-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Treating unknown/unavailable capabilities #4426
Comments
Here is how I see this. We should distinguish between two types of issues:
We should probably clarify that in runtime-spec, too. An exception to 2 is (d). Since we happened to ignore errors from setting ambient capabilities, we should not error out as it might break some users. Instead, introduce a warning and change it to an error in a later version. So, answering my questions above:
|
Maybe we can add some option fields in runtime-spec, the aim of it is to let the user decide whether show an error or a warning. |
In general I'm against such things. Unless there is a strong use case for this, I'd rather not add options like that. I mean, if there is some practical scenario which demonstrates a need for such an option, I'd rather not add it. Software is already very complicated, and by adding such options, we're making it even more complicated. I'd rather have some sane and backward-compatible default and stick with it. @opencontainers/runtime-maintainers WDYT? |
@kolyshkin thanks for providing all the links, it really makes a difference! I agree with you here about no adding more config options, and here about the answers. The short answers for me would be:
Also, it seems worth noting that Kubernetes doesn't support to set ambient caps (there was this KEP kubernetes/enhancements#2763, that was never implemented and dropped for userns) and it seems docker doesn't set ambient capabilities either. Therefore, a big chunk of our users won't be affected by this. This is what I tested wtith docker:
|
I understand the problem that the spec change was trying to fix, but the problem is that "ignore options specified by a user in But yeah, adding a warning at least would be nice... /cc @opencontainers/runtime-spec-maintainers |
I agree with all of this, fwiw ❤️ |
Description
This is more of a request for comments than a bug.
Background
(a) runc and runtime-spec used to treat capabilities from config.json as a must (i.e. if a requested capability could not be set, an error must be returned).
(b) This has changed in runtime-spec since opencontainers/runtime-spec#1094. The spec now says:
(c) The above change was partially implemented in #2854. By "partially" I mean that runc now warns, not errors, in the following two cases:
(d) Also, due to a bug in capability package (fixed in it's moby/sys fork, see kolyshkin/capability#3), any error when raising an ambient capability (using
prctl(PR_CAP_AMBIENT)
) which is not present in both the permitted and the inheritable sets was silently ignored.(e) For all other cases, such as when a valid (known and supported) capability can not be granted, runc still returns an error. This includes:
prctl(PR_CAPBSET_DROP)
) when runc doesn't haveCAP_SETPCAP
(unlikely to happen);Questions
@opencontainers/runc-maintainers PTAL.
The text was updated successfully, but these errors were encountered: