remove need for any caps

Signed-off-by: Jess Frazelle <jess@mesosphere.com>

Makefile

@@ -40,7 +40,6 @@ static: $(BINDIR) rootfs.go
 	@echo "+ $@"
 	CGO_ENABLED=1 go build -tags "$(BUILDTAGS) cgo static_build" \
 		-ldflags "-w -extldflags -static ${LDFLAGS}" -o bin/$(notdir $(IMAGE)) .
-	@sudo setcap cap_chown,cap_fowner,cap_dac_override+ep ./bin/$(notdir $(IMAGE))
 	@echo "Static container created at: ./bin/$(notdir $(IMAGE))"
 	@echo "Run with ./bin/$(notdir $(IMAGE))"
 

README.md

@@ -120,11 +120,4 @@ systemd so that this binary is really just the launcher :)
 
 ## Caveats
 
-**Caps the binary needs to unpack and set
-the right perms on the rootfs for the userns user**
-
-- **CAP_CHOWN**: chown the rootfs to the userns user
-- **CAP_FOWNER**: chmod rootfs
-- **CAP_DAC_OVERRIDE**: symlinks
-
-**These can be dropped after the rootfs is unpacked and chowned.**
+- cgroups: coming soon

vendor/github.com/docker/docker/pkg/archive/archive.go

@@ -421,7 +421,8 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
 			chownOpts = &TarChownOptions{UID: hdr.Uid, GID: hdr.Gid}
 		}
 		if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
-			return err
+			logrus.Debugf("lchown archive err: %v", err)
+			// return err
 		}
 	}
 

vendor/github.com/opencontainers/runc/libcontainer/process_linux.go

@@ -255,7 +255,8 @@ func (p *initProcess) start() error {
 	// Do this before syncing with child so that no children
 	// can escape the cgroup
 	if err := p.manager.Apply(p.pid()); err != nil {
-		return newSystemError(err)
+		logrus.Debugf("cgroups apply err: %v", err)
+		// return newSystemError(err)
 	}
 	defer func() {
 		if err != nil {