File capabilities (xattrs) are not preserved in final ROCK image layers. #683

aznashwan opened this issue Aug 27, 2024 · 2 comments
aznashwan commented Aug 27, 2024

Bug Description

File capabilities set via xattrs on files during ROCK build time are not preserved in the final ROCK image.

There are numerous examples of OCI images which are run as a non-root user but require root-like capabilities like binding port numbers under 1024 with cap_net_bind_service (e.g. the Nginx Ingress Controller image which runs as www-data).

To Reproduce

Build the below-listed rockcraft.yaml sample and check the caps in the final file as follows:

cd /path/to/rockfile/dir

# Build and upload the rock:
rockcraft --verbose --debug pack
rockcraft.skopeo --insecure-policy copy oci-archive:caps-test-rock_v1.0.0_amd64.rock docker-daemon:caps-test-rock:v1.0.0

# NOTE: `-v` makes `setcap` check the given caps are present on the file:
docker run --entrypoint setcap caps-test-rock:v1.0.0 -v cap_net_bind_service=+ep /example.sh
# /example.sh differs in [pe]
# $? = 1

Environment

Host: Ubuntu 22.04 on x86_64 VM on VMWare
Rockcraft: 1.5.3 installed via snap
Docker: 24.0.7-0ubuntu2~22.04.1 amd64 installed via apt

rockcraft.yaml

name: caps-test-rock
summary: Test image to showcase snap caps preservation issues.
description: Test image to showcase snap caps preservation issues.

version: v1.0.0
license: Apache-2.0

base: [email protected]
build-base: [email protected]
platforms:
  amd64:
  # arm64:

services:
  sleep:
    command: sleep inf
    override: replace
    startup: enabled

parts:
  setup:
    plugin: nil

    build-packages:
      - libcap2-bin

    stage-packages:
      - libcap2-bin
      - coreutils

    override-build: |
      set -eux

      echo -e "#!/bin/bash\necho Hello!" > $CRAFT_PART_INSTALL/example.sh

      setcap    cap_net_bind_service=+ep $CRAFT_PART_INSTALL/example.sh
      # NOTE: `-v` makes `setcap` check the given caps are present on the file
      # and will exit non-zero if it doesn't, so the caps are set during build:
      setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/example.sh

Relevant log output

No relevant logs to share...
aznashwan (author) commented:

> There are numerous examples of OCI images which are run as a non-root [...] (e.g. the Nginx Ingress Controller image which runs as www-data).

Also wanted to confirm the caps are present in non-ROCK images:

docker run -u root --rm -it --entrypoint bash registry.k8s.io/ingress-nginx/controller:v1.11.0 -c "apk update && apk add libcap && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller"
# /nginx-ingress-controller: OK
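The reproduction above checks capabilities from inside a running container. The following is an added example (not code from the issue or from rockcraft) that performs the same check offline on a layer tarball: it decodes the `security.capability` xattr (struct vfs_cap_data, as written by setcap) from the pax record that GNU tar and Go's archive/tar use, so a build pipeline can assert that a layer kept its file capabilities before the image is pushed. The one-file layer it builds is a constructed sample, and the capability table is only the subset needed here.

```python
import io
import struct
import tarfile
# Capability bit numbers from <linux/capability.h> (subset; unknown bits are reported as cap_N).
CAP_BITS = {"cap_chown": 0, "cap_net_bind_service": 10, "cap_net_raw": 13, "cap_sys_admin": 21}
CAP_NAMES = {bit: name for name, bit in CAP_BITS.items()}
# pax record under which GNU tar and Go's archive/tar (hence Docker/containerd layers) store this xattr.
XATTR_KEY = "SCHILY.xattr.security.capability"
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x1

def encode_vfs_cap_v2(permitted, inheritable=(), effective=True):
    """Build the raw security.capability value (struct vfs_cap_data, revision 2)."""
    p = sum(1 << CAP_BITS[c] for c in permitted)
    i = sum(1 << CAP_BITS[c] for c in inheritable)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    # Layout: u32 magic_etc, then {permitted, inheritable} for the low and the high 32-bit words.
    return struct.pack("<5I", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)

def decode_vfs_cap(raw):
    """Return (permitted, inheritable, effective) from the xattr bytes; revision 3 only appends a rootid."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    if (magic & 0xFF000000) not in (VFS_CAP_REVISION_2, 0x03000000):
        raise ValueError("unsupported vfs_cap revision in magic 0x%08x" % magic)
    def names(word):
        return {CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (word >> b) & 1}
    return names(p_lo | p_hi << 32), names(i_lo | i_hi << 32), bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def layer_file_caps(layer_bytes):
    """Map path -> decoded caps for each regular file in a layer tar that still carries the xattr."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if member.isfile() and value is not None:
                # tarfile decodes pax values as UTF-8 with surrogateescape; reverse that to get raw bytes.
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found

def build_layer(path, content, xattr=None):
    """Constructed sample layer (not a real rock): one file, optionally carrying security.capability."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo(path)
        info.size, info.mode = len(content), 0o755
        if xattr is not None:
            info.pax_headers = {XATTR_KEY: xattr.decode("utf-8", "surrogateescape")}
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Run `layer_file_caps` over each layer blob of the extracted OCI archive: a file that carried capabilities at build time but is absent from the result had its xattr dropped in that layer.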

cjdcordeiro (collaborator) commented:
Thanks for raising this @aznashwan

For future reference, here's the original discussion.
