Skip to content

Commit

Permalink
✨Propagate capabilities to correct processes (#4225)
Browse files Browse the repository at this point in the history
  • Loading branch information
@GitHK
GitHK authored May 11, 2023
1 parent d9fd2da commit 75141d1
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 0 deletions.
3 changes: 3 additions & 0 deletions ...2/src/simcore_service_director_v2/modules/dynamic_sidecar/docker_service_specs/sidecar.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,9 @@ def get_dynamic_sidecar_spec(
"Hosts": [],
"Image": dynamic_sidecar_settings.DYNAMIC_SIDECAR_IMAGE,
"Init": True,
"CapabilityAdd": [
"CAP_LINUX_IMMUTABLE",
],
"Labels": {
# NOTE: these labels get on the tasks and that is also useful to trace
"user_id": f"{scheduler_data.user_id}",
Expand Down
1 change: 1 addition & 0 deletions ...ices/director-v2/tests/unit/with_dbs/test_modules_dynamic_sidecar_docker_service_specs.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,7 @@ def expected_dynamic_sidecar_spec(
"STORAGE_HOST": "storage",
"STORAGE_PORT": "8080",
},
"CapabilityAdd": ["CAP_LINUX_IMMUTABLE"],
"Hosts": [],
"Image": "local/dynamic-sidecar:MOCK",
"Init": True,
Expand Down
1 change: 1 addition & 0 deletions services/dynamic-sidecar/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ RUN --mount=type=cache,id=basecache,target=/var/cache/apt,mode=0755,sharing=loc
apt-get install -y --no-install-recommends\
curl \
gosu \
libcap2-bin \
ca-certificates \
# required by python-magic
libmagic1 \
Expand Down
8 changes: 8 additions & 0 deletions services/dynamic-sidecar/docker/entrypoint.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,4 +110,12 @@ echo " $SC_USER_NAME rights : $(id "$SC_USER_NAME")"
echo " local dir : $(ls -al)"
echo " volumes dir : $(ls -al "${DYNAMIC_SIDECAR_DY_VOLUMES_MOUNT_DIR}")"

echo "$INFO" "Available permissions"
capsh --print

PYTHON_BINARY=$(readlink --canonicalize $(which python))
echo "$INFO" "Granting ${PYTHON_BINARY} CAP_LINUX_IMMUTABLE"
setcap 'cap_linux_immutable+ep' "${PYTHON_BINARY}"
getcap "${PYTHON_BINARY}"

exec gosu "$SC_USER_NAME" "$@"

0 comments on commit 75141d1

Please sign in to comment.