docker container is privileged tries to assume more capabilities than available

[smira]

tl;dr is that docker run --privileged tries to assign all known caps, while dockerd itself might not have all caps already.

Background: Talos in new version 0.13 started dropping two capabilities (kexec + module loading) from all processes but PID 1. Talos itself doesn't use dockerd, but if I launch privileged pod on Kubernetes with docker:20.10-dind image, I can't run any privileged container inside:

/ # docker run -it --rm --privileged alpine
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: apply caps: operation not permitted: unknown.

The problem starts in

moby/daemon/exec_linux.go

Line 25 in 306fa44

p.Capabilities.Bounding = caps.GetAllCapabilities()

Which essentially uses the list of capabilities built here:

moby/oci/caps/utils.go

Lines 23 to 37 in 306fa44

	func init() {
	last := capability.CAP_LAST_CAP
	rawCaps := capability.List()
	allCaps = make([]string, min(int(last+1), len(rawCaps)))
	capabilityList = make(map[string]*capability.Cap, len(rawCaps))
	for i, c := range rawCaps {
	capName := "CAP_" + strings.ToUpper(c.String())
	if c > last {
	capabilityList[capName] = nil
	continue
	}
	allCaps[i] = capName
	capabilityList[capName] = &c
	}
	}

This list contains every capability present on the host, which might be not be true (as some capabilities might have already been dropped).

Containerd OCI does proper thing:

https://github.com/containerd/containerd/blob/d193dc2b8afb1467255cea5326e9807514f94c0f/pkg/cap/cap_linux.go#L123-L136

I'm happy to send a PR, but what is the best way to solve this in the docker codebase?

[thaJeztah]

Thanks for reporting; this looks to be related to opencontainers/runtime-spec#1094, which was intended to address these situations. The idea of that is that "higher level" runtimes (containerd, dockerd) would be able to set the set of capabilities, but keeping the OCI runtime the "single source of truth" to handle unknown/unavailable capabilities.

From your description, it looks like the related change in runc (opencontainers/runc#2854) doesn't address this specific case; wondering if it's currently only ignoring "unknown" capabilities, but not "known, but not available" capabilities.

It's been a while since I looked at that, so I would have to dig into what exactly is happening, but if you are interested in looking into that (for runc), let me know.

[smira]

The opencontainers/runtime-spec#1094 seems like a move in the right direction, but it wasn't fully implemented? It seems to only ignore unknown caps which is not quite same as the caps which can't be granted.

But yep, exactly what you said.

My understanding is the bug is clearly in dockerd - it tries to grant all capabilities, while it can only grant those capabilities which are in the effective set of dockerd (it can't grant more that it has).

I was asking whether using cap from containerd would make sense here.