moby: capset() might randomly fail with -EPERM

Given how you don’t like me opening bugs against docker running on ARM I test the stuff on x86_64 now 😄

Freshly built 0.9.0 sometimes fails to start a container with: “finalize namespace drop capabilities operation not permitted”.

Containers: 4
Images: 64
Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 72
Debug mode (server): true
Debug mode (client): false
Fds: 26
Goroutines: 30
Execution Driver: native-0.1
EventsListeners: 0
Kernel Version: 3.13.6-1-VF
Init SHA1: cfb0f0d26cdabf83f312543e21f8a529253bd4e6
Init Path: /usr/lib/docker/dockerinit
WARNING: No swap limit support

About this issue

  • Original URL
  • State: closed
  • Created 10 years ago
  • Comments: 63 (34 by maintainers)

Most upvoted comments

I’m still experimenting with that, but wrapping capsh around the actual payload should be ok. That doesn’t solve the problem with broken Dockerfiles’ RUN though.

+1
farcaller on Jun 5, 2014
Read more comments on GitHub
← moby: cap_set_file not permitted on aufs storage driver only
moby: cbfs driver causes 'hcsshim::PrepareLayer - failed failed in Win32: Incorrect function. (0x1)' →