Fix file capabilites droping in Dockerfile #42934
As mentioned on #42655 (comment), the
If this code must be called for VFS, I guess the boolean should be set to
That's correct, the Boolean should be set to
@thaJeztah I can't speak for @sargun but the feeling I get is that copying xattrs has been removed to speed copying up. d2b71b2
moby/daemon/graphdriver/copy/copy.go Lines 90 to 91 in c09789c
moby/pkg/system/xattrs_linux.go Lines 8 to 11 in c09789c
I'd lean towards the suggestion of unconditionally enabling xattrs copying, as the current implementation is simply incorrect.
ae672cd to 97ec8da
I've updated the commit by changing copyXattrs to moby/daemon/graphdriver/copy/copy.go Lines 259 to 261 in 33a3680
out of moby/daemon/graphdriver/copy/copy.go Line 258 in 33a3680
You should only copy the security.capability xattr in the VFS graphdriver, and not the trusted.overlay.opaque one.
674ddc7 to 2509ff0
@sargun @thaJeztah Is the PR in current form ok with you?
2e2c06e to c5a883b
c5a883b to b99128e
@sargun @thaJeztah
nit.. comments for the modified DirCopy() func and field name copyXattrs should be modified to reflect the boolean is just for switching off copying xattr trusted.overlay.opaque
LGTM functionally.. just the nit comment regarding variable naming and existing api // comments
b99128e to a73e49d
doCopyXattrs() never reached due to copyXattrs boolean being false, as a result file capabilities not being copied.
moved copyXattr() out of doCopyXattrs()

Signed-off-by: Illo Abdulrahim <abdulrahim.illo@nokia.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
a73e49d to 31f654a
I rebased the PR, renamed the
LGTM, thanks! And sorry for the long delay; this one dropped off my radar, and I saw the PR was still marked with "missing DCO", but that looks to have been resolved since.
LGTM
fixes #42655
- What I did
moved copyXattr function out of doCopyXattrs function, so that security capabilities are copied
- How I did it
doCopyXattrs() never reached due to copyXattrs boolean being false, as a result file capabilities not being copied.
- How to verify it
Test Case
Test Result
- Description for the changelog
Fixed issue of file capabilities dropping when moving to next command in Dockerfile during image building.
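
The gating problem and the fix discussed in this PR, modelled as an added Go example (not moby's code): an in-memory map stands in for the xattr syscalls so it runs unprivileged, and the names `xattrs`, `copyBefore`, `copyAfter`, `copyOpaque` and the sample paths and values are assumptions made for illustration.

```go
package main

import "fmt"

const (
	capAttr    = "security.capability"    // file capabilities
	opaqueAttr = "trusted.overlay.opaque" // overlay-only directory marker
)

// xattrs is a constructed in-memory stand-in for the xattr syscalls: path -> name -> value.
type xattrs map[string]map[string][]byte

func (x xattrs) copyXattr(src, dst, attr string) {
	if v, ok := x[src][attr]; ok {
		if x[dst] == nil {
			x[dst] = map[string][]byte{}
		}
		x[dst][attr] = append([]byte(nil), v...)
	}
}

// copyBefore: one boolean gates every xattr, so a caller passing false
// (as described for VFS) silently drops security.capability as well.
func (x xattrs) copyBefore(src, dst string, copyXattrs bool) {
	if copyXattrs {
		x.copyXattr(src, dst, capAttr)
		x.copyXattr(src, dst, opaqueAttr)
	}
}

// copyAfter: capabilities are always copied; the boolean (copyOpaque is a
// hypothetical name) only controls the overlay opaque marker.
func (x xattrs) copyAfter(src, dst string, copyOpaque bool) {
	x.copyXattr(src, dst, capAttr)
	if copyOpaque {
		x.copyXattr(src, dst, opaqueAttr)
	}
}

// sample returns a constructed source entry carrying both attributes.
func sample() xattrs {
	return xattrs{"/src/app": {capAttr: []byte("constructed-cap"), opaqueAttr: []byte("y")}}
}

func main() {
	a, b := sample(), sample()
	a.copyBefore("/src/app", "/dst/app", false)
	b.copyAfter("/src/app", "/dst/app", false)
	fmt.Println("before keeps cap:", a["/dst/app"][capAttr] != nil, "| after keeps cap:", b["/dst/app"][capAttr] != nil)
}
```

With the flag set to false, the "before" shape leaves the destination without `security.capability`, while the "after" shape keeps it and still skips `trusted.overlay.opaque`.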