Status: Closed (pwFoo closed this issue 6 years ago)
looks like the spec changed
On Wed, Apr 19, 2017 at 9:58 AM, pwFoo notifications@github.com wrote:
Maybe there is something else wrong, but it depends on the capabilities section in the generated config.json.
Converting a simple container (docker export, tar, generate config.json with riddler) works fine, but a privileged container (dind container) fails:
/mnt # runc run dockerd
json: cannot unmarshal array into Go struct field Process.capabilities of type specs.LinuxCapabilities
config.json part:
...
    "cwd": "/",
    "capabilities": [
        "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
        "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
        "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
        "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
        "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
        "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
        "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ"
    ],
    "rlimits": [
...
If I remove the capabilities part between cwd and rlimits it works fine.
Any idea how to fix it?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/jessfraz/riddler/issues/16, or mute the thread https://github.com/notifications/unsubscribe-auth/ABYNbHDCMtp6CHWQkvf16uvEpHOALI7Vks5rxhLvgaJpZM4NBuLy .
--
Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3
You can use an older version of runc, or check out how the capabilities spec changed here https://github.com/opencontainers/runtime-spec/blob/master/config.md and send a PR; I unfortunately don't have adequate time to do it myself.
Thanks! I'll take a look
Example generated by runc spec:
    "capabilities": {
        "bounding": [
            "CAP_AUDIT_WRITE",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE"
        ],
        "effective": [
            "CAP_AUDIT_WRITE",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE"
        ],
        "inheritable": [
            "CAP_AUDIT_WRITE",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE"
        ],
        "permitted": [
            "CAP_AUDIT_WRITE",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE"
        ],
        "ambient": [
            "CAP_AUDIT_WRITE",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE"
        ]
    },
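The two shapes quoted in this thread (the flat array riddler emitted, and the five-set object `runc spec` now produces) are the whole difference behind the unmarshal error. The following Go program is an added example, not riddler's or runc's own code: it rewrites a config.json whose process.capabilities is still the old array into the object form, copying the list into all five sets the way the `runc spec` output above does, and then reports which capabilities go beyond that minimal three-capability default so the reviewer of a privileged (dind) conversion sees what the container is actually being granted. The `LinuxCapabilities` struct is a local mirror of the field names in runtime-spec config.md rather than an import of the opencontainers package, and the `oldConfig` fragment is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// LinuxCapabilities mirrors the five capability sets of the object form that
// runc expects under process.capabilities. Assumption: a local copy of the
// field layout from runtime-spec config.md, not the opencontainers package.
type LinuxCapabilities struct {
	Bounding    []string `json:"bounding,omitempty"`
	Effective   []string `json:"effective,omitempty"`
	Inheritable []string `json:"inheritable,omitempty"`
	Permitted   []string `json:"permitted,omitempty"`
	Ambient     []string `json:"ambient,omitempty"`
}

// RuncSpecDefault is the three-capability set that `runc spec` emitted in the
// example posted in this thread; anything beyond it deserves a second look.
var RuncSpecDefault = []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"}

// ConvertCapabilities takes a whole config.json and, if process.capabilities
// is the old flat array, rewrites it into the object form by copying the list
// into all five sets (as `runc spec` does for its defaults). A config that
// already uses the object form, or has no capabilities key, is returned as-is.
func ConvertCapabilities(configJSON []byte) ([]byte, error) {
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	procRaw, ok := cfg["process"]
	if !ok {
		return configJSON, nil
	}
	var process map[string]json.RawMessage
	if err := json.Unmarshal(procRaw, &process); err != nil {
		return nil, fmt.Errorf("parse process: %w", err)
	}
	capRaw, ok := process["capabilities"]
	if !ok {
		return configJSON, nil
	}
	var flat []string
	if err := json.Unmarshal(capRaw, &flat); err != nil {
		// Not an array: accept it only if it is already the object form.
		var obj LinuxCapabilities
		if err2 := json.Unmarshal(capRaw, &obj); err2 != nil {
			return nil, fmt.Errorf("capabilities is neither array nor object: %w", err2)
		}
		return configJSON, nil
	}
	sort.Strings(flat)
	caps := LinuxCapabilities{Bounding: flat, Effective: flat, Inheritable: flat, Permitted: flat, Ambient: flat}
	capJSON, err := json.Marshal(caps)
	if err != nil {
		return nil, err
	}
	process["capabilities"] = capJSON
	procJSON, err := json.Marshal(process)
	if err != nil {
		return nil, err
	}
	cfg["process"] = procJSON
	return json.MarshalIndent(cfg, "", "  ")
}

// BeyondDefault loads a config in the object form (failing on the old array
// with the same kind of error runc reports) and returns, sorted and
// de-duplicated, every capability in any of the five sets that is not part of
// RuncSpecDefault.
func BeyondDefault(configJSON []byte) ([]string, error) {
	var cfg struct {
		Process struct {
			Capabilities LinuxCapabilities `json:"capabilities"`
		} `json:"process"`
	}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	isDefault := map[string]bool{}
	for _, c := range RuncSpecDefault {
		isDefault[c] = true
	}
	c := cfg.Process.Capabilities
	seen := map[string]bool{}
	var extra []string
	for _, set := range [][]string{c.Bounding, c.Effective, c.Inheritable, c.Permitted, c.Ambient} {
		for _, name := range set {
			if !isDefault[name] && !seen[name] {
				seen[name] = true
				extra = append(extra, name)
			}
		}
	}
	sort.Strings(extra)
	return extra, nil
}

// oldConfig is a constructed config.json fragment in the old flat-array form,
// a shortened stand-in for the riddler output quoted in this thread.
const oldConfig = `{
  "process": {
    "cwd": "/",
    "capabilities": ["CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_KILL", "CAP_AUDIT_WRITE", "CAP_NET_BIND_SERVICE"]
  }
}`

func main() {
	out, err := ConvertCapabilities([]byte(oldConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
	extra, _ := BeyondDefault(out)
	fmt.Println("beyond runc spec default:", extra)
}
```

Round-tripping through `map[string]json.RawMessage` re-orders the top-level keys alphabetically but leaves every other value untouched, and feeding the converted file back into `ConvertCapabilities` is a no-op, so the tool is safe to run twice. Copying the list into the ambient set follows the `runc spec` output above; a stricter policy for the converted container is to shorten that list rather than to carry over the full privileged set the old config held.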
oh yeah, this doesn't support privileged containers, it was not a part of my use case, sorry