Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE #41563
FWIW, our CI didn't catch this problem because the current Ubuntu LTS versions are on kernel < 5.8, therefore docker doesn't set these capabilities when using

I wonder if a long-term solution would be to;

CI will likely fail until #41560 is merged
This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up. While these kernels support these capabilities, the current release of runc ships with an older version of /gocapability/capability, and does not know about them, causing an error to be produced. We can remove this restriction once opencontainers/runc@6dfbe9b is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92). Thanks to Anca Iordache for reporting. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
548d60d to a38b96b
Rebased to get the fix from #41560 in

This is unfortunate.

Yes, it is; not sure what a better solution is for now (besides hoping for a new runc release soon, and for that to be included in containerd 1.3.x). What do you think of my idea for an

Opened docker/docker-ce-packaging#506, so that for v20.10, we only have to consider containerd v1.4.x to be updated to a newer runc version
fixes #41562

This prevents docker from setting `CAP_PERFMON`, `CAP_BPF`, and `CAP_CHECKPOINT_RESTORE` capabilities on `--privileged` (or `CAP_ALL`) containers on Kernel 5.8 and up. While these kernels support these capabilities, the current release of runc ships with an older version of gocapability/capability, and does not know about them, causing an error to be produced.

We can remove this restriction once opencontainers/runc@6dfbe9b is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92).

Thanks to @aiordache for reporting.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
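The mismatch the PR works around, shown as an added Go example (not moby's or runc's own code): a daemon derives the "all capabilities" set from the highest capability number the running kernel reports (on a real host that value is read from `/proc/sys/kernel/cap_last_cap`), then withholds the capabilities the bundled runtime cannot parse so that a `--privileged` / `CAP_ALL` container does not fail to start on kernel 5.8 and up. The `capNumbers` table is a constructed subset of the kernel's numbering, and `runtimeCaps` and `notYetInRuntime` are names chosen for this example; a deny list like this is deliberately the thing to delete once the runtime catches up, which is why the withheld names are returned for logging rather than silently dropped.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed subset of the kernel's capability numbering
// (include/uapi/linux/capability.h); the full table has more entries.
// CAP_PERFMON and CAP_BPF appear with kernel 5.8, CAP_CHECKPOINT_RESTORE
// shortly after, so an older kernel reports a lower cap_last_cap and
// simply never offers them.
var capNumbers = map[string]int{
	"CAP_CHOWN":              0,
	"CAP_NET_ADMIN":          12,
	"CAP_SYS_ADMIN":          21,
	"CAP_AUDIT_READ":         37,
	"CAP_PERFMON":            38,
	"CAP_BPF":                39,
	"CAP_CHECKPOINT_RESTORE": 40,
}

// Capabilities the kernel may know about but the shipped OCI runtime does
// not (runc v1.0.0-rc92 in the PR's case). Temporary deny list: remove an
// entry once the runtime understands that capability.
var notYetInRuntime = map[string]bool{
	"CAP_PERFMON":            true,
	"CAP_BPF":                true,
	"CAP_CHECKPOINT_RESTORE": true,
}

// runtimeCaps returns the capability names to hand to the runtime for a
// privileged container, given the kernel's highest capability number
// (cap_last_cap). The second value lists capabilities the kernel supports
// but that were withheld, so the caller can log the reduced set.
func runtimeCaps(capLastCap int) (kept, withheld []string) {
	for name, num := range capNumbers {
		if num > capLastCap {
			continue // kernel does not have this capability; nothing to decide
		}
		if notYetInRuntime[name] {
			withheld = append(withheld, name)
			continue
		}
		kept = append(kept, name)
	}
	sort.Strings(kept)
	sort.Strings(withheld)
	return kept, withheld
}

func main() {
	// 37 models a pre-5.8 kernel, 40 a kernel that knows all three new caps.
	for _, last := range []int{37, 40} {
		kept, withheld := runtimeCaps(last)
		fmt.Printf("cap_last_cap=%d kept=%v withheld=%v\n", last, kept, withheld)
	}
}
```

On the pre-5.8 kernel nothing is withheld, which is exactly why a CI running on such a kernel never exercised the failing path; on the newer kernel the three capabilities are removed before the spec reaches runc.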