what are the minimal required capabilities for cntr #428

Open
suimong opened this issue Jan 13, 2025 · 2 comments

Comments

@suimong

suimong commented Jan 13, 2025

Many of the tools I use daily are installed in userspace, which is not available to root, so if I do sudo cntr attach <container> I lose access to those tools. What works is to assign all capabilities to the cntr executable through setcap; then cntr attach <container> can drop me into a shell that inherits my user's environment (e.g. $PATH), and all the tools are available.

So I wonder, what is the minimal set of capabilities that cntr requires? It would be better if I only granted the necessary capabilities.

@Mic92
Owner

Mic92 commented Jan 13, 2025

Cntr inherits the capabilities from the target namespace, if this is your question?
It might be an option to make this behavior configurable and not inherit capabilities at all.

@suimong
Author

suimong commented Jan 13, 2025

To clarify my situation, let's say I have a running docker (or podman) container called "ubuntu". I grab the latest cntr executable from Github release and put it in $PWD. If I just run ./cntr attach ubuntu then I get the following error message:

failed to setup /.cntr, failed to create setcap executable, Failed set file capability CAP_SYS_CHROOT on /tmp/cntr.mgbBBp/cntr-exec, setxattr failed, EPERM: Operation not permitted

So I ran sudo setcap 'cap_setfcap=ep' ./cntr and then ./cntr attach ubuntu; the error message became:

cannot mount filesystem, Cannot raise file descriptor limit, EPERM: Operation not permitted

No problem, I ran sudo setcap 'cap_sys_admin=ep cap_sys_resource=ep cap_setfcap=ep' ./cntr and again ./cntr attach ubuntu; the error message became:

could not inherit environment variables of container, failed to open /proc/404977/environ, Permission denied (os error 13)

At this point, I lost the patience to try them out one by one, and just passed all Linux capabilities into the setcap command, and then ./cntr attach ubuntu ran successfully.

Sorry if it sounds dumb, but by "target namespace" do you mean the user namespace created by the target container? If that's the case, it looks like my ./cntr does not seem to inherit those capabilities properly...
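Added example, not code from cntr and not part of any comment above: a small Python script that decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status into capability names (these are the per-process sets that a process inherits from or carries into a namespace), reports which of a required list is missing from the effective set, and builds a single setcap argument from a list of capability names. That lets the set granted to the binary be checked and narrowed set by set instead of granting everything. The capability numbers are those of linux/capability.h (through CAP_CHECKPOINT_RESTORE, number 40); the sample status text is constructed for illustration, and the list of "required" names in the usage block is only an example input, not a statement of what cntr needs.

```python
#!/usr/bin/env python3
"""Decode the Cap* lines of /proc/<pid>/status and build a setcap argument.

Added example for this issue; not part of cntr. Capability numbers follow
linux/capability.h. SAMPLE_STATUS below is constructed, not captured.
"""
import re

# Index in this list == capability number from linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_NUMBER = {name: i for i, name in enumerate(CAP_NAMES)}

# The five capability sets printed by the kernel in /proc/<pid>/status.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_status_caps(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} parsed from status text."""
    caps = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def decode_mask(mask):
    """Names of the capabilities whose bit is set, lowest number first.

    Bits above the known table (a newer kernel) are reported as cap_<N>.
    """
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def encode_mask(names):
    """Inverse of decode_mask for known capability names (case-insensitive)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUMBER[name.lower()]
    return mask


def missing_caps(required, effective_mask):
    """Required capability names that are not present in the effective set."""
    return sorted(
        (n.lower() for n in required if not effective_mask & (1 << CAP_NUMBER[n.lower()])),
        key=CAP_NUMBER.__getitem__,
    )


def setcap_argument(names):
    """Text for `setcap`: each listed cap in the file's permitted+effective sets.

    Example result: 'cap_sys_admin,cap_sys_resource,cap_setfcap=ep'
    """
    ordered = sorted({n.lower() for n in names}, key=CAP_NUMBER.__getitem__)
    return ",".join(ordered) + "=ep"


# Constructed sample: an unprivileged shell (all sets empty except the
# bounding set, which here contains every capability up to number 40).
SAMPLE_STATUS = """\
Name:\tbash
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    import sys
    # Usage: decode_caps.py [/proc/<pid>/status]; without an argument the
    # constructed sample is decoded.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    sets = parse_status_caps(text)
    for field, mask in sets.items():
        print(f"{field}: {decode_mask(mask) or '(none)'}")
    # Example required list (illustrative input only, not cntr's real needs).
    wanted = ["cap_setfcap", "cap_sys_admin", "cap_sys_resource"]
    print("missing from CapEff:", missing_caps(wanted, sets.get("CapEff", 0)))
    print("setcap argument:", setcap_argument(wanted))
```

To compare what a process actually ended up with against what was granted to the binary, run it against /proc/<pid>/status of a running cntr (or of the shell it drops you into) and read the CapEff line; getcap on the executable shows the file sets the same way, and the setcap_argument output is accepted by setcap as a single argument in place of the space-separated form used in the comments above.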
