From 089cb88f17402e81d5a5b1fbaaf59c5af048142b Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Tue, 30 May 2017 17:04:21 +0200
Subject: [PATCH] server: container_create: make the spec hostspecific

node-e2e tests were failing in RHEL because, if running a privileged container, we get all capability in the spec. The spec generator wasn't filtering caps based on actual host caps, it was just adding _everything_. This patch makes spec generator host specific.

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/container_create.go b/server/container_create.go
index 5824d32f..658e993b 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -330,6 +330,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 
 	// creates a spec Generator with the default spec.
 	specgen := generate.New()
+	specgen.HostSpecific = true
 
 	if err := addOciBindMounts(sb, containerConfig, &specgen); err != nil {
 		return nil, err
@@ -456,7 +457,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	if dropCaps != nil {
 		for _, cap := range dropCaps {
 			if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
-				return nil, err
+				logrus.Debugf("failed to drop cap %s: %v", toCAPPrefixed(cap), err)
 			}
 		}
 	}
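Review bot: `specgen.HostSpecific = true` is added with no comment explaining why, and the reason given only in the commit message (the generator presumably filters the default capability set against what this host actually supports, so a privileged container is no longer handed every capability the generator knows about) is not recoverable from the line itself. I would put above it `// HostSpecific: filter the default capability set against what the running host supports, so privileged containers are not granted capabilities this kernel lacks.` It is also worth noting in that comment that the generated spec now depends on the node it was built on and should not be assumed portable between hosts, if that is intended. createSandboxContainer starts and ends outside this hunk.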
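Review bot: Turning a failed `DropProcessCapability` from a returned error into a `logrus.Debugf` means a capability the client explicitly asked to drop can silently stay in the spec, the create still reports success, and nothing is recorded at the default log level. If the only failure this is meant to absorb is "not a capability on this host" (harmless under the new HostSpecific mode, since the cap was never there), that is defensible, but I cannot see DropProcessCapability's error conditions from here and the same branch also swallows an unrecognised name such as a typo in the pod's drop list, which is a fail-open. I would at least raise the severity, `logrus.Warnf("failed to drop cap %s: %v", toCAPPrefixed(cap), err)`, and, if the generator's error lets you distinguish the two cases, keep returning the error for anything other than the unsupported-on-host case. The `for` and `if dropCaps != nil` blocks close inside the hunk, but createSandboxContainer continues beyond it.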