
Docker image fails: unable to set CAP_SETFCAP effective capability: Operation not permitted #355

Closed
credbbl opened this issue Jun 12, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@credbbl

credbbl commented Jun 12, 2024

Describe the bug
The Docker image fails to start with just this message:

unable to set CAP_SETFCAP effective capability: Operation not permitted

This is part of /usr/local/bin/docker-entrypoint.sh:

sh-4.4$ bash -x /usr/local/bin/docker-entrypoint.sh 
[…]
+ setcap cap_ipc_lock=+ep /usr/bin/bao
unable to set CAP_SETFCAP effective capability: Operation not permitted

To Reproduce
Steps to reproduce the behavior:

  1. Run podman run --rm --read-only -ti quay.io/openbao/openbao:2.0.0-alpha20240329
  2. See error

Environment:

  • Server Operating System/Architecture: Podman 4.3.1 on Debian 12
credbbl added the "bug" label on Jun 12, 2024
@cipherboy
Member

cipherboy commented Jun 13, 2024

Hello @credbbl -- apologies this isn't better documented... The upstream container image was originally used for OpenShift certification and thus required certain capabilities (like CAP_SETFCAP) to be available... Using the (poorly documented) SKIP_SETCAP variable should let you bypass this particular one.

Do you want to open up a documentation change for this one? Curious to get your thoughts on where would be the best place to put it for visibility :-)

Alternatively, @IohannesArnold -- do you know if removing mlock will mean we don't need this? I think this is only used for mlock and thus we can probably drop this entirely when we drop mlock in #354... but not sure if we'll end up needing this for cgroups to work or not.
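A guarded version of the failing setcap step, added here as an example and not code from the openbao project or from any commenter: it reads the effective capability mask from /proc/self/status and skips setcap when CAP_SETFCAP is not effective or SKIP_SETCAP is set, instead of aborting the container start. The bit numbers are the kernel's from linux/capability.h; the masks used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the openbao repository): a capability-aware
# replacement for the entrypoint's unconditional `setcap` call.
# Bit numbers are the kernel's constants from <linux/capability.h>.
CAP_IPC_LOCK=14
CAP_SETFCAP=31

# cap_in_mask HEXMASK BIT: succeed when BIT is set in the hex mask
# (the format of the CapEff line in /proc/<pid>/status).
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps [STATUSFILE]: print the CapEff mask of the current
# process (or of the given status file, which keeps this testable).
effective_caps() {
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < "${1:-/proc/self/status}"
    return 1
}

# should_setcap HEXMASK SKIP: succeed only when setcap can work, i.e.
# the operator did not set SKIP_SETCAP and CAP_SETFCAP is effective.
should_setcap() {
    [ -z "$2" ] || return 1
    cap_in_mask "$1" "$CAP_SETFCAP"
}

# maybe_setcap BINARY: the guarded form of the entrypoint line
# `setcap cap_ipc_lock=+ep /usr/bin/bao`; never aborts the container.
maybe_setcap() {
    if should_setcap "$(effective_caps)" "${SKIP_SETCAP:-}"; then
        setcap cap_ipc_lock=+ep "$1"
    else
        echo "skipping setcap on $1 (SKIP_SETCAP set or CAP_SETFCAP not effective)" >&2
    fi
}

# Demo on constructed masks: the first has bit 31 set, the second does not.
for mask in 00000000a80425fb 00000000000405fb; do
    if should_setcap "$mask" ""; then
        echo "$mask: would run setcap"
    else
        echo "$mask: would skip setcap"
    fi
done
```

In the entrypoint, `maybe_setcap /usr/bin/bao` replaces the bare `setcap` line, so a rootless podman run without CAP_SETFCAP logs a skip and continues.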

@IohannesArnold
Contributor

removing mlock will mean we don't need this?

I believe this is correct. I have it removed on my local branch.

@credbbl
Author

credbbl commented Jun 17, 2024

Could you quote the part of the OpenShift certification that requires CAP_SETFCAP? Also I'm pretty sure OpenStack does not really like non-immutable containers very much, which this already is.

@cipherboy
Member

@credbbl I couldn't when I went looking. I wasn't directly involved in the certification effort upstream earlier (it was owned more on the partner side), but I was attempting to help clean up some of these container behaviors to be more forgiving and wasn't able to get it merged for that reasoning... I suspect either my memory is flawed or certification requirements might've changed? Not sure!

As we don't have resources to pursue OpenShift certification ourselves and I've been unable to find a source requiring it, we're going to drop mlock in #363.

@cipherboy
Member

Closing as #363 was merged :-) Thanks all!
