed

Jenkins CentOS Build finished.
Jenkins Clang-Analyzer Build finished.
Jenkins Debian Build finished.
Jenkins FreeBSD Build finished.
Jenkins ICC Build finished.
Jenkins RAT Build finished.
Jenkins Ubuntu Build finished.
Jenkins autest Build finished.
Jenkins clang-format Build finished.

@bryancall bryancall added this to 8.0.2 in 8.x releases Nov 19, 2018

@zwoop zwoop moved this from 8.0.2 to 8.1.0 backports in 8.x releases Dec 4, 2018
