Revert "Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE

[thaJeztah]

fixes #42601

Revert "Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE"

Now that runc v1.0.0-rc93 is used, we can revert this temporary workaround

This reverts commit a38b96b (#41563).

relates to:

• [20.10 beta] Unknown capability "CAP_PERFMON" on Linux 5.8.14 #41562 [20.10 beta] Unknown capability "CAP_PERFMON" on Linux 5.8.14
• [master] kube-proxy doesn't start up due to "apply caps: operation not permitted" error kubernetes-sigs/kind#2058 [master] kube-proxy doesn't start up due to "apply caps: operation not permitted" error
• Proposal: define a "ALL_CAPS" pseudo-capability to grant all capabilities opencontainers/runtime-spec#1071

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[AkihiroSuda]

This will break dind (Docker 21 in Docker 20.10). I still think containerd/containerd#5017 is the right approach.

[AkihiroSuda]

(Might be fine for runc >= rc94, though, as runc >= rc94 does not raise error on unknown caps opencontainers/runc#2854)

[AkihiroSuda]

What's current status?

[thaJeztah]

What's current status?

I rebased to trigger CI again. I think this one should be fine now that we're on runc > rc94, correct?

[thaJeztah]

Failure is unrelated; TestCreateParallel tracked through #42582

[2021-07-19T08:35:11.641Z] === Failed
[2021-07-19T08:35:11.641Z] === FAIL: libnetwork/drivers/bridge TestCreateParallel (0.73s)
[2021-07-19T08:35:11.641Z] time="2021-07-19T08:32:14Z" level=warning msg="bridge store not initialized. kv object docker/network/v1.0/bridge/net87/ is not added to the store"
[2021-07-19T08:35:11.641Z] time="2021-07-19T08:32:15Z" level=warning msg="bridge store not initialized. kv object docker/network/v1.0/bridge/net51/ is not added to the store"
[2021-07-19T08:35:11.641Z]     bridge_test.go:1133: Success should be 1 instead: 2

[thaJeztah]

hmpf

RPC failed; curl 56 GnuTLS recv error (-54): Error in the pull function.
fatal: the remote end hung up unexpectedly
fatal: early EOF
``

[thaJeztah]

@AkihiroSuda @cpuguy83 PTAL

[cpuguy83]

LGTM

[thaJeztah]

Failure is unrelated, but looks like that one is flaky as well

 === FAIL: libnetwork/networkdb TestNetworkDBNodeJoinLeaveIteration (5.81s)
[2021-07-29T18:12:43.071Z]     networkdb_test.go:511: Network existence verification failed
[2021-07-29T18:12:43.071Z]     networkdb_test.go:513: The networkNodes list has to have be 2 instead of 1 - [8518394491d6]

[thaJeztah]

Opened #42698 to track that one

[mqasimsarfraz]

Hi, Is there a plan to back port this to stable release? The use case for this has been explained here.

[mqasimsarfraz]

@thaJeztah @cpuguy83 any thoughts on above?

[ymanton]

CRIU has merged patches to use CAP_CHECKPOINT_RESTORE in checkpoint-restore/criu#1930. This allows us to build images containing checkpointed processes that can be restored in containers with far fewer privileges and capabilities. The benefits here are much faster startup and reduced time to first response.

Podman and others support it, so it would really be nice to have Docker support in stable releases finally.