Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitf2f0237

Browse files
authored
fix(agent/agentcontainers): remove cap net admin from dev container agent executable (#18327)
1 parentae3882a commitf2f0237

File tree

2 files changed

+11
-12
lines changed

2 files changed

+11
-12
lines changed

‎agent/agentcontainers/api.go‎

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1062,20 +1062,23 @@ func (api *API) injectSubAgentIntoContainerLocked(ctx context.Context, dc coders
10621062

10631063
logger.Info(ctx,"copied agent binary to container")
10641064

1065-
// Make sure the agent binary is executable so we can run it.
1065+
// Make sure the agent binary is executable so we can run it (the
1066+
// user doesn't matter since we're making it executable for all).
10661067
if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","chmod","0755",path.Dir(coderPathInsideContainer),coderPathInsideContainer);err!=nil {
10671068
returnxerrors.Errorf("set agent binary executable: %w",err)
10681069
}
1069-
// Set the owner of the agent binary to root:root (UID 0, GID 0).
1070-
if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","chown","0:0",path.Dir(coderPathInsideContainer),coderPathInsideContainer);err!=nil {
1071-
returnxerrors.Errorf("set agent binary owner: %w",err)
1072-
}
10731070

10741071
// Attempt to add CAP_NET_ADMIN to the binary to improve network
10751072
// performance (optional, allow to fail). See `bootstrap_linux.sh`.
1076-
if_,err:=api.ccli.ExecAs(ctx,container.ID,"root","setcap","cap_net_admin+ep",coderPathInsideContainer);err!=nil {
1077-
logger.Warn(ctx,"set CAP_NET_ADMIN on agent binary failed",slog.Error(err))
1078-
}
1073+
// TODO(mafredri): Disable for now until we can figure out why this
1074+
// causes the following error on some images:
1075+
//
1076+
//Image: mcr.microsoft.com/devcontainers/base:ubuntu
1077+
// Error: /.coder-agent/coder: Operation not permitted
1078+
//
1079+
// if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {
1080+
// logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
1081+
// }
10791082

10801083
// Detect workspace folder by executing `pwd` in the container.
10811084
// NOTE(mafredri): This is a quick and dirty way to detect the

‎agent/agentcontainers/api_test.go‎

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1276,8 +1276,6 @@ func TestAPI(t *testing.T) {
12761276
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","mkdir","-p","/.coder-agent").Return(nil,nil),
12771277
mCCLI.EXPECT().Copy(gomock.Any(),"test-container-id",coderBin,"/.coder-agent/coder").Return(nil),
12781278
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chmod","0755","/.coder-agent","/.coder-agent/coder").Return(nil,nil),
1279-
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chown","0:0","/.coder-agent","/.coder-agent/coder").Return(nil,nil),
1280-
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","setcap","cap_net_admin+ep","/.coder-agent/coder").Return(nil,nil),
12811279
)
12821280

12831281
mClock.Set(time.Now()).MustWait(ctx)
@@ -1333,8 +1331,6 @@ func TestAPI(t *testing.T) {
13331331
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","mkdir","-p","/.coder-agent").Return(nil,nil),
13341332
mCCLI.EXPECT().Copy(gomock.Any(),"test-container-id",coderBin,"/.coder-agent/coder").Return(nil),
13351333
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chmod","0755","/.coder-agent","/.coder-agent/coder").Return(nil,nil),
1336-
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","chown","0:0","/.coder-agent","/.coder-agent/coder").Return(nil,nil),
1337-
mCCLI.EXPECT().ExecAs(gomock.Any(),"test-container-id","root","setcap","cap_net_admin+ep","/.coder-agent/coder").Return(nil,nil),
13381334
)
13391335

13401336
// Terminate the agent and verify it is deleted.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp