containerd / accelerated-container-image

A production-ready remote container image format (overlaybd) and snapshotter based on block-device.
Apache License 2.0

[Userspace Convertor] /usr/bin/ping security capability inconsistency #251

Closed yuchen0cc closed 10 months ago

yuchen0cc commented 11 months ago

What happened in your environment?

In the converted image, the getcap output for /usr/bin/ping differs from that in the non-converted image. This causes ping to run into a permission denied issue when the container starts.

Non converted image:

getcap /usr/bin/ping
/usr/bin/ping cap_net_admin,cap_net_raw=p

Converted image:

getcap /usr/bin/ping
# no output

What did you expect to happen?

No response

How can we reproduce it?

Convert a centos image by userspace convertor.

What is the version of your Accelerated Container Image?

accelerated-container-image: v1.0.2 overlaybd: v1.0.7

What is your OS environment?

Centos 8

Are you willing to submit PRs to fix it?

yuchen0cc commented 11 months ago

Linux supports associating capability sets with an executable file. The file capability sets are stored in an extended attribute named security.capability. For images, security.capability is stored in PAX format with the prefix SCHILY.xattr. in the tarball. The userspace convertor omits these extended attributes.
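As an added example (not code from the accelerated-container-image project): a Go check that reads the PAX records of a layer tar and reports entries whose security.capability record, carried under the SCHILY.xattr. prefix described above, is missing or altered after conversion. The two layers are constructed in memory, and the capability blob is a constructed vfs_cap_data value standing in for the cap_net_admin,cap_net_raw=p shown by getcap.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
)

const capXattr = "SCHILY.xattr.security.capability" // PAX key carrying the security.capability xattr

// fileCaps returns the raw security.capability value of every entry that carries one, keyed by path.
func fileCaps(r io.Reader) (map[string]string, error) {
	caps, tr := map[string]string{}, tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return caps, nil
		} else if err != nil {
			return nil, err
		}
		if v, ok := hdr.PAXRecords[capXattr]; ok {
			caps[hdr.Name] = v
		}
	}
}

// lostCaps lists paths whose capabilities in orig are absent or altered in conv.
func lostCaps(orig, conv map[string]string) (lost []string) {
	for path, want := range orig {
		if conv[path] != want {
			lost = append(lost, path)
		}
	}
	return lost
}

// buildLayer constructs an in-memory layer tar with one usr/bin/ping entry; withCaps decides whether the PAX record is written.
func buildLayer(withCaps bool) *bytes.Buffer {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "usr/bin/ping", Mode: 0o755, Format: tar.FormatPAX}
	if withCaps { // constructed vfs_cap_data v2 blob: cap_net_admin,cap_net_raw permitted, not effective
		hdr.PAXRecords = map[string]string{capXattr: "\x00\x00\x00\x02\x00\x30" + string(make([]byte, 14))}
	}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	tw.Close()
	return &buf
}
```

Run fileCaps over the original and converted layer tars of a real image to confirm the convertor preserved the records; an entry listed by lostCaps will show no capabilities under getcap once the image is unpacked.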

yuchen0cc commented 11 months ago

same issue https://github.com/containerd/overlaybd/issues/301