Fix privilege acquisition to work better with docker #4538

Merged
merged 1 commit into from Nov 5, 2018

2 participants
@shinrich
Member

shinrich commented Nov 2, 2018

This problem was noted by people trying to make Traffic Server work in docker without complete privileges. The current code tries to grab all privileges at once. If any privilege fails, no privilege is granted. In the standard --privileged case only the CAP_NET_BIND_SERVICE is granted (of the privileges we care about), and for a basic reverse proxy that is the only capability needed, but the Traffic Server code would try to get all three of CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK and fail. So the Traffic Server process running in the docker container could not listen on low ports.

This code change attempts to get the capabilities one at a time so that capabilities that can be granted will be granted.

@shinrich shinrich added this to the 9.0.0 milestone Nov 2, 2018

@shinrich shinrich self-assigned this Nov 2, 2018
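The difference between the two acquisition strategies described in the PR description, as an added example that is not code from this pull request or from Traffic Server: one `capset()` call for all three capabilities fails as a whole when any one is not permitted, while one call per capability keeps whatever can be granted. It assumes Linux and uses the raw `capget`/`capset` syscalls for the calling thread; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The three capabilities named in the PR description; all are < 32 (word 0). */
static const int WANTED[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK};
enum { NWANTED = sizeof(WANTED) / sizeof(WANTED[0]) };

/* capget()/capset() for the calling thread (pid 0) via raw syscalls. */
static int cap_state(int set, struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = {_LINUX_CAPABILITY_VERSION_3, 0};
    return (int)syscall(set ? SYS_capset : SYS_capget, &h, d);
}

/* Mask of WANTED capabilities in the permitted set (0 if capget fails). */
unsigned permitted_wanted(void) {
    struct __user_cap_data_struct d[2];
    unsigned m = 0;
    if (cap_state(0, d) != 0) return 0;
    for (int i = 0; i < NWANTED; i++) m |= d[0].permitted & (1u << WANTED[i]);
    return m;
}

/* All-at-once: a single capset(); one non-permitted bit fails the whole call. */
int raise_all_at_once(void) {
    struct __user_cap_data_struct d[2];
    if (cap_state(0, d) != 0) return -1;
    for (int i = 0; i < NWANTED; i++) d[0].effective |= 1u << WANTED[i];
    return cap_state(1, d);
}

/* One at a time: a capset() per capability; returns the mask actually granted. */
unsigned raise_one_at_a_time(void) {
    unsigned granted = 0;
    for (int i = 0; i < NWANTED; i++) {
        struct __user_cap_data_struct d[2];
        if (cap_state(0, d) != 0) continue;
        d[0].effective |= 1u << WANTED[i];
        if (cap_state(1, d) == 0) granted |= 1u << WANTED[i];
    }
    return granted;
}

int main(void) {
    printf("all at once: %s\n", raise_all_at_once() == 0 ? "ok" : "refused");
    printf("one at a time: granted mask 0x%x\n", raise_one_at_a_time());
    return 0;
}
```

In a container whose permitted set lacks some of the three, the first call is refused and the second reports only the bits that were actually permitted.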

@shukitchan

Contributor

shukitchan commented Nov 2, 2018

[approve ci]

@shukitchan

It has been working fine for us after these changes

@shinrich shinrich merged commit 3d7e280 into apache:master Nov 5, 2018

9 checks passed

Jenkins CentOS Build finished.
Jenkins Clang-Analyzer Build finished.
Jenkins Debian Build finished.
Jenkins FreeBSD Build finished.
Jenkins ICC Build finished.
Jenkins RAT Build finished.
Jenkins Ubuntu Build finished.
Jenkins autest Build finished.
Jenkins clang-format Build finished.

@bryancall bryancall added this to 8.0.2 in 8.x releases Nov 19, 2018

@zwoop zwoop moved this from 8.0.2 to 8.1.0 backports in 8.x releases Dec 4, 2018