New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerfiles: run rpm --setcaps shadow-utils
during build
#256
Conversation
What exactly does rpm --setcaps do to shadow-utils? Does it add the filecaps back in? |
Ubuntu man pages says:
|
Yes, it resets the file capabilities on files from that package, particularly |
/retest |
/test e2e-aws-cgroupsv2 |
1 similar comment
/test e2e-aws-cgroupsv2 |
/retest |
1 similar comment
/retest |
@nalind I believe we are still working on getting builds to pass with cgroupsv2. Do we explicitly need that to test this update? |
No, whether or not the |
/retest |
Given that we're not supposed to be blocking on the |
/retest |
1 similar comment
/retest |
Our base images don't preserve file capabilities on /usr/bin/newuidmap and /usr/bin/newgidmap, but they do preserve setuid/setgid bits, which grant more privileges to callers, so go ahead and restore file capabilities during the build. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
LGTM |
/retest |
/assign @coreydaley for approve |
/lgtm |
@nalind So, should we be using |
Both should work. --setcaps is more specific to the problem, since it is only fixing file caps. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: coreydaley, gabemontero, nalind The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/label docs-approved No user-facing docs are needed for this change |
/label px-approved No impact on product experience |
/cc @jitendar-singh Do we risk this breaking our build in OSBS? Otherwise I think our existing regression/CI tests are sufficient here. |
Perhaps we can merge this, and revert it if it starts causing errors at image build time? |
Looks like it's just waiting on the qe-approved label. |
/label qe-approved |
Our base images don't preserve file capabilities on
/usr/bin/newuidmap
and/usr/bin/newgidmap
, but they do preserve setuid/setgid bits, which grant more privileges to callers, so go ahead and restore file capabilities during the build.