
[Userspace Convertor] /usr/bin/ping security capability inconsistency #251

Closed
1 task done
yuchen0cc opened this issue Dec 15, 2023 · 2 comments · Fixed by containerd/overlaybd#302
Labels
bug Something isn't working

Comments

@yuchen0cc (Contributor)

What happened in your environment?

In the converted image, the getcap output for /usr/bin/ping is different from that in the non-converted image.
This causes ping to run into a permission denied issue when the container starts.

Non converted image:

getcap /usr/bin/ping
/usr/bin/ping cap_net_admin,cap_net_raw=p

Converted image:

getcap /usr/bin/ping
# no output

What did you expect to happen?

No response

How can we reproduce it?

Convert a centos image by userspace convertor.

What is the version of your Accelerated Container Image?

accelerated-container-image: v1.0.2
overlaybd: v1.0.7

What is your OS environment?

Centos 8

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.
@yuchen0cc yuchen0cc added the bug Something isn't working label Dec 15, 2023
@yuchen0cc (Contributor, Author)

Linux supports associating capability sets with an executable file. The file capability sets are stored in an extended attribute named security.capability.
For images, security.capability is stored in PAX format with the prefix SCHILY.xattr. in a tarball.
The userspace convertor omits these extended attributes.
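The round trip described above, as an added example that is not part of this issue or of the overlaybd / accelerated-container-image code: a one-entry layer tarball for /usr/bin/ping is built with the xattr carried as the PAX record SCHILY.xattr.security.capability, then re-packed twice, once dropping the PAX records (the lossy behaviour the report describes) and once copying them, and a getcap-style decoder shows the result. The struct layout and constants come from <linux/capability.h> (VFS_CAP_REV_2); the file body, the small capability-name table and the simplified getcap text rendering are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// PAX key tar uses for the xattr, plus vfs_cap_data constants from <linux/capability.h>.
const (
	capXattrKey          = "SCHILY.xattr.security.capability"
	vfsCapRevision2      = 0x02000000
	vfsCapRevisionMask   = 0xFF000000
	vfsCapFlagsEffective = 0x00000001
)

// Subset of capability bit numbers (example table); unknown bits print numerically, as libcap does.
var capNames = map[uint]string{
	0: "cap_chown", 1: "cap_dac_override", 10: "cap_net_bind_service",
	12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin",
}

// encodeCapsV2 builds a VFS_CAP_REV_2 value: 20 little-endian bytes holding
// {magic_etc, permitted_lo, inheritable_lo, permitted_hi, inheritable_hi}.
func encodeCapsV2(permitted, inheritable uint64, effective bool) []byte {
	b := make([]byte, 20)
	magic := uint32(vfsCapRevision2)
	if effective {
		magic |= vfsCapFlagsEffective
	}
	binary.LittleEndian.PutUint32(b[0:], magic)
	binary.LittleEndian.PutUint32(b[4:], uint32(permitted))
	binary.LittleEndian.PutUint32(b[8:], uint32(inheritable))
	binary.LittleEndian.PutUint32(b[12:], uint32(permitted>>32))
	binary.LittleEndian.PutUint32(b[16:], uint32(inheritable>>32))
	return b
}

// capsToText decodes a v2 value into getcap-style text such as "cap_net_admin,cap_net_raw=p"
// (caps grouped by their e/i/p flags; a simplified rendering of libcap's cap_to_text).
func capsToText(b []byte) (string, error) {
	if len(b) != 20 {
		return "", fmt.Errorf("security.capability: want 20 bytes (v2), got %d", len(b))
	}
	magic := binary.LittleEndian.Uint32(b[0:])
	if magic&vfsCapRevisionMask != vfsCapRevision2 {
		return "", fmt.Errorf("security.capability: unsupported revision %#x", magic&vfsCapRevisionMask)
	}
	effective := magic&vfsCapFlagsEffective != 0
	permitted := uint64(binary.LittleEndian.Uint32(b[4:])) | uint64(binary.LittleEndian.Uint32(b[12:]))<<32
	inheritable := uint64(binary.LittleEndian.Uint32(b[8:])) | uint64(binary.LittleEndian.Uint32(b[16:]))<<32
	groups, order := map[string][]string{}, []string{}
	for bit := uint(0); bit < 64; bit++ {
		p, i := permitted&(1<<bit) != 0, inheritable&(1<<bit) != 0
		if !p && !i {
			continue
		}
		flags := ""
		if p && effective {
			flags += "e"
		}
		if i {
			flags += "i"
		}
		if p {
			flags += "p"
		}
		name, ok := capNames[bit]
		if !ok {
			name = fmt.Sprint(bit)
		}
		if _, seen := groups[flags]; !seen {
			order = append(order, flags)
		}
		groups[flags] = append(groups[flags], name)
	}
	parts := make([]string, 0, len(order))
	for _, f := range order {
		parts = append(parts, strings.Join(groups[f], ",")+"="+f)
	}
	return strings.Join(parts, " "), nil
}

// buildLayer constructs a one-entry layer standing in for the CentOS image:
// usr/bin/ping with cap_net_admin,cap_net_raw=p. The body is a placeholder, not an ELF binary.
func buildLayer() ([]byte, error) {
	body := []byte("constructed placeholder for the ping binary")
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Typeflag: tar.TypeReg, Name: "usr/bin/ping", Mode: 0755, Size: int64(len(body)),
		PAXRecords: map[string]string{capXattrKey: string(encodeCapsV2(1<<12|1<<13, 0, false))}}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if _, err := tw.Write(body); err != nil {
		return nil, err
	}
	return buf.Bytes(), tw.Close()
}

// copyLayer re-packs a layer entry by entry. With keepXattrs=false each header is rebuilt from
// the basic fields only, so the SCHILY.xattr.* PAX records (and the file caps) are lost.
func copyLayer(in []byte, keepXattrs bool) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(in))
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return out.Bytes(), tw.Close()
		}
		if err != nil {
			return nil, err
		}
		nh := &tar.Header{Typeflag: hdr.Typeflag, Name: hdr.Name, Linkname: hdr.Linkname, Mode: hdr.Mode,
			Uid: hdr.Uid, Gid: hdr.Gid, Size: hdr.Size, ModTime: hdr.ModTime}
		if keepXattrs {
			nh.PAXRecords = map[string]string{}
			for k, v := range hdr.PAXRecords {
				if strings.HasPrefix(k, "SCHILY.xattr.") {
					nh.PAXRecords[k] = v // carries security.capability across unchanged
				}
			}
		}
		if err := tw.WriteHeader(nh); err != nil {
			return nil, err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return nil, err
		}
	}
}

// getcap mirrors `getcap <path>` against a layer: the cap text, or "" when the entry has no xattr.
func getcap(layer []byte, name string) (string, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return "", fmt.Errorf("%s: not in layer", name)
		}
		if err != nil {
			return "", err
		}
		if hdr.Name != name {
			continue
		}
		v, ok := hdr.PAXRecords[capXattrKey]
		if !ok {
			return "", nil
		}
		return capsToText([]byte(v))
	}
}

func main() {
	orig, err := buildLayer()
	if err != nil {
		panic(err)
	}
	for _, keep := range []bool{false, true} {
		conv, err := copyLayer(orig, keep)
		if err != nil {
			panic(err)
		}
		text, err := getcap(conv, "usr/bin/ping")
		if err != nil {
			panic(err)
		}
		fmt.Printf("keepXattrs=%v: getcap /usr/bin/ping -> %q\n", keep, text)
	}
}
```

Go's archive/tar reader exposes every PAX record on tar.Header.PAXRecords (and the deprecated Xattrs field with the prefix stripped); a converter that rebuilds headers from the basic USTAR fields silently discards them, which is exactly the empty getcap output in the report. Note that the value is raw binary containing NUL bytes, which PAX permits for xattr records, so any intermediate step that treats it as text must not truncate or re-encode it.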

@yuchen0cc (Contributor, Author)

same issue containerd/overlaybd#301
