feat: don't drop capabilities if kexec is disabled

It is needed for advanced use cases like Docker-in-Docker, our CI, etc. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
siderolabs · Oct 6, 2021 · 423861c · 423861c
1 parent facc8c3
commit 423861c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 7 deletions.
diff --git a/hack/release.toml b/hack/release.toml
@@ -36,11 +36,31 @@ On bare-metal hardware BIOS POST process might take 10-15 minutes, so Talos rebo
 
 Kexec support can be disabled with the following change to the machine configuration:
 
-```
+```yaml
 machine:
   sysctls:
     kernel.kexec_load_disabled: "1"
 ```
+"""
+
+    [notes.caps]
+        title = "Kexec and capabilities"
+        description = """\
+When kexec support is disabled (see `Reboots via kexec`),
+Talos no longer drops Linux capabilities (`CAP_SYS_BOOT` and `CAP_SYS_MODULES`) for child processes.
+That is helpful for advanced use-cases like Docker-in-Docker.
+
+If you want to permanently disable kexec and capabilities dropping, pass `kexec_load_disabled=1` argument to the kernel.
+For example:
+
+```yaml
+install:
+  extraKernelArgs:
+    - kexec_load_disabled=1
+```
+
+Please note that capabilities are dropped before machine configuration is loaded,
+so disabling kexec via `machine.sysctls` (like in the section `Reboots via kexec`) will not be enough.
 """
 
     [notes.kubespan]

diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -241,6 +241,13 @@ func SetRLimit(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFun
 // DropCapabilities drops some capabilities so that they can't be restored by child processes.
 func DropCapabilities(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
+		prop, err := kernel.ReadParam(&kernel.Param{Key: "kernel.kexec_load_disabled"})
+		if v := strings.TrimSpace(string(prop)); err == nil && v != "0" {
+			logger.Printf("kernel.kexec_load_disabled is %v, skipping dropping capabilities", v)
+
+			return nil
+		}
+
 		// Disallow raising ambient capabilities (ever).
 		secbits := cap.GetSecbits()
 		secbits |=

diff --git a/pkg/kernel/kspp/kspp.go b/pkg/kernel/kspp/kspp.go
@@ -46,7 +46,7 @@ func EnforceKSPPKernelParameters() error {
 	return result.ErrorOrNil()
 }
 
-// GetKernelParams returns the list of KSPP kernels.
+// GetKernelParams returns the list of KSPP kernel parameters.
 func GetKernelParams() []*kernel.Param {
 	return []*kernel.Param{
 		{
@@ -61,11 +61,6 @@ func GetKernelParams() []*kernel.Param {
 			Key:   "kernel.perf_event_paranoid",
 			Value: "3",
 		},
-		// We can skip this kernel because CONFIG_KEXEC is not set.
-		// {
-		// 	Key:   "kernel.kexec_load_disabled",
-		// 	Value: "1",
-		// },
 		{
 			Key:   "kernel.yama.ptrace_scope",
 			Value: "1",