NotificationsYou must be signed in to change notification settings
Fork913
Star10.1k

Commitf2f0237

authored

fix(agent/agentcontainers): remove cap net admin from dev container agent executable (#18327)

1 parentae3882a commitf2f0237Copy full SHA for f2f0237

File tree

2 files changed

+11

-12

lines changed

agent/agentcontainers
- api.go
- api_test.go

2 files changed

+11

-12

lines changed

`‎agent/agentcontainers/api.go`

Lines changed: 11 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1062,20 +1062,23 @@ func (api *API) injectSubAgentIntoContainerLocked(ctx context.Context, dc coders`
`1062`	`1062`
`1063`	`1063`	`logger.Info(ctx,"copied agent binary to container")`
`1064`	`1064`
`1065`		`-// Make sure the agent binary is executable so we can run it.`
	`1065`	`+// Make sure the agent binary is executable so we can run it (the`
	`1066`	`+// user doesn't matter since we're making it executable for all).`
`1066`	`1067`	`if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","chmod","0755",path.Dir(coderPathInsideContainer),coderPathInsideContainer);err!=nil {`
`1067`	`1068`	`returnxerrors.Errorf("set agent binary executable: %w",err)`
`1068`	`1069`	`}`
`1069`		`-// Set the owner of the agent binary to root:root (UID 0, GID 0).`
`1070`		`-if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","chown","0:0",path.Dir(coderPathInsideContainer),coderPathInsideContainer);err!=nil {`
`1071`		`-returnxerrors.Errorf("set agent binary owner: %w",err)`
`1072`		`-}`
`1073`	`1070`
`1074`	`1071`	`// Attempt to add CAP_NET_ADMIN to the binary to improve network`
`1075`	`1072`	// performance (optional, allow to fail). See `bootstrap_linux.sh`.
`1076`		`-if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","setcap","cap_net_admin+ep",coderPathInsideContainer);err!=nil {`
`1077`		`-logger.Warn(ctx,"set CAP_NET_ADMIN on agent binary failed",slog.Error(err))`
`1078`		`-}`
	`1073`	`+// TODO(mafredri): Disable for now until we can figure out why this`
	`1074`	`+// causes the following error on some images:`
	`1075`	`+//`
	`1076`	`+//Image: mcr.microsoft.com/devcontainers/base:ubuntu`
	`1077`	`+// Error: /.coder-agent/coder: Operation not permitted`
	`1078`	`+//`
	`1079`	`+// if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {`
	`1080`	`+// logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))`
	`1081`	`+// }`
`1079`	`1082`
`1080`	`1083`	// Detect workspace folder by executing `pwd` in the container.
`1081`	`1084`	`// NOTE(mafredri): This is a quick and dirty way to detect the`

`‎agent/agentcontainers/api_test.go`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1276,8 +1276,6 @@ func TestAPI(t *testing.T) {`
`1276`	`1276`	`mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","mkdir","-p","/.coder-agent").Return(nil,nil),`
`1277`	`1277`	`mCCLI.EXPECT().Copy(gomock.Any(),"test-container-id",coderBin,"/.coder-agent/coder").Return(nil),`
`1278`	`1278`	`mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chmod","0755","/.coder-agent","/.coder-agent/coder").Return(nil,nil),`
`1279`		`-mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chown","0:0","/.coder-agent","/.coder-agent/coder").Return(nil,nil),`
`1280`		`-mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","setcap","cap_net_admin+ep","/.coder-agent/coder").Return(nil,nil),`
`1281`	`1279`	`)`
`1282`	`1280`
`1283`	`1281`	`mClock.Set(time.Now()).MustWait(ctx)`
`@@ -1333,8 +1331,6 @@ func TestAPI(t *testing.T) {`
`1333`	`1331`	`mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","mkdir","-p","/.coder-agent").Return(nil,nil),`
`1334`	`1332`	`mCCLI.EXPECT().Copy(gomock.Any(),"test-container-id",coderBin,"/.coder-agent/coder").Return(nil),`
`1335`	`1333`	`mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chmod","0755","/.coder-agent","/.coder-agent/coder").Return(nil,nil),`
`1336`		`-mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chown","0:0","/.coder-agent","/.coder-agent/coder").Return(nil,nil),`
`1337`		`-mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","setcap","cap_net_admin+ep","/.coder-agent/coder").Return(nil,nil),`
`1338`	`1334`	`)`
`1339`	`1335`
`1340`	`1336`	`// Terminate the agent and verify it is deleted.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf2f0237

File tree

2 files changed

2 files changed

`‎agent/agentcontainers/api.go`

`‎agent/agentcontainers/api_test.go`

0 commit comments