-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
containerd stripping filesystem capabilities #2942
Comments
Can you check the discussion in issue #2863 for any difference? |
Hmm... yeah. that does look like it may be the issue. I pulled centos:centos7 and ran it and the capability isn't there. ping works as root, switching to daemon and ping fails. I checked the changelog and that patch hit after the 1.2.2 release happened so looks to be fixed in trunk. How far out is 1.2.3? |
Is there any plans to do a 1.2.3 with the fix in it soon, or should I be looking at building from source? |
#2974 is being used to prepare the 1.2.3 release for this week; a final bug is getting fixed and integrated and then the release should be ready to go. |
Thanks for the heads up. |
Hi @kfox1111 , since containerd has released 1.2.4 which contains the fix, is it ok to close? thanks |
I had previously upgraded to 1.2.4 but hadn't tried unprivileged pings until now. It does not seem to be working: On the host, getting the version verifies it is the right version: So, something is still wrong. Any ideas? |
A thought occurs... The images are still probably cached on the node. Does the fix only apply to newer downloaded/extracted layers? |
Hi @kfox1111 , could you mind to remove the image and repull it again?if
the image was pulled before, the containerd would not add the cap back.
kfox1111 <notifications@github.com>于2019年3月2日 周六01:10写道:
… I had previously upgraded to 1.2.4 but hadn't tried unprivileged pings
until now. It does not seem to be working:
bash-4.2$ getcap /bin/ping
bash-4.2$
bash-4.2$ ping google.com
ping: socket: Operation not permitted
On the host, getting the version verifies it is the right version:
containerd github.com/containerd/containerd v1.2.4 e6b3f56
<e6b3f56>
So, something is still wrong. Any ideas?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2942 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AQsyLZQTJ2yUi4rxkBVOQnXmv7GURr0Dks5vSV8dgaJpZM4aNbTh>
.
|
Yeah. I'll test that. |
Confirmed. Draining the node, removing all the images, then letting workload back on fixes the issue. Thanks! |
thanks! @kfox1111 |
The `nginx-ingress-controller` container relies on filesystem extended attributes to allow permissions to the `nginx` binary and temporary storage ACLs. There's a bug in `containerd` 1.2.1 which causes such xattrs not to be properly unpacked from container image layers. To work-around this, we need a newer version, which is not packaged for CentOS/EPEL. However, since `containerd` is a pure Golang static binary, we can use a package from Fedora. See: kubernetes/ingress-nginx#4061 (comment) See: containerd/containerd#2942
BUG REPORT INFORMATION
Description
We created an image using docker build, that contains a "USER daemon" line setting the default user.
This container functions properly in docker 1.13.
Under containerd xxxx running it:
it has its capabilities stripped off somehow. Doing the same under docker shows:
Output of
containerd --version
:capabilities running as the user on both show the same, correct result:
The text was updated successfully, but these errors were encountered: