
File capabilities (xattrs) are not preserved in final ROCK image layers.


Metadata

Project: rockcraft
Number: #683
Type: issue
State: open
Author: aznashwan
Labels:
Created: 2024-08-27 09:22:53+00:00
Updated: 2024-08-27 14:30:34+00:00
Closed:

Issue body

### Bug Description

File capabilities set via xattrs on files during ROCK build time are not preserved in the final ROCK image.

There are numerous examples of OCI images which are run as a non-root user but require root-like capabilities, such as binding port numbers under 1024 with `cap_net_bind_service` (e.g. the [Nginx Ingress Controller image, which runs as `www-data`](https://github.com/kubernetes/ingress-nginx/blob/controller-v1.11.0/rootfs/Dockerfile#L71-L80)).

### To Reproduce

Build the below-listed `rockcraft.yaml` sample and check the caps on the final file as follows:

```bash
cd /path/to/rockfile/dir

# Build and upload the rock:
rockcraft --verbose --debug pack
rockcraft.skopeo --insecure-policy copy oci-archive:caps-test-rock_v1.0.0_amd64.rock docker-daemon:caps-test-rock:v1.0.0

# NOTE: `-v` makes `setcap` check the given caps are present on the file:
docker run --entrypoint setcap caps-test-rock:v1.0.0 -v cap_net_bind_service=+ep /example.sh
# /example.sh differs in [pe]
# $? = 1
```

### Environment

- Host: Ubuntu 22.04 on x86_64 VM on VMWare
- Rockcraft: 1.5.3 installed via `snap`
- Docker: 24.0.7-0ubuntu2~22.04.1 amd64 installed via `apt`

### rockcraft.yaml

```yaml
name: caps-test-rock
summary: Test image to showcase snap caps preservation issues.
description: Test image to showcase snap caps preservation issues.
version: v1.0.0
license: Apache-2.0
base: ubuntu@22.04
build-base: ubuntu@22.04

platforms:
  amd64:
  # arm64:

services:
  sleep:
    command: sleep inf
    override: replace
    startup: enabled

parts:
  setup:
    plugin: nil
    build-packages:
      - libcap2-bin
    stage-packages:
      - libcap2-bin
      - coreutils
    override-build: |
      set -eux
      echo -e "#!/bin/bash\necho Hello!" > $CRAFT_PART_INSTALL/example.sh
      setcap cap_net_bind_service=+ep $CRAFT_PART_INSTALL/example.sh
      # NOTE: `-v` makes `setcap` check the given caps are present on the file
      # and will exit non-zero if it doesn't, so the caps are set during build:
      setcap -v cap_net_bind_service=+ep $CRAFT_PART_INSTALL/example.sh
```

### Relevant log output

```shell
No relevant logs to share...
```
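The `setcap -v` check above only runs once the image has been loaded into a daemon. The same question (did the `security.capability` xattr survive into the layer?) can be answered offline by reading the layer tarball, which is also how an image audit would look for unexpected file capabilities. The following script is an added example, not code from the issue or from the rockcraft project. It relies on two facts about how tar writers record xattrs: Go's `archive/tar` (used by docker, containerd and skopeo) stores them as raw bytes in PAX records named `SCHILY.xattr.<name>`, and libarchive-based tools use `LIBARCHIVE.xattr.<name>` with a base64-encoded value. It decodes the kernel's `vfs_cap_data` structure (revisions 1, 2 and 3) and reports the permitted and effective sets per file. All function names are this example's own, and the sample layer it inspects is constructed in memory to mirror the `example.sh` from the reproduction.

```python
import base64
import io
import struct
import tarfile
from typing import Dict, Optional

CAP_NET_BIND_SERVICE = 10          # capability number from <linux/capability.h>

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000    # 32-bit masks, 12-byte value
VFS_CAP_REVISION_2 = 0x02000000    # 64-bit masks, 20-byte value
VFS_CAP_REVISION_3 = 0x03000000    # v2 plus a rootid for user namespaces, 24-byte value
VFS_CAP_FLAGS_EFFECTIVE = 0x1      # "every permitted cap is also effective" (the 'e' in +ep)

# Go's archive/tar (docker, containerd, skopeo) keeps xattrs as raw bytes under
# SCHILY.xattr.<name>; libarchive-based tools use LIBARCHIVE.xattr.<name>, base64-encoded.
PAX_SCHILY = "SCHILY.xattr.security.capability"
PAX_LIBARCHIVE = "LIBARCHIVE.xattr.security.capability"


def decode_vfs_cap(raw: bytes) -> Dict[str, int]:
    """Decode a raw security.capability value (the kernel's struct vfs_cap_data)."""
    if len(raw) < 12:
        raise ValueError("security.capability value too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    rootid = 0
    if revision == VFS_CAP_REVISION_1:
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        if len(raw) < 20:
            raise ValueError("truncated v2/v3 security.capability value")
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        permitted = p_lo | (p_hi << 32)
        inheritable = i_lo | (i_hi << 32)
        if revision == VFS_CAP_REVISION_3:
            (rootid,) = struct.unpack_from("<I", raw, 20)
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    effective = permitted if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    return {"revision": revision >> 24, "permitted": permitted,
            "inheritable": inheritable, "effective": effective, "rootid": rootid}


def encode_vfs_cap_v2(permitted: int, inheritable: int, effective: bool) -> bytes:
    """Build a v2 security.capability value; used here only to construct sample data."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def cap_is_effective(sets: Dict[str, int], cap: int) -> bool:
    """True when `cap` is in both the permitted and effective sets (setcap's '+ep')."""
    mask = 1 << cap
    return bool(sets["permitted"] & mask) and bool(sets["effective"] & mask)


def xattr_from_pax(pax_headers: Dict[str, str]) -> Optional[bytes]:
    """Return the raw security.capability bytes recorded for one tar member, if any."""
    if PAX_SCHILY in pax_headers:
        # tarfile hands raw PAX values back as str via surrogateescape; reverse that.
        return pax_headers[PAX_SCHILY].encode("utf-8", "surrogateescape")
    if PAX_LIBARCHIVE in pax_headers:
        return base64.b64decode(pax_headers[PAX_LIBARCHIVE])
    return None


def list_file_caps(layer: bytes) -> Dict[str, Dict[str, int]]:
    """Map each path in a (plain or gzip-compressed) layer tar to its decoded file caps."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tf:
        for member in tf:
            raw = xattr_from_pax(member.pax_headers)
            if raw is not None:
                found[member.name] = decode_vfs_cap(raw)
    return found


def check_layer(layer: bytes, path: str, cap: int = CAP_NET_BIND_SERVICE) -> bool:
    """Offline equivalent of `setcap -v cap=+ep path`: does the layer carry the cap?"""
    sets = list_file_caps(layer).get(path)
    return sets is not None and cap_is_effective(sets, cap)


def build_sample_layer() -> bytes:
    """Constructed sample layer: example.sh with cap_net_bind_service=+ep, plain.sh without."""
    body = b"#!/bin/bash\necho Hello!\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, caps in (("example.sh", 1 << CAP_NET_BIND_SERVICE), ("plain.sh", 0)):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), 0o755
            if caps:
                value = encode_vfs_cap_v2(caps, 0, effective=True)
                info.pax_headers[PAX_SCHILY] = value.decode("utf-8", "surrogateescape")
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_layer()
    for path, sets in list_file_caps(sample).items():
        print(f"{path}: permitted=0x{sets['permitted']:x} effective=0x{sets['effective']:x}")
    print("example.sh carries cap_net_bind_service=+ep:", check_layer(sample, "example.sh"))
```

To run this against a real `.rock`, untar the oci-archive, follow `index.json` to the manifest, and pass each layer blob from `blobs/sha256/` to `list_file_caps` (gzip-compressed blobs are handled by the `r:*` mode). A path that `setcap -v` reported during `override-build` but that is absent from every layer's output shows the xattr was dropped while the layer was written rather than at container start; a path that turns up with caps you did not set is the finding an image audit is looking for.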
