--privileged container required for unprivileged container

[marcellourbani]

Thank you for this tool, very intriguing
I had a go with one of my containers (which does have a shell, but was a good guinea pig regardless)
All runs fine with --privileged (tried vim, which was not installed in target), and even without for the distroless created below but not in my old one, even if not privileged. Not a big deal for me, but worth noting

[iximiuz]

Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error.

[marcellourbani]

Thank you for the reply I saw the faq, raised an issue because said contaner is not privileged. As mentioned above, - - privileged does work

…

On Sat, 16 Mar 2024, 11:10 Ivan Velichko, ***@***.***> wrote: Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item <https://github.com/iximiuz/cdebug?tab=readme-ov-file#faq> about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error. — Reply to this email directly, view it on GitHub <#30 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AASW6HL3OTHOJX6G7JYTDUDYYQSCJAVCNFSM6AAAAABEZG7VBOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBRHE2TCOJRGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[iximiuz]

Yes, you're right. It's rather an inverse case compared to that FAQ item. By default, the sidecar "inherits" the permissions of the target container, so if the target is not privileged enough, the sidecar won't be able to initialize properly w/o its own escalation. And after writing that, I think the original FAQ item needs to be replaced because it's likely not valid anymore.