set file capabilities on some iptables executables #31207
Conversation
| @@ -70,6 +71,18 @@ pipeline: | |||
| install -D -m644 ebtables.confd "${{targets.destdir}}"/etc/conf.d/ebtables | |||
|
|
|||
| subpackages: | |||
| - name: iptables-privileged | |||
There was a problem hiding this comment.
the patch is in draft mode because we can discuss more on the package name here. I was thinking if we can name it as iptables-linkerd-compat similar to our bitnami variant of package where we name a package as *-bitnami-compat
Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
kranurag7
force-pushed
the
kr/iptables-linkerd
branch
from
91aedb8
to
af6dd6d
Compare
|
package update config check issue looks like one off and elastic build logs looks good from a quick skim. |
There was a problem hiding this comment.
I am not sure if it has to be a separate package or not.
If container is in a username space those capabilities will not grant anything.
If docker / containerd / k8s / bubble wrap / flat pack / nspawn gave the namespace network capability things will just work.
I will check what other things use, but it is safer to grant capability on select binaries, rather than all binaries in a container / whole container. Cause I would have hoped we can get away with creating duplicate package because of permission settings like this.
Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
these file capabilities are required by linkerd-proxy-init at runtime to run as non-root user with UID of 65532.