libct/cap: switch to moby/sys/capability #4418
Conversation
lifubang
force-pushed
the
cap-lazy-init
branch
from
4051eaa
to
efa66da
Compare
|
To reviewers: as much as I can figure out this is an alternative to (not a carry of) #4358, which basically replaces its commit: @lifubang it's not correct to use |
Thereas in this PR the warning is like this:
which is less helpful.
Here's a repro: @test "runc run [ambient caps not set in inheritable result in a warning]" {
update_config ' .process.capabilities.inheritable = ["CAP_KILL"]
| .process.capabilities.ambient = ["CAP_KILL", "CAP_CHOWN"]'
runc run test_amb
[ "$status" -eq 0 ]
# This should result in CAP_KILL (0x20) set in ambient.
# CAP_KILL is 5, the bit mask is 0x20 (1 << 5).
[[ "${output}" == *"CapAmb: 0000000000000020"* ]]
}Obviously we can also fix this in moby/sys/capability. Maybe even introduce a "backward compatibility mode" which returns warnings not errors. OTOH I like this PR's approach for its simplicity. |
|
In any case, a warning should be a temporary measure, and we should switch to an error in (say) runc 1.3. |
Yes, it’s helpful, but maybe error in sometimes. I think maybe it should be the job of ‘ github.com/moby/sys/capabilit’, the ‘Apply’ function should return a detailed error, not only the syscall errorno. I wanted to file a proposal in ‘moby/sys’ when I was writing this PR, but I think that it will changes this API’s return type, it belongs to a break change, I still have no good suggestions. |
Indeed. |
I guess we can make Apply try to set all capabilities and return a more detailed error message. As long as it's using %w to embed the low-level error, and the users are using |
Signed-off-by: lfbzhm <[email protected]>
lifubang
force-pushed
the
cap-lazy-init
branch
from
efa66da
to
c0e0cc0
Compare
lifubang
changed the title
This is an example to explain how to keep the behavior or runc after we repalce the package capability. Signed-off-by: lfbzhm <[email protected]>
lifubang
force-pushed
the
cap-lazy-init
branch
from
c0e0cc0
to
c28aa4e
Compare
| @@ -7,6 +7,8 @@ go 1.22 | |||
| // Note that toolchain does not impose a requirement on other modules using runc. | |||
| toolchain go1.22.4 | |||
|
|
|||
| replace github.com/moby/sys/capability v0.3.0 => github.com/lifubang/moby_sys/capability v0.0.0-20241013102214-92ccf7035c8d | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
Which PR? This?
| list := capability.List() | ||
| list, err := capability.ListSupported() | ||
| if err != nil { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
This is not right.
runc features generally show all known features, flags etc., even those not supported by the current kernel, platform etc.
I was thinking about adding --supported flags but never got around to it.
There is a long standing bug in github.com/syndtr/gocapability package:
It will always ignore errors when setting ambient caps.
(Please see kolyshkin/capability#3)
We need to have a compatibility with before even though this bug has been fixed.
As we can learn from the man page for
capabilities(7)andPR_CAP_AMBIENT_RAISE(2const):There are at least 2 conditions to return error when setting ambient caps:
So, it is hard to know whether there is an error before we are doing the really ambient caps set action.
The easiest way is to ignore all ambient caps errors and output a warning log.
PS: Also found another thing we can do more better: moby/sys#163
The original PR(#4358) description:
This has started as a simple way to reduce init() overhead in libcontainer/capabilities, but ended up switching to the fork of gocapability package, and also fixing a big issue in handling of ambient capabilities.