setcap fails on aufs systems

[sudo-bmitch]

The setcap command itself fails on some systems. I'm seeing this when trying to run a shell as the command (without changing the entrypoint) in 0.6.4):

Failed to set capabilities on file `/bin/vault' (Not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.

I'm even seeing this when I pass --cap-add IPC_LOCK to the run command, running on kernel 3.16.0-4-amd64 (Debian), OS filesystems are ext4 and using the docker storage driver is aufs. Spinning up the container with a shell as my entrypoint, I can also see:

/ # getcap /bin/vault
Failed to get capabilities of file `/bin/vault' (Not supported)

Since the entrypoint starts with a set -e, I believe the script will immediately error out on the first setcap command even if PR#18 is included. Best solution may be to wrap that section of code with an if check, but I haven't had a chance to test this:

if getcap $(readlink -f $(which vault)) >/dev/null 2>&1; then
...
fi

[sudo-bmitch]

After a little more research, it looks like this applies to AUFS storage drivers, I'm not having the same problem on systems with the Overlay driver. See this closed/won't fix issue from Docker for more details.

[jefferai]

@bmitch3020 If you can build the container locally, can you try this on AUFS with setting the SKIP_SETCAP env var non-empty and see if this bypasses the problem for you?

[jefferai]

("this" = "current code" :-) )

[johnrengelman]

Just curious why this suddenly stopped work ing 0.6.4? Works fine in 0.6.2.