iximiuz / cdebug

cdebug - a swiss army knife of container debugging
https://iximiuz.com/en/posts/docker-debug-slim-containers/
Apache License 2.0

--privileged container required for unprivileged container #30

Open marcellourbani opened 4 months ago

marcellourbani commented 4 months ago

Thank you for this tool, very intriguing. I had a go with one of my containers (which does have a shell, but was a good guinea pig regardless). All runs fine with --privileged (tried vim, which was not installed in target), and even without for the distroless created below, but not in my old one, even if not privileged. Not a big deal for me, but worth noting.

[image attachment]

iximiuz commented 4 months ago

Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error.

marcellourbani commented 4 months ago

Thank you for the reply

I saw the FAQ, raised an issue because said container is not privileged. As mentioned above, --privileged does work.

On Sat, 16 Mar 2024, 11:10 Ivan Velichko, @.***> wrote:

Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item https://github.com/iximiuz/cdebug?tab=readme-ov-file#faq about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error.


iximiuz commented 4 months ago

Yes, you're right. It's rather an inverse case compared to that FAQ item. By default, the sidecar "inherits" the permissions of the target container, so if the target is not privileged enough, the sidecar won't be able to initialize properly w/o its own escalation. And after writing that, I think the original FAQ item needs to be replaced because it's likely not valid anymore.
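A check in the spirit of what the comment above describes, as an added example (not cdebug's own code): read the target's effective capability mask from /proc/<pid>/status and report which capabilities a debugging sidecar that shares the target's permissions would be missing, so the user can be told to rerun with --privileged before the sidecar fails to initialize. The capability bit numbers come from linux/capability.h; the sample CapEff value 0xa80425fb is Docker's default capability set and is used here as constructed input.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from linux/capability.h.
const (
	capNetAdmin  = 12
	capSysPtrace = 19
	capSysAdmin  = 21
)

var capNames = map[uint]string{capNetAdmin: "CAP_NET_ADMIN", capSysPtrace: "CAP_SYS_PTRACE", capSysAdmin: "CAP_SYS_ADMIN"}

// Constructed sample of /proc/<pid>/status for an unprivileged Docker container
// (0xa80425fb is Docker's default capability set).
const sampleStatus = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

// ParseCapEff extracts the effective capability mask from the text of /proc/<pid>/status.
func ParseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, fmt.Errorf("CapEff line not found")
}

// MissingCaps returns the names of the capabilities in want that mask does not contain.
func MissingCaps(mask uint64, want []uint) []string {
	var missing []string
	for _, c := range want {
		if mask&(1<<c) == 0 {
			missing = append(missing, capNames[c])
		}
	}
	return missing
}

func main() {
	data := sampleStatus // fall back to the constructed sample when /proc is unavailable
	if b, err := os.ReadFile("/proc/self/status"); err == nil {
		data = string(b)
	}
	mask, err := ParseCapEff(data)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if missing := MissingCaps(mask, []uint{capSysPtrace, capSysAdmin, capNetAdmin}); len(missing) > 0 {
		fmt.Printf("target lacks %v; a sidecar sharing its permissions would too, so use --privileged\n", missing)
	} else {
		fmt.Println("target capability set is sufficient for the sidecar")
	}
}
```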