From 736052e30933456cbce6b2c2e954e786000c0952 Mon Sep 17 00:00:00 2001
From: Jess Frazelle
Date: Sun, 17 Apr 2016 21:37:13 -0700
Subject: [PATCH] remove need for any caps
Signed-off-by: Jess Frazelle
---
 Makefile | 1 -
 README.md | 9 +--------
 vendor/github.com/docker/docker/pkg/archive/archive.go | 3 ++-
 .../opencontainers/runc/libcontainer/process_linux.go | 3 ++-
 4 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index 3352159..61ef169 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,6 @@ static: $(BINDIR) rootfs.go
 @echo "+ $@"
 CGO_ENABLED=1 go build -tags "$(BUILDTAGS) cgo static_build" \
 -ldflags "-w -extldflags -static ${LDFLAGS}" -o bin/$(notdir $(IMAGE)) .
- @sudo setcap cap_chown,cap_fowner,cap_dac_override+ep ./bin/$(notdir $(IMAGE))
 @echo "Static container created at: ./bin/$(notdir $(IMAGE))"
 @echo "Run with ./bin/$(notdir $(IMAGE))"
diff --git a/README.md b/README.md
index dc7b695..dfe8fe4 100644
--- a/README.md
+++ b/README.md
@@ -120,11 +120,4 @@ systemd so that this binary is really just the launcher :)
 ## Caveats
-**Caps the binary needs to unpack and set
-the right perms on the rootfs for the userns user**
-
-- **CAP_CHOWN**: chown the rootfs to the userns user
-- **CAP_FOWNER**: chmod rootfs
-- **CAP_DAC_OVERRIDE**: symlinks
-
-**These can be dropped after the rootfs is unpacked and chowned.**
+- cgroups: coming soon
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive.go b/vendor/github.com/docker/docker/pkg/archive/archive.go
index 5f8cd09..f319953 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@@ -421,7 +421,8 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
 chownOpts = &TarChownOptions{UID: hdr.Uid, GID: hdr.Gid}
 }
 if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
- return err
+ logrus.Debugf("lchown archive err: %v", err)
+ // return err
 }
 }
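Review bot: The Lchown failure is now logged at Debug level and extraction continues, so an entry keeps whatever ownership the unprivileged caller can produce and createTarFile's caller has no way to learn that the rootfs ownership it expects was not applied; the commented-out `// return err` left beside it is dead code and should be deleted rather than kept. If best-effort chown is the intended behaviour now that the binary runs without CAP_CHOWN, record that in a comment and log at a severity that is visible by default, e.g. `// Best effort: without CAP_CHOWN ownership cannot be changed; keep extracting.` followed by `logrus.Warnf("lchown %s: %v", path, err)`. The same Debug-level swallow with a commented-out return appears in the process_linux.go hunk. createTarFile begins and ends outside this hunk.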
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
index 8c5a8ac..191760d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
@@ -255,7 +255,8 @@ func (p *initProcess) start() error {
 // Do this before syncing with child so that no children
 // can escape the cgroup
 if err := p.manager.Apply(p.pid()); err != nil {
- return newSystemError(err)
+ logrus.Debugf("cgroups apply err: %v", err)
+ // return newSystemError(err)
 }
 defer func() {
 if err != nil {
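Review bot: A failure from `p.manager.Apply(p.pid())` is now swallowed and start() proceeds to sync with the child, even though the comment two lines above states this step is what keeps children from escaping the cgroup; any limits configured for the container are then silently not enforced, and a Debug-level line is the only trace. Since the README hunk says cgroups are "coming soon", make the unconfined mode explicit rather than accidental: `logrus.Warnf("cgroups not applied, container is running unconfined: %v", err)` with a comment such as `// Running without cgroups is deliberate for the unprivileged build; see README caveats.`, and keep `return newSystemError(err)` for any configuration that actually requests cgroup limits. It is not visible in this hunk whether process_linux.go already imports logrus; if it does not, the vendored file needs that import or it will not build. start() begins and ends outside the hunk.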