This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.
While these kernels support these capabilities, the current runc release
ships with an older version of the gocapability/capability package that does
not know about them, so runc rejects the container spec with an error.
We can remove this restriction once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a
is included in a runc release and once we stop supporting containerd 1.3.x
(which ships with runc v1.0.0-rc92).
Thanks to Anca Iordache for reporting.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@@ -16,6 +16,18 @@ func init() {
|
| 16 | 16 |
if last == capability.Cap(63) {
|
| 17 | 17 |
last = capability.CAP_BLOCK_SUSPEND |
| 18 | 18 |
} |
| 19 |
+ if last > capability.CAP_AUDIT_READ {
|
|
| 20 |
+ // Prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE |
|
| 21 |
+ // capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up. |
|
| 22 |
+ // While these kernels support these capabilities, the current release of |
|
| 23 |
+ // runc ships with an older version of /gocapability/capability, and does |
|
| 24 |
+ // not know about them, causing an error to be produced. |
|
| 25 |
+ // |
|
| 26 |
+ // FIXME remove once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a |
|
| 27 |
+ // is included in a runc release and once we stop supporting containerd 1.3.x |
|
| 28 |
+ // (which ships with runc v1.0.0-rc92) |
|
| 29 |
+ last = capability.CAP_AUDIT_READ |
|
| 30 |
+ } |
|
| 19 | 31 |
for _, cap := range capability.List() {
|
| 20 | 32 |
if cap > last {
|
| 21 | 33 |
continue |
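Review bot: The new `if last > capability.CAP_AUDIT_READ` clamp silently shrinks the capability set handed to `--privileged` (CAP_ALL) containers on kernels 5.8 and newer, and nothing in the hunk logs or tests that the truncation fired, so an operator whose BPF or perf tooling behaves differently inside a privileged container has no signal pointing here. Consider a debug-level log where `last` is reassigned, if this package already has a logger in scope, plus a unit test pinning the list's upper bound at `capability.CAP_AUDIT_READ`, so the FIXME can neither be dropped accidentally nor outlive its reason unnoticed. The comment should also spell out the assumption that keeps this safe for users, hedged until confirmed: `// NOTE: privileged containers keep CAP_SYS_ADMIN, which the kernel presumably accepts in place of CAP_PERFMON/CAP_BPF/CAP_CHECKPOINT_RESTORE — confirm before relying on it`. The enclosing `func init()` starts before this hunk and continues past its last line.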