Does crun really need CAP_SYS_RESOURCE #1388
Comments
dougsland added a commit to containers/qm that referenced this issue on Jan 17, 2024:

There are errors running podman (OCI permission denied) limiting the environment. Comment for now. See-Also: containers/crun#1388 Signed-off-by: Douglas Schilling Landgraf <[email protected]>
giuseppe added a commit to giuseppe/crun that referenced this issue on Jan 18, 2024:

Linux commit 3ac1f01b43b6e2759cc34d3a715ba5eed04c5805, present in Linux 5.11, changed the way memory for eBPF programs is accounted. They do not use rlimit-based memory accounting anymore, but memcg-based memory accounting. Closes: containers#1388 Signed-off-by: Giuseppe Scrivano <[email protected]>

opened a PR: #1391
This was referenced Jan 30, 2024
dougsland added a commit to containers/qm that referenced this issue on Jan 31, 2024:

Recently we commented DropCapability due to crun issue containers/crun#1388, which got resolved. Fixes: #335 Signed-off-by: Douglas Schilling Landgraf <[email protected]>
We've been trying to run containers in a subcontainer (qm) that has dropped the sys_resource capability, but we then get:
```
bash-5.1# podman run -ti localhost/auto-apps bash
Error: crun: setrlimit (RLIM_MEMLOCK): Operation not permitted: OCI permission denied
```

This seems to be from https://github.com/containers/crun/blob/14958f43c803aef3cd2f936e37cf404f6b9ebc64/src/libcrun/ebpf.c#L465C1-L470C67 which sets RLIMIT_MEMLOCK when it sets up the cgroupv2 version of device access.
Is this really needed?
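The situation in the report above and the reasoning in giuseppe's commit (Linux 5.11 moved eBPF memory accounting from RLIMIT_MEMLOCK to memcg) can be illustrated with a small C program. This is an added example, not crun's code and not the change made in PR #1391: it attempts the RLIMIT_MEMLOCK bump a runtime would do before loading a device-cgroup eBPF program, and when the bump is refused with EPERM (the expected result once CAP_SYS_RESOURCE has been dropped) it consults the running kernel version to decide whether the failure matters. The function names, the `major * 100 + minor` encoding and the return-value convention are assumptions made for this example.

```c
/* Added example (not crun's code): coping with a denied RLIMIT_MEMLOCK bump
 * when CAP_SYS_RESOURCE has been dropped. On Linux 5.11 and later, eBPF
 * memory is charged to memcg, so the bump is no longer needed there. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/utsname.h>

/* Encode "major.minor" of a release string such as "5.11.0-1-amd64" as
 * major * 100 + minor (assumed encoding); -1 if no two numbers are found. */
int kernel_release_code(const char *release)
{
    int major, minor;
    if (release == NULL || sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    return major * 100 + minor;
}

/* Linux 5.11 (the commit cited in the thread) switched eBPF memory
 * accounting from RLIMIT_MEMLOCK to memcg. */
int kernel_uses_memcg_bpf_accounting(int release_code)
{
    return release_code >= 511;
}

/* Classify a failed setrlimit(RLIMIT_MEMLOCK): EPERM is harmless on a kernel
 * that no longer charges eBPF objects to the memlock limit. Returns 1 if the
 * runtime can continue, 0 if the failure should be treated as fatal. */
int memlock_failure_is_harmless(int err, int release_code)
{
    return err == EPERM && kernel_uses_memcg_bpf_accounting(release_code);
}

/* Try to lift RLIMIT_MEMLOCK to unlimited before loading an eBPF program.
 * Returns 0 if the limit was raised, 1 if the refusal can be ignored,
 * -1 if it failed on a kernel that still accounts eBPF memory via rlimit. */
int bump_memlock_for_bpf(void)
{
    struct utsname uts;
    int code = uname(&uts) == 0 ? kernel_release_code(uts.release) : -1;
    struct rlimit lim = { RLIM_INFINITY, RLIM_INFINITY }; /* rlim_cur, rlim_max */

    /* Raising the hard limit requires CAP_SYS_RESOURCE; without it: EPERM. */
    if (setrlimit(RLIMIT_MEMLOCK, &lim) == 0)
        return 0;

    int err = errno;
    if (memlock_failure_is_harmless(err, code))
        return 1;
    fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK): %s\n", strerror(err));
    return -1;
}

int main(void)
{
    int rc = bump_memlock_for_bpf();
    if (rc == 0)
        puts("RLIMIT_MEMLOCK raised");
    else if (rc == 1)
        puts("RLIMIT_MEMLOCK bump refused, but the kernel uses memcg accounting: continuing");
    else
        puts("RLIMIT_MEMLOCK bump failed on a kernel that still needs it");
    return rc < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it inside a container that has dropped CAP_SYS_RESOURCE on a 5.11+ kernel and it reports the refused bump as harmless; on an older kernel the same EPERM is reported as a real failure, which is the distinction the reporter's environment needed the runtime to make.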