
ERROR: missing CAP_SYS_ADMIN via docker-compose #80

Open
MichaelAntonFischer opened this issue Mar 10, 2023 · 7 comments

Comments

@MichaelAntonFischer

Tried to run the container via your example docker-compose.yml, but get below error:

==================================================================
SETTING UP ...

/usr/local/bin/entrypoint.sh: line 276: capsh: command not found
---->
----> ERROR: missing CAP_SYS_ADMIN. be sure to run this image with --cap-add SYS_ADMIN or --privileged
---->

Also tried making the container privileged and verified it is privileged, but same error.

@MichaelAntonFischer
Author

Update:

Managed to get it to work with docker run instead of compose, now I get:

  STARTING SERVICES ...

==================================================================
mount: mounting rpc_pipefs on /var/lib/nfs/rpc_pipefs failed: Permission denied
---->
----> ERROR: unable to mount rpc_pipefs filesystem onto /var/lib/nfs/rpc_pipefs
---->

@MichaelAntonFischer
Author

Checking the references, this error seems to also be due to CAP_NET_ADMIN missing, even though Docker tells me my container has it set... could there be any reason why docker cannot set NET_ADMIN?

@xZero707

xZero707 commented Mar 28, 2023

Duplicate of #66

Please take a look at PR #67 for the solution (unmerged).

@MichaelAntonFischer
Author

No, sorry, it's not a duplicate. Tried your repository; running via docker-compose I still get the error, with both cap_add and privileged: true.

xZero707 added a commit to N0rthernL1ghts/docker-nfs-server that referenced this issue Apr 4, 2023
In Alpine 3.17, capsh is provided by package libcap-utils, so installing nfs-utils alone is not enough
@xZero707

xZero707 commented Apr 4, 2023

You are correct. My bad. Fixed here.

@rivaros

rivaros commented Sep 30, 2023

@xZero707 that would still not work with --privileged on M1 silicon, though it works with --cap-add SYS_ADMIN.

capsh --print output with --privileged:

CAPABILITIES
Current: =ep cap_perfmon,cap_bpf,cap_checkpoint_restore-ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Ambient set =
Current IAB: !cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Guessed mode: HYBRID (4)

capsh --print output with --cap-add SYS_ADMIN:

CAPABILITIES
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Guessed mode: HYBRID (4)

capsh --print output without anything:

CAPABILITIES
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Guessed mode: HYBRID (4)

@rivaros

rivaros commented Sep 30, 2023

=ep means it has all capabilities from the Bounding set (that's where cap_sys_admin is).
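
As an added example, not code from the docker-nfs-server project or from anyone in this thread: a shell script that (a) interprets the capsh --print "Current:" lines quoted above, including the bare "=ep" shorthand that rivaros explains (everything in the bounding set is effective, minus whatever a following "...-ep" clause removes), and (b) decodes the CapEff bitmask from /proc/<pid>/status, so a container can verify it holds CAP_SYS_ADMIN even when the capsh binary is absent, which was the actual failure in the first report. The function names, the --self flag and the sample CapEff masks in the comments are my own; the bit numbers follow <linux/capability.h>.

```shell
#!/usr/bin/env bash
# Added example, not part of the docker-nfs-server project. Two ways to answer
# "does this container really hold CAP_SYS_ADMIN?":
#   capsh_has_effective  interprets a capsh --print "Current:" line, including
#                        the "=ep" shorthand from the --privileged output above
#                        (an empty list before '=' means every capability in
#                        the bounding set; a later "...-ep" clause removes some);
#   capeff_has           decodes the CapEff bitmask from /proc/<pid>/status, so
#                        the check works even when the capsh binary is missing.
# Bit numbers follow <linux/capability.h>; function names and the --self flag are mine.

# Capability names in bit order: index 0 is cap_chown, index 40 is cap_checkpoint_restore.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin \
cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf \
cap_checkpoint_restore"

# cap_bit NAME: print the bit index of a capability name; exit 1 if unknown.
cap_bit() {
  local i=0 n
  for n in $CAP_NAMES; do
    if [ "$n" = "$1" ]; then echo "$i"; return 0; fi
    i=$((i + 1))
  done
  return 1
}

# capeff_has NAME HEXMASK: true if the bit for NAME is set in a CapEff value.
# Sample mask (constructed for this example): 00000000a80425fb is the default
# Docker set, the same set as the third capsh output in the thread.
capeff_has() {
  local bit
  bit=$(cap_bit "$1") || return 2
  [ $(( (0x$2 >> bit) & 1 )) -eq 1 ]
}

# capsh_has_effective NAME "Current: ...": true if NAME carries the 'e'
# (effective) flag in a capsh --print Current line. capsh prints clauses of the
# form <cap,list><op><flags> with op one of = + -; capsh's own output is
# canonical (one '=' clause, then at most '-' clauses), which is all this parses.
capsh_has_effective() {
  local want="$1" line="${2#Current:}" clause flags rest op all=0 have="" dropped=""
  for clause in $line; do
    flags="${clause##*[=+-]}"        # e.g. "ep"
    rest="${clause%[=+-]*}"          # cap list, empty for the bare "=ep" form
    op="${clause#"$rest"}"; op="${op%"$flags"}"
    case "$flags" in *e*) ;; *) continue ;; esac   # only the effective flag matters
    case "$op" in
      =) if [ -z "$rest" ]; then all=1; have=""; else all=0; have=",$rest,"; fi ;;
      +) have="$have,$rest," ;;
      -) dropped="$dropped,$rest," ;;
    esac
  done
  case "$dropped" in *",$want,"*) return 1 ;; esac
  if [ "$all" -eq 1 ]; then return 0; fi
  case "$have" in *",$want,"*) return 0 ;; esac
  return 1
}

# check_self NAME...: read this shell's own CapEff and verify each capability;
# a drop-in for an entrypoint check that must not depend on capsh being installed.
check_self() {
  local mask cap
  mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status) || return 2
  for cap in "$@"; do
    if capeff_has "$cap" "$mask"; then
      echo "ok: $cap is effective (CapEff=$mask)"
    else
      echo "----> ERROR: missing $cap (CapEff=$mask)"; return 1
    fi
  done
}

# Usage inside a container:  bash capcheck.sh --self cap_sys_admin cap_net_admin
if [ "${1:-}" = "--self" ]; then shift; check_self "$@"; fi
```

Run with `--self` inside the container to get a pass/fail line per capability; `--cap-add SYS_ADMIN` flips bit 21 of CapEff (mask a80425fb becomes a82425fb), and a `--privileged` container shows a full mask, which is the same fact the "=ep" line above expresses in capsh's notation. Reading CapEff directly avoids the "capsh: command not found" failure from the first report, where the check itself was missing rather than the capability.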
