View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017573 | CentOS CI | general | public | 2020-07-07 17:08 | 2020-07-10 06:20 |
Reporter | jlebon | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Summary | 0017573: Need `CAP_SETFCAP` for service account `jenkins` in project `coreos-ci` | ||||
Description | In the move from the 3.6 cluster (which uses docker) to the 4.4 cluster (which uses cri-o), we lost the `CAP_SETFCAP` default capability. We need this in order to be able to install RPMs which use file caps, such as `iputils`. Otherwise, the install will fail with e.g.:

```
Installing : iputils-20190515-7.fc32.x86_64 421/496
Error unpacking rpm package iputils-20190515-7.fc32.x86_64
error: unpacking of archive failed on file /usr/bin/arping;5f048eb7: cpio: cap_set_file failed - Inappropriate ioctl for device
error: iputils-20190515-7.fc32.x86_64: install failed
```

The easy way to do this is to add it to the `anyuid` SCC:

```
defaultAddCapabilities:
- CAP_SETFCAP
```

Otherwise, to permit this solely for the `jenkins` SA, I think we'd have to create a new SCC instead and associate the `jenkins` SA with it. Note the bounding capabilities set will still prevent uid0 containers from getting any other caps via file caps, such as CAP_SYS_ADMIN. | ||||
Tags | No tags attached. | ||||
child of | 0017567 | resolved | siddharthvipul1 | Service account `jenkins` in project `coreos-ci` needs `anyuid` SCC |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-07-07 17:08 | jlebon | New Issue | |
2020-07-07 17:08 | jlebon | Status | new => assigned |
2020-07-09 05:01 | siddharthvipul1 | Relationship added | child of 0017567 |
2020-07-10 06:20 | siddharthvipul1 | Status | assigned => resolved |
2020-07-10 06:20 | siddharthvipul1 | Resolution | open => fixed |
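An added diagnostic, not part of the original ticket or of the CentOS CI configuration: it decodes the `Cap*` masks from `/proc/<pid>/status` to confirm whether a container process holds `CAP_SETFCAP` and whether its bounding set still excludes `CAP_SYS_ADMIN`, the two conditions the description relies on. The function names and the two status excerpts are constructed for illustration; the masks are sample values, not a statement of either runtime's defaults.

```python
import re

# Bit numbers from <linux/capability.h> (subset relevant to this ticket).
CAP_BITS = {"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3,
            "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7,
            "CAP_SETPCAP": 8, "CAP_NET_BIND_SERVICE": 10, "CAP_NET_RAW": 13,
            "CAP_SYS_CHROOT": 18, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27,
            "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31}

def parse_cap_sets(status_text):
    """Map CapInh/CapPrm/CapEff/CapBnd/CapAmb to integer masks."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def has_cap(mask, name):
    return bool((mask >> CAP_BITS[name]) & 1)

def check_file_caps(status_text):
    """Report the two properties the ticket depends on."""
    sets = parse_cap_sets(status_text)
    eff, bnd = sets["CapEff"], sets["CapBnd"]
    return {
        # Needed by rpm/cpio to call cap_set_file() while unpacking iputils.
        "can_set_file_caps": has_cap(eff, "CAP_SETFCAP"),
        # File caps can only grant what the bounding set contains.
        "sys_admin_reachable": has_cap(bnd, "CAP_SYS_ADMIN"),
        "bounding": sorted(n for n in CAP_BITS if has_cap(bnd, n)),
    }

def _sample(mask):
    """Constructed /proc/<pid>/status excerpt with the given mask."""
    body = "".join(f"{k}:\t{mask:016x}\n" for k in ("CapPrm", "CapEff", "CapBnd"))
    return ("Name:\trpm\nCapInh:\t0000000000000000\n" + body +
            "CapAmb:\t0000000000000000\n")

SAMPLE_WITHOUT_SETFCAP = _sample(0x5FB)       # constructed: bit 31 clear
SAMPLE_WITH_SETFCAP = _sample(0x800005FB)     # constructed: bit 31 set

if __name__ == "__main__":
    for label, text in (("without", SAMPLE_WITHOUT_SETFCAP),
                        ("with", SAMPLE_WITH_SETFCAP)):
        print(label, check_file_caps(text))
```

To check a live container instead of the samples, pass the contents of `/proc/self/status` read inside it to `check_file_caps`.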