CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM
Since NSM v1.5, the CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as a hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)

Note: New images will NOT work on older NSM versions
zolug committed Aug 9, 2022
1 parent 195f88c commit 6292b15
Showing 3 changed files with 2 additions and 9 deletions.
4 changes: 1 addition & 3 deletions build/load-balancer/Dockerfile
@@ -33,9 +33,7 @@ RUN addgroup --gid $UID $USER \
WORKDIR $HOME
COPY --from=build /app/load-balancer .
COPY --from=lb-builder /bin/nfqlb /bin/nfqlb
# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
RUN setcap 'cap_net_admin,cap_dac_override+ep' ./load-balancer \
RUN setcap 'cap_net_admin+ep' ./load-balancer \
&& chown root:root /bin/nfqlb && setcap 'cap_net_admin,cap_ipc_lock,cap_ipc_owner+ep' /bin/nfqlb \
&& setcap 'cap_net_admin+ep' /usr/sbin/nft
USER ${UID}:${UID}
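Review bot: the new `RUN setcap 'cap_net_admin+ep' ./load-balancer` line silently encodes a minimum NSM version (the commit message says the image no longer works with NSM releases before v1.5), but nothing in the Dockerfile records that once the two explanatory comment lines are deleted; consider replacing them with a single comment such as `# requires NSM >= v1.5: nsm socket no longer needs cap_dac_override`, so that a later permission-denied error on the hostPath socket is traced to a version mismatch rather than to the image. Dropping cap_dac_override is the right direction: it bypassed every discretionary file-permission check in the container, far more than write access to one socket required, while cap_net_admin on ./load-balancer and the capability sets on /bin/nfqlb and /usr/sbin/nft are unchanged.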
4 changes: 1 addition & 3 deletions build/proxy/Dockerfile
@@ -28,8 +28,6 @@ RUN addgroup --gid $UID $USER \
&& chown -R :root "${HOME}" && chmod -R g+s=u "${HOME}"
WORKDIR $HOME
COPY --from=build /app/proxy .
# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
RUN setcap 'cap_net_admin,cap_dac_override+ep' ./proxy
RUN setcap 'cap_net_admin+ep' ./proxy
USER ${UID}:${UID}
CMD ["./proxy"]
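Review bot: with cap_dac_override gone, access to the hostPath nsm socket now depends entirely on the socket's file mode matching the UID selected by `USER ${UID}:${UID}`, which the Dockerfile cannot check at build time; a one-line comment above `RUN setcap 'cap_net_admin+ep' ./proxy` naming the NSM release that made this possible would help whoever debugs a permission-denied connect in a cluster still running an older NSM. The change itself matches the load-balancer hunk and leaves only cap_net_admin on the binary, which is the minimum the remaining line asks for.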
3 changes: 0 additions & 3 deletions build/tapa/Dockerfile
@@ -28,8 +28,5 @@ RUN addgroup --gid $UID $USER \
&& chown -R :root "${HOME}" && chmod -R g+s=u "${HOME}"
WORKDIR $HOME
COPY --from=build /app/tapa .
# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
RUN setcap 'cap_dac_override+ep' ./tapa
USER ${UID}:${UID}
CMD ["./tapa"]
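Review bot: removing `RUN setcap 'cap_dac_override+ep' ./tapa` leaves the TAPA binary with no file capabilities at all, the cleanest outcome of the three files; if setcap (libcap) was installed into this image only to run that line, the install step (outside this hunk) can be dropped as well to shrink the image, and, as in the other two Dockerfiles, a short comment recording the NSM >= v1.5 dependency would be a useful replacement for the two explanatory lines that were removed.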
