Support for CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE

[tallossos]

File: engine/release-notes/index.md

Hello,
Few month back, the commit for disabling CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE got reverted (moby/moby#42011), so now we should be able to create containers with these capabilities.
When this feature got disabled in the first place, it didn't get into the changelog (moby/moby#42601 (comment)), so one might think that it should work when it actually can't.
Please mention that using these capabilities should work in versions after this merge.
Thanks.

[stevenjswanson]

I've been trying to CAP_PERFMON to work without success. Is there some branch or tag that has "this merge" (as mentioned above) that I need to be using?

I've tried all the channel settings ("stable", "nightly", etc.) for a clean install from the latest get-docker.com script and consistently get:

# docker run --cap-add CAP_PERFMON hello-world
docker: Error response from daemon: invalid CapAdd: unknown capability: "CAP_PERFMON".

Poking around at runc suggests that my runc support CAP_PERFMON. Here's the relevant section of my config.json,

                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "inheritable": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"

                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE",
"CAP_PERFMON"
                        ]
                },

and runc run container1 completes successfully.

Here's what seems like the relevant version strings (I'm in Ubuntu 20.04 HWE):

# uname -a
Linux da-c3-small-x86-01 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# docker --version
Docker version 20.10.12, build e91ed57

# runc --version
runc version 1.0.2
commit: v1.0.2-0-g52b36a2
spec: 1.0.2-dev
go: go1.16.10
libseccomp: 2.5.1

[thaJeztah]

moby/moby#42011 has been reverted in the master branch, but is not included in the 20.10 release branch (yet), as 20.10 releases originally shipped with a version of containerd and runc that didn't support it (moby/moby#42011)).

Let me open a PR to amend the release notes for 20.10.0

[mqasimsarfraz]

@thaJeztah Will moby/moby#42011 be back ported to 20.10 release? I see that we already updated the runc version in 20.10. I was having issues with dind use cases.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked