Open marcellourbani opened 4 months ago
Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error.
Thank you for the reply
I saw the FAQ, raised an issue because said container is not privileged. As mentioned above, --privileged does work.
On Sat, 16 Mar 2024, 11:10 Ivan Velichko, @.***> wrote:
Hi Marcello! Thanks for giving it a try! It's a known limitation - there is an F.A.Q item https://github.com/iximiuz/cdebug?tab=readme-ov-file#faq about it. However, what I should probably do is start suggesting the --privileged flag when the command fails with the above error.
Yes, you're right. It's rather an inverse case compared to that FAQ item. By default, the sidecar "inherits" the permissions of the target container, so if the target is not privileged enough, the sidecar won't be able to initialize properly w/o its own escalation. And after writing that, I think the original FAQ item needs to be replaced because it's likely not valid anymore.
Thank you for this tool, very intriguing. I had a go with one of my containers (which does have a shell, but was a good guinea pig regardless). All runs fine with --privileged (tried vim, which was not installed in target), and even without for the distroless created below, but not in my old one, even if not privileged. Not a big deal for me, but worth noting.