Hadron / carthage

Carthage is an Infrastructure as Code (IAC) framework

Add NET_ADMIN and NET_RAW to support debugging #66

Closed kdienes closed 2 months ago

kdienes commented 2 months ago

This makes debugging dramatically better.

An argument against it is that it exposes more OS surface to the container and that it shouldn't be default.

A better solution might be something like filter_instantiate(OciCapability), with default capabilities taken from a configvar? But I want to get opinions before implementing.

hartmans commented 2 months ago

I definitely don't think this should be the default. I would support a filter_instantiate on OCICapability if simply adding capabilities to podman_options in the layout is not sufficient. CAP_NET_ADMIN tends to end up giving you root on the container host because of various BPF bugs and most recently because of nftables bugs.
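The claim above is about what a capability lets a process do once the container is running, so the check a practitioner wants is on the kernel's view, not on the podman command line: decode CapEff from /proc/<pid>/status and diff it against the baseline the layout is supposed to produce. The following is an added example, not Carthage code and not something either participant posted. Bit numbers are those of linux/capability.h (CAP_NET_ADMIN is bit 12, CAP_NET_RAW bit 13); EXAMPLE_BASELINE is an assumed allowlist for the example, and SAMPLE_STATUS is a constructed status excerpt.

```python
import re

# Added example (not Carthage project code). Capability bit numbers are from
# linux/capability.h; CAP_NET_ADMIN is bit 12 and CAP_NET_RAW is bit 13.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}
KNOWN_MASK = sum(1 << bit for bit in CAP_BITS.values())


def parse_capeff(status_text):
    """Return the CapEff bitmask (an int) from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Translate a capability bitmask into a set of CAP_* names.

    Bits this table does not know about are reported as UNKNOWN(...) rather
    than silently dropped, so a newer kernel cannot hide a capability."""
    names = {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}
    unknown = mask & ~KNOWN_MASK
    if unknown:
        names.add("UNKNOWN(0x%x)" % unknown)
    return names


def unexpected_caps(mask, baseline):
    """Capabilities present in mask that the baseline allowlist does not grant."""
    return decode_caps(mask) - set(baseline)


def read_capeff(pid):
    """CapEff of a live process, e.g. a container's init process whose pid
    comes from: podman inspect --format '{{.State.Pid}}' NAME"""
    with open("/proc/%d/status" % pid) as f:
        return parse_capeff(f.read())


# Assumed allowlist for this example: what a non-debug container should have.
# Take the real one from default_capabilities in your containers.conf.
EXAMPLE_BASELINE = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
    "CAP_SETUID", "CAP_SYS_CHROOT",
})

# Constructed excerpt of /proc/<pid>/status for a container started with
# NET_ADMIN and NET_RAW added on top of EXAMPLE_BASELINE (0x800405fb | bits 12, 13).
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000800435fb\n"
    "CapEff:\t00000000800435fb\n"
    "CapBnd:\t00000000800435fb\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    mask = parse_capeff(SAMPLE_STATUS)
    print("effective:", sorted(decode_caps(mask)))
    print("beyond baseline:", sorted(unexpected_caps(mask, EXAMPLE_BASELINE)))
```

On a running container the same check is `podman exec NAME grep CapEff /proc/self/status` fed to parse_capeff; an empty result from unexpected_caps is what "not the default" should look like for every container that is not explicitly a debug container.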

kdienes commented 2 months ago

Sounds right.

If I did filter_instantiate(OCICapability), is there a way I could add_provider(CAP_NET_ADMIN) top-level for all of my containers, but then remove CAP_NET_ADMIN from one of them?

hartmans commented 2 months ago

Let's assume something like

import dataclasses
from carthage.dependency_injection import Injectable, InjectionKey

@dataclasses.dataclass
class OciCapability(Injectable):
    capability: str
    # instance method: the key carries the capability name as a constraint
    def default_instance_injection_key(self):
        return InjectionKey(OciCapability, capability=self.capability)

Then to add you can do

add_provider(OciCapability("CAP_NET_ADMIN"))

And to remove

add_provider(InjectionKey(OciCapability, capability='CAP_NET_ADMIN'), dependency_quote(None))

kdienes commented 2 months ago

dependency_quote(None) makes sense and is super useful to know in general
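The add-at-top-level, remove-in-one-child pattern the thread settles on is easiest to see end to end. What follows is an added example, not Carthage code and not posted by either participant: a self-contained stand-in for the injector semantics under discussion, with InjectionKey, OciCapability, dependency_quote, add_provider and filter_instantiate as assumed minimal models of the Carthage names (the real API differs), plus two assumed helpers, podman_cap_options and build_layout. The point it shows is that a child scope's dependency_quote(None) override removes the capability for that child only, while the parent and a sibling still get it.

```python
import dataclasses

# Added example (not Carthage code): a minimal model of the injector pattern
# in the thread. Names mirror the discussion; the real Carthage API differs.


@dataclasses.dataclass(frozen=True)
class InjectionKey:
    target: type
    constraints: tuple = ()          # sorted (name, value) pairs, hashable

    @classmethod
    def make(cls, target, **constraints):
        return cls(target, tuple(sorted(constraints.items())))


@dataclasses.dataclass(frozen=True)
class OciCapability:
    capability: str

    def default_instance_injection_key(self):
        return InjectionKey.make(OciCapability, capability=self.capability)


@dataclasses.dataclass(frozen=True)
class _Quoted:
    value: object


def dependency_quote(value):
    """Mark a value to be stored verbatim, not treated as a class to construct."""
    return _Quoted(value)


class Injector:
    def __init__(self, parent=None):
        self.parent = parent
        self._providers = {}

    def add_provider(self, key_or_obj, provider=None):
        """add_provider(obj) keys on obj.default_instance_injection_key();
        add_provider(key, value) registers value under an explicit key."""
        if isinstance(key_or_obj, InjectionKey):
            key, value = key_or_obj, provider
        else:
            key, value = key_or_obj.default_instance_injection_key(), key_or_obj
        if isinstance(value, _Quoted):
            value = value.value
        self._providers[key] = value

    def _collect(self, target):
        """Providers for target, parent first so a child entry overrides it."""
        merged = {}
        if self.parent is not None:
            merged.update(self.parent._collect(target))
        for key, value in self._providers.items():
            if key.target is target:
                merged[key] = value
        return merged

    def filter_instantiate(self, target):
        """All non-removed providers for target; bare classes are constructed."""
        result = []
        for value in self._collect(target).values():
            if value is None:            # dependency_quote(None): removed
                continue
            result.append(value() if isinstance(value, type) else value)
        return result


def podman_cap_options(injector):
    """The --cap-add arguments this scope would put into podman_options."""
    caps = sorted(c.capability for c in injector.filter_instantiate(OciCapability))
    return [arg for cap in caps for arg in ("--cap-add", cap)]


def build_layout():
    """Constructed layout: both debug caps at top level, NET_ADMIN removed
    from one child scope only."""
    top = Injector()
    top.add_provider(OciCapability("CAP_NET_ADMIN"))
    top.add_provider(OciCapability("CAP_NET_RAW"))

    debug = Injector(parent=top)         # inherits both
    hardened = Injector(parent=top)      # same parent, drops CAP_NET_ADMIN
    hardened.add_provider(
        InjectionKey.make(OciCapability, capability="CAP_NET_ADMIN"),
        dependency_quote(None))
    return top, debug, hardened


if __name__ == "__main__":
    top, debug, hardened = build_layout()
    print("top:     ", podman_cap_options(top))
    print("debug:   ", podman_cap_options(debug))
    print("hardened:", podman_cap_options(hardened))
```

The override works because removal is keyed on the same InjectionKey the instance registered itself under, so it shadows exactly one provider in the child scope and leaves every other scope untouched; a hardened container ends up with only CAP_NET_RAW while its debug sibling keeps both.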