dgr test - Capabilities

[nyodas]

With the stage1 from rkt >1.7 the aci-tester fails miserably because it does not have the proper Cgroups Capabilities.

I tried adding them in the tester part of the aci-manifest without success.

[n0rad]

rkt in rkt ? logs ? manifest ?

[nyodas]

Simple dgr test. No rkt in rkt (for now).

systemd 229
rkt 1.7 && rkt 1.8
dgr 69 

The log message is the one from the application (ie: can't set the proper ulimit file. ) Long story short for the php-fpm to works it need CAP_SYS_RESOURCE

[ 2397.060553] aci-php[1154]: Running test file -> php-test.bats
[ 2397.081190] aci-php[1154]: [20-Jun-2016 09:48:23] ERROR: failed to set rlimit_core for this pool. Please check your system limits or decrease rlimit_files. setrlimit(RLIMIT_NOFILE, 10240): Operation not permitted (1)
[ 2397.081532] aci-php[1154]: [20-Jun-2016 09:48:23] ERROR: FPM initialization failed

The manifest.

name: aci.yolo.com/aci-php:{{.version}}-4
aci:
  app:
      exec: [ "/usr/sbin/php5-fpm", "-F" ]
      isolators:
        - name: os/linux/capabilities-retain-set
          value:
            set:
              - CAP_AUDIT_WRITE
              - CAP_CHOWN
              - CAP_DAC_OVERRIDE
              - CAP_FSETID
              - CAP_FOWNER
              - CAP_KILL
              - CAP_MKNOD
              - CAP_NET_RAW
              - CAP_NET_BIND_SERVICE
              - CAP_SETUID
              - CAP_SETGID
              - CAP_SETPCAP
              - CAP_SETFCAP
              - CAP_SYS_CHROOT
              - CAP_SYS_RESOURCE

[n0rad]

capability of aci was not replicated to test aci. I can still not fix it because isolators node is not Marshal-able.

It needs closer look to find a way to do it

[n0rad]

fixed in v72