View Issue Details

ID: 0017573
Project: CentOS CI
Category: [All Projects] general
View Status: public
Last Update: 2020-07-10 06:20
Reporter: jlebon
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Summary: 0017573: Need `CAP_SETFCAP` for service account `jenkins` in project `coreos-ci`
Description: In the move from the 3.6 cluster (which uses docker) to the 4.4 cluster (which uses cri-o), we lost the `CAP_SETFCAP` default capability.
We need this in order to be able to install RPMs which use file caps, such as `iputils`. Otherwise, the install will fail with e.g.:

```
  Installing : iputils-20190515-7.fc32.x86_64 421/496
Error unpacking rpm package iputils-20190515-7.fc32.x86_64
error: unpacking of archive failed on file /usr/bin/arping;5f048eb7: cpio: cap_set_file failed - Inappropriate ioctl for device
error: iputils-20190515-7.fc32.x86_64: install failed
```

The easy way to do this is to add it to the `anyuid` SCC:

```yaml
defaultAddCapabilities:
  - CAP_SETFCAP
```

Otherwise, to permit this solely for the `jenkins` SA, I think we'd have to create a new SCC instead and associate the `jenkins` SA with it.

Note the bounding capabilities set will still prevent uid0 containers from getting any other caps via file caps, such as CAP_SYS_ADMIN.
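The narrower option the report mentions (a dedicated SCC for the `jenkins` SA rather than widening `anyuid`), worked through as an added example that is mine and not from the issue or CentOS CI's configuration. The namespace `coreos-ci` and the service account `jenkins` come from the issue; the SCC name `coreos-ci-setfcap`, the manifest layout and the script's `apply`/`check` modes are my assumptions. The second half is the check a defender runs inside the pod afterwards: it decodes the `CapBnd`/`CapEff` masks from `/proc/<pid>/status` (CAP_SETFCAP is capability 31 in `linux/capability.h`) to confirm the SCC actually took effect under cri-o.

```shell
#!/usr/bin/env bash
# Added example, not part of the original issue or of CentOS CI's own config.
# Assumed: OpenShift 4.x with the `oc` CLI. Namespace `coreos-ci` and SA
# `jenkins` are from the issue; the SCC name `coreos-ci-setfcap` and the
# manifest layout are my assumptions.

# Dedicated SCC for the jenkins SA: anyuid-like settings plus SETFCAP, so the
# shared `anyuid` SCC is not widened for every other tenant of the cluster.
# Kubernetes/OpenShift spell capability names without the CAP_ prefix.
scc_manifest() {
  cat <<'EOF'
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: coreos-ci-setfcap   # assumed name
priority: 11               # higher than anyuid (10), so it is preferred
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
defaultAddCapabilities:
  - SETFCAP
requiredDropCapabilities:
  - MKNOD
users:
  - system:serviceaccount:coreos-ci:jenkins
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
EOF
}

# CAP_SETFCAP is capability number 31 (linux/capability.h), i.e. bit 31 of the
# CapBnd/CapEff hex masks shown in /proc/<pid>/status.
CAP_SETFCAP_BIT=31

# cap_field NAME [STATUS_FILE]: print the hex mask for CapBnd, CapEff, ...
cap_field() {
  awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# has_cap MASK BIT: succeed if capability BIT is set in the hex MASK.
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# verify_setfcap [STATUS_FILE]: run inside the jenkins pod (or against a saved
# status file). SETFCAP must be in the bounding set, and for a uid 0 process
# also in the effective set; returns 0 only when both hold.
verify_setfcap() {
  local status="${1:-/proc/self/status}" ok=0 bnd eff
  bnd=$(cap_field CapBnd "$status")
  eff=$(cap_field CapEff "$status")
  if has_cap "$bnd" "$CAP_SETFCAP_BIT"; then
    echo "CapBnd $bnd: SETFCAP present"
  else
    echo "CapBnd $bnd: SETFCAP missing (rpm cap_set_file will fail)"; ok=1
  fi
  if has_cap "$eff" "$CAP_SETFCAP_BIT"; then
    echo "CapEff $eff: SETFCAP present"
  else
    echo "CapEff $eff: SETFCAP missing"; ok=1
  fi
  return $ok
}

case "${1:-}" in
  apply) scc_manifest | oc apply -f - ;;   # needs cluster-admin
  check) verify_setfcap ;;                 # run inside the pod
esac
```

`apply` creates the SCC with cluster-admin rights; `check` is run from a shell in a `jenkins` pod and reads the pod's own `/proc/self/status`. The SCC keeps `anyuid`'s `MKNOD` drop and adds only `SETFCAP`, which is what the remark above about the bounding set relies on: file capabilities on installed binaries can only grant what is already in `CapBnd`.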
Tags: No tags attached.

Relationships

child of 0017567 (resolved, siddharthvipul1): Service account `jenkins` in project `coreos-ci` needs `anyuid` SCC

Activities

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2020-07-07 17:08 | jlebon | New Issue |
2020-07-07 17:08 | jlebon | Status | new => assigned
2020-07-09 05:01 | siddharthvipul1 | Relationship added | child of 0017567
2020-07-10 06:20 | siddharthvipul1 | Status | assigned => resolved
2020-07-10 06:20 | siddharthvipul1 | Resolution | open => fixed