kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity
moby--moby/oci
History
Sebastiaan van Stijn a38b96b8cd
Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE 
This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.

While these kernels support these capabilities, the current release of
runc ships with an older version of /gocapability/capability, and does
not know about them, causing an error to be produced.

We can remove this restriction once 6dfbe9b807
is included in a runc release and once we stop supporting containerd 1.3.x
(which ships with runc v1.0.0-rc92).

Thanks to Anca Iordache for reporting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 		2020-10-16 17:52:27 +02:00
..
caps Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE 2020-10-16 17:52:27 +02:00
fixtures oci: add tests for loading seccomp profiles 2020-09-29 20:15:43 +02:00
defaults.go Move DefaultCapabilities() to caps package 2019-11-14 21:13:16 +02:00
devices_linux.go vendor runc 67169a9d43456ff0d5ae12b967acb8e366e2f181 2020-07-30 16:16:11 +00:00
devices_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
namespaces.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci.go Capabilities refactor 2019-01-22 21:50:41 +02:00
seccomp_test.go oci: add tests for loading seccomp profiles 2020-09-29 20:15:43 +02:00