Back by popular demand CAP_SYS_CHROOT #1373
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: rhatdan. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@vrothberg @nalind @Luap99 PTAL
pkg/config/config_test.go
@@ -387,6 +387,10 @@ image_copy_tmp_dir="storage"` | |||
gomega.Expect(config.Engine.NumLocks).To(gomega.BeEquivalentTo(2048)) | |||
gomega.Expect(config.Engine.OCIRuntimes["runc"]).To(gomega.Equal(OCIRuntimeMap["runc"])) | |||
gomega.Expect(config.Containers.CgroupConf).To(gomega.BeNil()) | |||
|
|||
caps, _ := config.Capabilities("", nil, nil) | |||
gomega.Expect(strings.Join(caps, ",")).Should(gomega.ContainSubstring("CAP_SYS_CHROOT")) |
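Review bot: The error returned by config.Capabilities is discarded on the `caps, _ := config.Capabilities("", nil, nil)` line, so a failure inside that call would surface only as a confusing "CAP_SYS_CHROOT not found" rather than as the real cause; capture it and assert `gomega.Expect(err).ToNot(gomega.HaveOccurred())` before checking the list. The membership check itself can be made on the slice with `gomega.Expect(caps).To(gomega.ContainElement("CAP_SYS_CHROOT"))`, which drops the strings.Join (and the dependency on the strings import) and matches a whole element instead of a substring; using `.To` rather than `.Should` also keeps the style consistent with the three assertions above it.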
Should this also be checking for each of the rest of the items in the expected default set?
That's a good idea. To be extra sure we're not regressing in the future.
We do check that above, but that is using the internal list from the code. Do you want to hard code the list again in the test to make sure users change it in both places?
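The alternative raised in this exchange is to pin the expected default capability set in the test itself rather than comparing against the list the code exports. The following is an added example, not code from this PR or from containers/common, of what such a pinned check looks like: an order-insensitive exact-match comparison that reports both capabilities dropped from the defaults (the regression this PR reverts) and capabilities that crept in. The allowlist `expectedDefaultCaps` is constructed for the example (CAP_SYS_CHROOT is the only entry taken from the discussion) and `defaultCapabilities` is a hypothetical stand-in for the function under test, which in the PR is `config.Capabilities`.

```go
package main

import (
	"fmt"
	"sort"
)

// expectedDefaultCaps is a constructed allowlist standing in for the default
// capability set a regression test would hard-code in the test file. It is an
// illustration, not the project's list; CAP_SYS_CHROOT is the only entry the
// PR discussion names.
var expectedDefaultCaps = []string{
	"CAP_CHOWN",
	"CAP_DAC_OVERRIDE",
	"CAP_FOWNER",
	"CAP_FSETID",
	"CAP_KILL",
	"CAP_NET_BIND_SERVICE",
	"CAP_SETFCAP",
	"CAP_SETGID",
	"CAP_SETPCAP",
	"CAP_SETUID",
	"CAP_SYS_CHROOT",
}

// defaultCapabilities is a hypothetical stand-in for the code under test (the
// role config.Capabilities plays in the PR). It returns a copy of the pinned
// list so the example runs offline; a real test would call the library.
func defaultCapabilities() []string {
	return append([]string(nil), expectedDefaultCaps...)
}

// CapabilitySetDiff compares the capability list the code returned with the
// pinned expected set, ignoring order and duplicates, and reports what is
// missing from the returned list and what the allowlist does not contain.
func CapabilitySetDiff(got, want []string) (missing, unexpected []string) {
	gotSet := make(map[string]struct{}, len(got))
	for _, c := range got {
		gotSet[c] = struct{}{}
	}
	wantSet := make(map[string]struct{}, len(want))
	for _, c := range want {
		wantSet[c] = struct{}{}
	}
	for c := range wantSet {
		if _, ok := gotSet[c]; !ok {
			missing = append(missing, c)
		}
	}
	for c := range gotSet {
		if _, ok := wantSet[c]; !ok {
			unexpected = append(unexpected, c)
		}
	}
	// Sorted output keeps failure messages deterministic across map iteration.
	sort.Strings(missing)
	sort.Strings(unexpected)
	return missing, unexpected
}

// MatchesPinnedDefaults is the exact-match assertion a regression test makes:
// dropping a capability (the regression this PR reverts) and silently adding
// one (widening the default privilege set) both fail it, so either change has
// to be made deliberately in the code and in the test.
func MatchesPinnedDefaults(got []string) bool {
	missing, unexpected := CapabilitySetDiff(got, expectedDefaultCaps)
	return len(missing) == 0 && len(unexpected) == 0
}

func main() {
	fmt.Println("current defaults match pinned set:", MatchesPinnedDefaults(defaultCapabilities()))

	// Constructed regression: the list with CAP_SYS_CHROOT removed again.
	var regressed []string
	for _, c := range defaultCapabilities() {
		if c != "CAP_SYS_CHROOT" {
			regressed = append(regressed, c)
		}
	}
	missing, unexpected := CapabilitySetDiff(regressed, expectedDefaultCaps)
	fmt.Printf("regressed list: missing=%v unexpected=%v\n", missing, unexpected)

	// Constructed widening: CAP_SYS_ADMIN slipped into the defaults.
	widened := append(defaultCapabilities(), "CAP_SYS_ADMIN")
	missing, unexpected = CapabilitySetDiff(widened, expectedDefaultCaps)
	fmt.Printf("widened list: missing=%v unexpected=%v\n", missing, unexpected)
}
```

The trade-off the thread describes holds here: the list lives in two places, and that duplication is the point, since a change to the defaults then shows up as a test failure that has to be acknowledged rather than passing because the test reads the same slice the code does.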
Sorry for pushing. Can we get this in today and cut a release? Need to backport it to Podman v4.4 branch for the release on Thursday.
LGTM
We are getting a lot of issues on our removal of CAP_SYS_CHROOT from the default list of capabilities used by Podman, so adding it back until we do a major release. This capability is also needed to successfully run the quay.io/buildah/stable image with Podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@vrothberg @nalind PTAL
Pretty sure I don't have the privs in this repository, but:
You do :) With great power, comes great responsibility. Thanks! I can cut a release tomorrow and take care of vendoring unless @rhatdan beats me to it :)
Is there an associated BZ for this for RHEL? I don't see one, and this should not have been put into the v0.51 branch without one..... @rhatdan @vrothberg
@TomSweeneyRedHat This discussion was started because of RHEL. I think @jnovy already patched the containers.conf downstream to address it so this should not change anything.
It's OK to be in the v0.51 branch. This is used for upstream Podman and is not used in Podman