
Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE #41563

Merged
merged 1 commit into from
Oct 19, 2020

Conversation

thaJeztah
Member

fixes #41562

This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on --privileged (or CAP_ALL) containers on Kernel 5.8 and up.

While these kernels support these capabilities, the current release of runc ships with an older version of gocapability/capability, and does not know about them, causing an error to be produced.

We can remove this restriction once opencontainers/runc@6dfbe9b is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92).

Thanks to @aiordache for reporting.


@thaJeztah
Member Author

@AkihiroSuda @cpuguy83 @tiborvass PTAL

@thaJeztah
Member Author

FWIW, our CI didn't catch this problem because the current ubuntu LTS versions are on kernel < 5.8, therefore docker doesn't set these capabilities when using --privileged (or --cap-add ALL).

I wonder if a long-term solution would be to:

  • define what capabilities are allowed to be set in the runtime-spec
  • introduce a special ALL capability in the runtime spec, which would make the runtime responsible for giving the container "all" capabilities. That way runtimes will remain compatible
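
To make the workaround in this PR concrete, here is an added, stand-alone Go example (not moby's or runc's own code): it expands "ALL" into the capability set bounded by the kernel's `cap_last_cap`, withholds the three names the bundled runc cannot parse, and reports what was withheld so an operator can see what `--privileged` loses on 5.8+ while the restriction is in place. The `AllCaps` function and the `runtimeUnknown` denylist are this example's own names; the capability table follows the kernel's numbering.

```go
package main

import "fmt"

// capNames lists Linux capabilities indexed by kernel number (include/uapi/linux/capability.h).
// CAP_AUDIT_READ (37) was the last one before kernel 5.8 appended CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// runtimeUnknown is the temporary denylist this PR introduces (example name): capabilities a
// 5.8+ kernel exposes but that the bundled runc (via its older gocapability) cannot parse.
var runtimeUnknown = map[string]bool{
	"CAP_PERFMON": true, "CAP_BPF": true, "CAP_CHECKPOINT_RESTORE": true,
}

// AllCaps (example name) expands "ALL" (--privileged / --cap-add ALL) into the capabilities the
// running kernel knows, bounded by lastCap as read from /proc/sys/kernel/cap_last_cap, then
// withholds the runtime-unknown ones so runc does not reject the spec; dropped lists what was withheld.
func AllCaps(lastCap int) (kept, dropped []string, err error) {
	if lastCap < 0 || lastCap >= len(capNames) {
		return nil, nil, fmt.Errorf("cap_last_cap %d outside known table 0-%d", lastCap, len(capNames)-1)
	}
	for _, name := range capNames[:lastCap+1] {
		if runtimeUnknown[name] {
			dropped = append(dropped, name)
		} else {
			kept = append(kept, name)
		}
	}
	return kept, dropped, nil
}

func main() {
	for _, last := range []int{37, 40} { // 37: pre-5.8 kernel (the CI's LTS hosts); 40: kernel 5.8+
		kept, dropped, _ := AllCaps(last)
		fmt.Printf("cap_last_cap=%d: %d granted, withheld=%v\n", last, len(kept), dropped)
	}
}
```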

@thaJeztah
Member Author

CI will likely fail until #41560 is merged

This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.

While these kernels support these capabilities, the current release of
runc ships with an older version of /gocapability/capability, and does
not know about them, causing an error to be produced.

We can remove this restriction once opencontainers/runc@6dfbe9b
is included in a runc release and once we stop supporting containerd 1.3.x
(which ships with runc v1.0.0-rc92).

Thanks to Anca Iordache for reporting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Member Author

Rebased to get the fix from #41560 in

@cpuguy83
Member

This is unfortunate.

@thaJeztah
Member Author

Yes, it is; not sure what a better solution is for now (besides hoping for a new runc release soon, and for that to be included in containerd 1.3.x)

What do you think of my idea for an ALL capability to be added to the runtime spec to delegate it to runc / the runtime? I can write up a short proposal for that.

@thaJeztah
Member Author

opened docker/docker-ce-packaging#506, so that for v20.10, we only have to consider containerd v1.4.x to be updated to a newer runc version

Successfully merging this pull request may close these issues.

[20.10 beta] Unknown capability "CAP_PERFMON" on Linux 5.8.14
4 participants