FS#74558 - [minio] optionally set capabilities for unprivileged containers

Attached to Project: Community Packages
Opened by Stuart Cardall (itoffshore) - Monday, 25 April 2022, 20:11 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Friday, 30 December 2022, 08:57 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Sven-Hendrik Haase (Svenstaro)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: Improvement: optionally set capabilities for unprivileged containers (in post-install)

Additional info:

When minio is run in an unprivileged LXD container, the following needs to be set to run
the service as the unprivileged minio user:

setcap cap_net_bind_service=+ep /usr/bin/minio

This could be set in a post-install script if a uid mapping is detected:
------------------------------------------------------------------------

#!/bin/sh
# First line of /proc/self/uid_map: <id inside ns> <id outside ns> <count>
# Bare metal (and privileged containers) show the identity map "0 0 4294967295";
# an unprivileged LXD container shows a shifted map such as "0 1000000 65536".
uid_map=$(head -n 1 /proc/self/uid_map)
ctr_uid=$(echo "$uid_map" | awk '{print $1}')
host_uid=$(echo "$uid_map" | awk '{print $2}')

if [ "$host_uid" -ne "$ctr_uid" ]; then
    setcap cap_net_bind_service=+ep /usr/bin/minio
fi

------------------------------------------------------------------------

I've attached a screenshot showing the uid_map of an Arch LXD container
& a bare metal Arch system.
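The detection above compares only the first line of the uid map. As an added example (not from this report and not part of the minio package), the script below generalises it: it treats the namespace as shifted if any line of a uid_map file maps an inside-namespace id to a different outside id (the file format is `<inside id> <outside id> <count>`, one range per line), separates the decision from the privileged action so the decision can be exercised against constructed uid_map files, and verifies the result with `getcap` when the capability is actually applied. The function names `uid_map_is_shifted`, `plan_bind_cap` and `apply_bind_cap`, and the `MINIO_CAP_APPLY` switch, are assumptions of this example. Note that a file capability applies to every invocation of the binary, not just the systemd service, which is the packaging-wide concern raised in the comments.

```shell
#!/bin/sh
# Added example, not the bug report's or the minio package's own code.
# Decide whether the current process runs in a user namespace with shifted ids
# by inspecting every line of a uid_map file (format: <inside> <outside> <count>).

# uid_map_is_shifted FILE
# Returns 0 (true) if any mapping line maps to a different id on the host,
# 1 (false) for an identity map (bare metal, privileged container) or a
# missing/unreadable file.
uid_map_is_shifted() {
    awk '
        NF >= 3 && $1 != $2 { shifted = 1 }
        END { if (shifted) exit 0; exit 1 }
    ' "$1" 2>/dev/null
}

# plan_bind_cap BINARY [UID_MAP_FILE]
# Prints the setcap command a post-install hook would run, or nothing when the
# namespace is an identity map. Only CAP_NET_BIND_SERVICE is granted so that the
# unprivileged service can bind ports below 1024 without any other privilege.
plan_bind_cap() {
    bin=$1
    map=${2:-/proc/self/uid_map}
    if uid_map_is_shifted "$map"; then
        printf 'setcap cap_net_bind_service=+ep %s\n' "$bin"
    fi
}

# apply_bind_cap BINARY [UID_MAP_FILE]
# Runs the planned command (requires root and libcap's setcap) and shows the
# resulting file capability so the change can be audited.
apply_bind_cap() {
    cmd=$(plan_bind_cap "$@")
    [ -n "$cmd" ] || return 0
    $cmd || return 1
    if command -v getcap >/dev/null 2>&1; then
        getcap "$1"
    fi
}

# Dry run by default: show what a hook would do on this host.
# Set MINIO_CAP_APPLY=1 to actually apply it (hypothetical switch for this example).
if [ "${MINIO_CAP_APPLY:-0}" = 1 ]; then
    apply_bind_cap /usr/bin/minio
else
    plan=$(plan_bind_cap /usr/bin/minio)
    printf 'post-install plan: %s\n' "${plan:-nothing to do (identity uid map)}"
fi
```

Run it without arguments to see the decision for the current host; inside an unprivileged LXD container the plan line names the setcap command, on bare metal it reports nothing to do.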



Closed by  Sven-Hendrik Haase (Svenstaro)
Friday, 30 December 2022, 08:57 GMT
Reason for closing:  No response
Additional comments about closing:  Feel free to request to reopen if there's still interest from your side. I want to make sure this change makes sense for the distribution but currently I don't really think this should be done in the suggested way.
Comment by Sven-Hendrik Haase (Svenstaro) - Sunday, 31 July 2022, 19:14 GMT
I don't really see a case here for changing the package for a fairly specific use case. This will likely also need to be done consistently for other packages. I think users for this case are better off changing it downstream where required.

I'll leave this open for discussion, maybe I'm misunderstanding something here.