tripleo

podman --cap-add --cap-drop ordering

Bug #1880212 reported by Grzegorz Grasza on 2020-05-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Invalid	Medium	Unassigned	tripleo victoria-1 "tripleo victoria"

Bug Description

Description
===========

podman_container.py ansible module (tripleo-ansible) is mixing up the ordering of arguments that are provided in yaml format.

The commonly recommended usage of the --cap-add and --cap-drop options for podman (or docker) is to first drop all capabilities with --cap-drop=all, then add those that are required with a series of --cap-add=<>

The ordering of those is important.

Steps to reproduce
==================

Run the following with "ansible-playbook logrotate_crond.yaml --check" on the undercloud

$ cat logrotate_crond.yaml
- hosts: localhost
  become: true
  tasks:
    - include_role:
        name: "{{ item }}"
      with_first_found:
        - "/usr/share/ansible/roles/tripleo_container_manage"
        - "/usr/share/ansible/roles/tripleo-container-manage"
      vars:
        tripleo_container_manage_systemd_order: true
        tripleo_container_manage_config_patterns: 'logrotate_crond.json'
        tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_4"
        tripleo_container_manage_config_id: "tripleo_step4"
        tripleo_container_manage_config_overrides:
          logrotate_crond:
            annotate: io.containers.trace-capabilities=true
            privileged: false
            cap_drop: all
            cap_add:
             - net_bind_service
             - setuid
             - setgid

(these are just random capabilities which will probably not work with this container)

Expected result
===============

The ordering of the arguments is preserved

Actual result
=============

--cap-drop=all ends up near the tail of the podman run command, whereas a series of --cap-add instructions are added near the head.

The ordering of cap_drop and cap_add can be switched in the yaml, which doesn't make any difference in the resulting podman run command.

Environment
===========

This was tested on train, but it will have the same result in master, since the implementation is the same.
$ git diff stable/train..master tripleo_ansible/ansible_plugins/modules/podman_container.py

Emilien Macchi (emilienm) on 2020-05-22

Changed in tripleo:
status:	New → Triaged
milestone:	none → victoria-1
importance:	Undecided → High
importance:	High → Medium

Revision history for this message

Sagi (Sergey) Shnaidman (sshnaidm) wrote on 2020-05-22:

It doesn't seems like order is important:

$ podman run --rm -it -d --name set1 --cap-add setuid --cap-add setgid --cap-drop all alpine sleep 1h
7348089e63cf0e1366aed71f5e15f429712095670afc74e9dd1bb9696999cfc8

$ podman run --rm -it -d --name set2 --cap-drop all --cap-add setuid --cap-add setgid alpine sleep 1h
cfcf0b6ca9ba589cb3a1734da6c6e5a69683ef85e991e91c101d1802fe2e371e

$ podman inspect set1 -f "{{ .EffectiveCaps }}"
[CAP_SETUID CAP_SETGID]

$ podman inspect set2 -f "{{ .EffectiveCaps }}"
[CAP_SETUID CAP_SETGID]

Sagi (Sergey) Shnaidman (sshnaidm) on 2020-05-22

Changed in tripleo:
status:	Triaged → Incomplete

Revision history for this message

Grzegorz Grasza (xek) wrote on 2020-05-25:

You're right, it looks like --cap-add all and --cap-drop all are special and they are applied before the other capabilities.

Changed in tripleo:
status:	Incomplete → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.