• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

Linux capabilities running in a container

steveszabo

New Member
Joined
Sep 10, 2022
Messages
2
Reaction score
0
Credits
18
Trying to understand how to use linux capabilities when running in a container. I'm able to use CAP_DAC_OVERRIDE when running an ubuntu image on an ubuntu host:

Code:
FROM ubuntu:latest

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get install libcap2-bin -y
RUN setcap CAP_DAC_OVERRIDE=eip /usr/bin/cp

USER nobody
ENTRYPOINT ["/usr/bin/cp", "/etc/os-release", "/"]

Code:
$ docker run --cap-add CAP_DAC_OVERRIDE --rm -it --entrypoint=/bin/bash 5f4cf7fc782a
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ getcap /usr/bin/cp
/usr/bin/cp cap_dac_override=eip
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ /usr/bin/cp /etc/os-release /
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ ls -ld /os-release
-rw-r--r-- 1 nobody nogroup 386 Sep 10 00:32 /os-release
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ exit


If I switch to a redhat image running on the same ubuntu host I don't get the same results:

Code:
FROM registry.redhat.io/ubi8/ubi-minimal:8.6-902.1661794353

RUN setcap CAP_DAC_OVERRIDE=eip /usr/bin/cp

USER nobody
ENTRYPOINT ["/usr/bin/cp", "/etc/os-release", "/"]

Code:
$ docker run --cap-add CAP_DAC_OVERRIDE --rm -it --entrypoint=/bin/bash bf84cc52c20a
bash-4.4$
bash-4.4$
bash-4.4$ getcap /usr/bin/cp
/usr/bin/cp cap_dac_override=eip
bash-4.4$
bash-4.4$
bash-4.4$ /usr/bin/cp /etc/os-release /
cp: cannot create regular file '/os-release': Permission denied
bash-4.4$
bash-4.4$
bash-4.4$ exit
 


Case is open with redhat support - this looks like a bug with the ubi8 image
 

Members online


Top