beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE

Browse source 
This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.

While these kernels support these capabilities, the current release of
runc ships with an older version of /gocapability/capability, and does
not know about them, causing an error to be produced.

We can remove this restriction once 6dfbe9b807
is included in a runc release and once we stop supporting containerd 1.3.x
(which ships with runc v1.0.0-rc92).

Thanks to Anca Iordache for reporting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2020-10-16 16:38:48 +02:00
parent bebbec4e89
commit a38b96b8cd
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
oci/caps/utils.go
View file

@ -16,6 +16,18 @@ func init() {
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
if last > capability.CAP_AUDIT_READ {
// Prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
// capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.
// While these kernels support these capabilities, the current release of
// runc ships with an older version of /gocapability/capability, and does
// not know about them, causing an error to be produced.
//
// FIXME remove once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a
// is included in a runc release and once we stop supporting containerd 1.3.x
// (which ships with runc v1.0.0-rc92)
last = capability.CAP_AUDIT_READ
}
for _, cap := range capability.List() {
if cap > last {
continue