Adding setcap to the Dockerfile causes the HasModifiedFiles check in Preflight 1.6.1 to fail #969
Comments
This should not be a failure. I'm working on a solution. I've identified what happens in the layer that causes this. The problem is not making it so broad of a fix that other things slip through.
If a file in a layer has had setcap used on it, it will show up in the layer, but be unchanged. However, there will be a PAX record that shows the extended attrs. For now, preflight will ignore these files, unless/until we find a situation where we should be more robust in this check and possibly fail it. Fixes #969 Signed-off-by: Brad P. Crochet <brad@redhat.com>
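An added illustration of the situation this commit message describes (not preflight's own code): a later layer re-lists a file with identical bytes and only a PAX record for the capability xattr, which is told apart from a real content change. The helper names, file contents and record value are constructed for the example, and the layer path is written without the leading slash, as tar entries usually are.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

const capKey = "SCHILY.xattr.security.capability" // PAX record carrying the xattr that setcap writes

// makeLayer builds a one-file tar layer in memory (constructed sample input; buffer write errors ignored).
func makeLayer(name, body string, pax map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o755, Size: int64(len(body)), PAXRecords: pax})
	io.WriteString(tw, body)
	tw.Close()
	return buf.Bytes()
}

// lookup returns path's content in a layer, whether its entry has the capability record, and whether it exists.
func lookup(layer []byte, path string) (body []byte, hasCap, found bool) {
	tr := tar.NewReader(bytes.NewReader(layer))
	for h, err := tr.Next(); err == nil; h, err = tr.Next() {
		if h.Name == path && h.Typeflag == tar.TypeReg {
			body, _ = io.ReadAll(tr)
			_, hasCap = h.PAXRecords[capKey]
			return body, hasCap, true
		}
	}
	return nil, false, false
}

// classify compares path in an upper layer with the same path in the base layer.
func classify(base, upper []byte, path string) string {
	b, _, inBase := lookup(base, path)
	u, hasCap, inUpper := lookup(upper, path)
	switch {
	case !inBase || !inUpper: return "not-comparable"
	case !bytes.Equal(b, u): return "modified"
	case hasCap: return "xattr-only" // same bytes, only the capability record was added
	}
	return "unchanged"
}

func main() {
	p, rec := "usr/sbin/xtables-nft-multi", map[string]string{capKey: "constructed"}
	fmt.Println(classify(makeLayer(p, "ELF", nil), makeLayer(p, "ELF", rec), p))
}
```

A file whose bytes differ is still reported as modified even when it also carries the capability record, so the exemption stays narrow.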
Hi @bcrochet @acornett21, thank you for the fix. Could you please let us know when you plan to release Preflight containing this fix?
@tkrishtop We are waiting on a change in go-rpmdb to be merged and referenced in preflight before we cut a release. Reference to PR here
Bug Description
Adding setcap to the Dockerfile causes the HasModifiedFiles check in Preflight 1.6.1 to fail.
Version and Command Invocation
1.6.1
Steps to Reproduce:
setcap CAP_NET_ADMIN,CAP_NET_RAW+eip /usr/sbin/xtables-nft-multi
by building another image quay.io/tkrishtop/setcap-example:v0.0.3 without setcap: This image passes the HasModifiedFiles check
Expected Result
Telco partners often require the use of setcap:
CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_RAW - Permit use of RAW and PACKET sockets.
Containers using setcap do nothing wrong or non-standard; they should pass the certification checks.
Actual Result
check=HasModifiedFiles result=FAILED
Additional Context
Since there is no solution on our side, this issue is becoming urgent and has the potential to impact many Telco partners.
cc: @bcrochet @acornett21