Add SETFCAP Linux capability for Kaniko buildstrategy

[zhangtbj]

We had a customer problem when build a source code repo from: https://github.com/nheidloff/code-with-quarkus/blob/master/src/main/docker/Dockerfile.multistage

This build fail at the step microdnf update:

It will fail at step-step-build-and-push step, and the final error is:

...
Cleanup: libgcc;8.3.1-4.5.el8;x86_64;installed
Updating: (null)
Updating: (null)
error: Error -1 running transaction
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1

Finally, I found the root cause. We didn't enable a Linux Capability setfcap in the Kaniko build strategy, without this permission, some system installations cannot work. I added it and test, the build works for me:

jordanzt@bogon:~/Works/workspaces/gopath/src/github.com/zhangtbj/code-with-quarkus$ kubectl get buildrun
NAME                 SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
microdnf-run-l7bpt   True        Succeeded   14m         12m

And the deployment which is based on this image also works fine, You can see my application screenshot below:

Here is the introduction about this setfcap Linux Capability:

       CAP_SETFCAP (since Linux 2.6.24)
              Set arbitrary capabilities on a file.

• In: https://man7.org/linux/man-pages/man7/capabilities.7.html

setfcap
Finally, the setfcap capability allows you to set file capabilities on a file system. Might be needed for doing installs during builds, but in production it should probably be dropped.

• In: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick

From the info, it is not very risky for us to enable this permission, it is just used to set file capabilities on a file system. And we also see some of the user cases are install something by using microdnf or apt-get, so it should be a valid scenario.

[adambkaplan]

Another capability to consider adding to Kaniko and Buildah by default is MKNOD. Some packages create device nodes during apt-get or dnf install.

See Sascha Grunert and Dan Walsh's talk from KubeCon EU 2020: https://youtu.be/RoiIx8mcECY?t=1479

[qu1queee]

good stuff @adambkaplan , i was looking for this type of information

[SaschaSchwarze0]

Another capability to consider adding to Kaniko and Buildah by default is MKNOD. Some packages create device nodes during apt-get or dnf install.

See Sascha Grunert and Dan Walsh's talk from KubeCon EU 2020: https://youtu.be/RoiIx8mcECY?t=1479

Good mention. Unfortunately, not very detailed information on what exactly fails. The interesting point imo now is whether the packages that need this capability during installation are relevant for a reasonable image build. Googling only pointed me to makedev, for example apt-get upgrade fails due to makedev errors #80 and makedev installation fails on Docker containers. But, it's always difficult to find information about capabilities that are given by default.

Other question: should we block this PR which is about SETFCAP to discuss other capabilities or should we separate it?

[SaschaSchwarze0]

Approving as discussed in October 5th, 2020 Community Meeting #418 .

/lgtm
/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SaschaSchwarze0

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SaschaSchwarze0]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment