containerd / accelerated-container-image

A production-ready remote container image format (overlaybd) and snapshotter based on block-device.
Apache License 2.0

[Userspace Convertor] /usr/bin/ping security capability inconsistency #251

Closed yuchen0cc closed 9 months ago

yuchen0cc commented 9 months ago

What happened in your environment?

In the converted image, the getcap output for /usr/bin/ping differs from the non-converted image. This causes ping to run into a permission denied issue when the container starts.

Non converted image:

getcap /usr/bin/ping
/usr/bin/ping cap_net_admin,cap_net_raw=p

Converted image:

getcap /usr/bin/ping
# no output

What did you expect to happen?

No response

How can we reproduce it?

Convert a centos image by userspace convertor.

What is the version of your Accelerated Container Image?

accelerated-container-image: v1.0.2 overlaybd: v1.0.7

What is your OS environment?

Centos 8

Are you willing to submit PRs to fix it?

yuchen0cc commented 9 months ago

Linux supports associating capability sets with an executable file. The file capability sets are stored in an extended attribute named security.capability. For images, security.capability is stored in PAX format with the prefix SCHILY.xattr. in the tarball. The userspace convertor omits these extended attributes.
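The mechanism described above, as an added Go example that is not code from the accelerated-container-image project: a layer tarball carrying `/usr/bin/ping` with a `security.capability` xattr (encoded as the PAX record `SCHILY.xattr.security.capability`), a lossy re-pack that rebuilds each header from only name/mode/size and therefore drops the record, and a faithful re-pack that carries `PAXRecords` through. The file body is a constructed stand-in for the ping binary, and the `vfs_cap_data` revision-2 encoder/decoder is written here for illustration so the result can be shown in the form `getcap` prints.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// PAX record key under which tar stores the security.capability xattr.
const capXattrKey = "SCHILY.xattr.security.capability"

// Only the two capability numbers needed for this example (from linux/capability.h).
var capNames = map[uint32]string{12: "cap_net_admin", 13: "cap_net_raw"}

// encodeFileCaps builds a 20-byte VFS_CAP_REVISION_2 security.capability value
// with the given permitted bits, no inheritable bits and the effective flag clear
// (what getcap prints as "=p").
func encodeFileCaps(permitted uint64) []byte {
	buf := make([]byte, 20)
	binary.LittleEndian.PutUint32(buf[0:], 0x02000000)           // magic_etc: revision 2, flags 0
	binary.LittleEndian.PutUint32(buf[4:], uint32(permitted))     // data[0].permitted
	binary.LittleEndian.PutUint32(buf[8:], 0)                     // data[0].inheritable
	binary.LittleEndian.PutUint32(buf[12:], uint32(permitted>>32)) // data[1].permitted
	binary.LittleEndian.PutUint32(buf[16:], 0)                    // data[1].inheritable
	return buf
}

// decodeFileCaps renders a revision-2 security.capability value the way getcap does.
func decodeFileCaps(v []byte) (string, error) {
	if len(v) != 20 {
		return "", fmt.Errorf("unsupported security.capability length %d", len(v))
	}
	magic := binary.LittleEndian.Uint32(v[0:])
	if magic&0xFF000000 != 0x02000000 {
		return "", fmt.Errorf("unsupported vfs_cap_data revision 0x%08x", magic)
	}
	permitted := uint64(binary.LittleEndian.Uint32(v[4:])) | uint64(binary.LittleEndian.Uint32(v[12:]))<<32
	var names []string
	for i := uint32(0); i < 64; i++ {
		if permitted&(1<<i) != 0 {
			name, ok := capNames[i]
			if !ok {
				name = fmt.Sprintf("cap_%d", i)
			}
			names = append(names, name)
		}
	}
	flags := "p"
	if magic&0x1 != 0 { // VFS_CAP_FLAGS_EFFECTIVE
		flags = "ep"
	}
	return strings.Join(names, ",") + "=" + flags, nil
}

// buildSourceLayer constructs an in-memory layer tarball: one regular file
// usr/bin/ping whose header carries cap_net_admin,cap_net_raw in the permitted set.
func buildSourceLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("#!/bin/sh\necho ping\n") // constructed stand-in for the real binary
	hdr := &tar.Header{
		Name: "usr/bin/ping", Mode: 0755, Size: int64(len(body)), Typeflag: tar.TypeReg,
		PAXRecords: map[string]string{capXattrKey: string(encodeFileCaps(1<<12 | 1<<13))},
	}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// copyLayer re-packs every entry of src, passing each header through rewrite.
func copyLayer(src []byte, rewrite func(*tar.Header) *tar.Header) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(src))
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if err := tw.WriteHeader(rewrite(hdr)); err != nil {
			return nil, err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// copyLayerLossy rebuilds headers from a few basic fields: the PAX records, and
// with them security.capability, are silently dropped (the symptom in this issue).
func copyLayerLossy(src []byte) ([]byte, error) {
	return copyLayer(src, func(h *tar.Header) *tar.Header {
		return &tar.Header{Name: h.Name, Mode: h.Mode, Size: h.Size, Typeflag: h.Typeflag}
	})
}

// copyLayerFaithful copies the whole header, including PAXRecords, so the xattr survives.
func copyLayerFaithful(src []byte) ([]byte, error) {
	return copyLayer(src, func(h *tar.Header) *tar.Header {
		out := *h
		out.PAXRecords = make(map[string]string, len(h.PAXRecords))
		for k, v := range h.PAXRecords {
			out.PAXRecords[k] = v
		}
		return &out
	})
}

// getcapFromLayer returns the getcap-style string for path, or "" when the entry
// has no security.capability record (what the converted image shows).
func getcapFromLayer(layer []byte, path string) (string, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return "", fmt.Errorf("%s not found in layer", path)
		}
		if err != nil {
			return "", err
		}
		if hdr.Name != path {
			continue
		}
		v, ok := hdr.PAXRecords[capXattrKey]
		if !ok {
			return "", nil
		}
		return decodeFileCaps([]byte(v))
	}
}

func main() {
	src := buildSourceLayer()
	lossy, _ := copyLayerLossy(src)
	faithful, _ := copyLayerFaithful(src)
	for name, layer := range map[string][]byte{"source": src, "lossy": lossy, "faithful": faithful} {
		caps, err := getcapFromLayer(layer, "usr/bin/ping")
		fmt.Printf("%-8s /usr/bin/ping %q err=%v\n", name, caps, err)
	}
}
```

The check a converter needs is the one `copyLayerFaithful` performs: whatever else it rewrites, every `SCHILY.xattr.*` record read from the source header must reach the header it writes, otherwise file capabilities (and any other xattr the image relies on) are lost without any error.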

yuchen0cc commented 9 months ago

same issue https://github.com/containerd/overlaybd/issues/301