From 54232c0f282a21c35d853297e87c2beb7321e431 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Fri, 24 May 2019 11:35:11 -0400
Subject: [PATCH] driver/exec: inherit capabilities of nomad process

---
 drivers/shared/executor/executor_linux.go | 31 +++--------------------
 1 file changed, 4 insertions(+), 27 deletions(-)

diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
index cf0aa8df8707..ed3c4ad07e2f 100644
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -31,7 +31,6 @@ import (
 	lconfigs "github.com/opencontainers/runc/libcontainer/configs"
 	ldevices "github.com/opencontainers/runc/libcontainer/devices"
 	lutils "github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )
@@ -551,34 +550,12 @@ func (l *LibcontainerExecutor) handleExecWait(ch chan *waitResult, process *libc
 func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) error {
 	// TODO: allow better control of these
-	// use capabilities list as prior to adopting libcontainer in 0.9
-	allCaps := supportedCaps()
-	cfg.Capabilities = &lconfigs.Capabilities{
-		Bounding:    allCaps,
-		Permitted:   nil,
-		Inheritable: nil,
-		Ambient:     nil,
-		Effective:   nil,
-	}
-	return nil
-}
+	// By default, inherit nomad process linux capabilities, the behavior
+	// prior to adopting libcontainer, in Nomad 0.8
+	cfg.Capabilities = nil
-// supportedCaps returns a list of all supported capabilities in kernel
-func supportedCaps() []string {
-	allCaps := []string{}
-	last := capability.CAP_LAST_CAP
-	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-	for _, cap := range capability.List() {
-		if cap > last {
-			continue
-		}
-		allCaps = append(allCaps, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
-	}
-	return allCaps
+	return nil
 }
 // configureIsolation prepares the isolation primitives of the container.
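Review bot: The new `cfg.Capabilities = nil` line removes the only capability restriction the executor applied (the old code at least pinned `Bounding` to the kernel-supported list), and the comment above it describes only the historical motivation, not the consequence: the task is launched with whatever capability set the Nomad agent process holds, which is the full set when the agent runs as root. I would make that explicit at the point of decision, e.g. `// nil: libcontainer applies no capability set, so the task keeps every capability the nomad agent process has (the full set for a root agent); narrowing this is the TODO above.` I cannot confirm from this hunk alone that libcontainer treats a nil `Capabilities` as "leave the inherited set untouched" rather than "drop everything", so that assumption is worth checking against the runc version pinned in go.mod before relying on it. The `command` parameter is now unused and the function can no longer fail yet still returns `error`; that is acceptable while the TODO stands but deserves a sentence in the function's doc comment so a reader does not look for per-task capability handling here.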