Invalid CapAdd perfmon capability #3960

Open
gnuille opened this issue Jan 11, 2023 · 1 comment
gnuille commented Jan 11, 2023

Description

Although the perfmon capability is available on my system:

> capsh --print | grep cap_perfmon | wc -l
   1

When I try to add the capability through:

> docker run --cap-add CAP_PERFMON -P -it alpine:latest /bin/bash

The command errors:

docker: Error response from daemon: invalid CapAdd: unknown capability: "CAP_PERFMON".
See 'docker run --help'.

Reproduce

docker run --cap-add CAP_PERFMON -P -it alpine:latest /bin/bash

Expected behavior

Should prompt a shell in a container with PERFMON capabilities enabled.

docker version

Client: Docker Engine - Community
 Version:           20.10.22
 API version:       1.41
 Go version:        go1.18.9
 Git commit:        3a2c30b
 Built:             Thu Dec 15 22:28:04 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.22
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.9
  Git commit:       42c8b31
  Built:            Thu Dec 15 22:25:49 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.15
  GitCommit:        5b842e528e99d4d4c1686467debf2bd4b88ecd86
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
  compose: Docker Compose (Docker Inc., v2.14.1)
  scan: Docker Scan (Docker Inc., v0.23.0)

Server:
 Containers: 58
  Running: 0
  Paused: 0
  Stopped: 58
 Images: 157
 Server Version: 20.10.22
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b842e528e99d4d4c1686467debf2bd4b88ecd86
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-57-generic
 Operating System: Ubuntu 22.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 31.19GiB
 Name: guillem-lap
 ID: Z5AD:GQZL:3MXV:DDPD:JNLZ:7ZGF:THZM:S5WV:27XF:G2R6:BBWV:PCVI
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

I have tested the following wordings for the capability in the command docker run --cap-add:

  • CAP_PERFMON
  • cap_perfmon
  • perfmon
  • PERFMON

All of them seem to be getting the CAP_PERFMON prefix on the error output.
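
An added example, not part of the issue or of Docker's code: a kernel-side check that complements the `capsh` test above by reading `/proc` directly, so a host whose kernel lacks CAP_PERFMON can be told apart from one where only the daemon rejects the name. The function names are hypothetical; capability number 38 is taken from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: kernel-side view of CAP_PERFMON, independent of capsh and Docker.
# CAP_PERFMON is capability number 38 in linux/capability.h (added in Linux 5.8).
CAP_PERFMON_NR=38

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in the hex capability mask
# (the format of the CapBnd/CapEff lines in /proc/<pid>/status).
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# kernel_knows_cap LAST_CAP BIT -> exit 0 if the kernel defines capability BIT.
# LAST_CAP is the content of /proc/sys/kernel/cap_last_cap.
kernel_knows_cap() {
    [ "$2" -le "$1" ]
}

# diagnose LAST_CAP BOUNDING_HEXMASK -> prints one verdict word for CAP_PERFMON.
diagnose() {
    if ! kernel_knows_cap "$1" "$CAP_PERFMON_NR"; then
        echo "kernel-too-old"
    elif ! cap_in_mask "$2" "$CAP_PERFMON_NR"; then
        echo "dropped-from-bounding-set"
    else
        echo "kernel-ok"
    fi
}

# Live check on this host (Linux only); skipped if /proc is not available.
if [ -r /proc/sys/kernel/cap_last_cap ] && [ -r /proc/self/status ]; then
    last=$(cat /proc/sys/kernel/cap_last_cap)
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    if [ -n "$last" ] && [ -n "$bnd" ]; then
        echo "cap_last_cap=$last CapBnd=$bnd verdict=$(diagnose "$last" "$bnd")"
    fi
fi
```

A `kernel-ok` verdict on the host means the kernel side is fine and the rejection comes from name validation higher in the stack, which is the situation this issue reports.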

@sam-thibault
Contributor

Looking into the history, this may have been removed from supported capabilities based on libseccomp. We need to look at this some more. related: moby/moby#42011 and moby/moby#44565

May be possible that this works in the new engine release (can test https://github.com/moby/moby/releases/tag/v23.0.0-rc.2)
