Switch to github.com/moby/sys/capability#777
Merged
cyphar merged 1 commit intoopencontainers:masterfrom May 23, 2025
Merged
Conversation
This was referenced Sep 25, 2024
Member
|
@kolyshkin looks like you need to fix vendoring; |
Open
Member
|
@kolyshkin gentle nudge 😄 |
Contributor
Author
|
@thaJeztah @cyphar sorry for the delay; this is now ready |
This was referenced Mar 1, 2025
kolyshkin
added a commit
to kolyshkin/canonical-lxd
that referenced
this pull request
Mar 1, 2025
The github.com/moby/sys/capability package is a fork of the original one, which is apparently no longer maintained. For changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md (The indirect dependency still remains because of runtime-tools; this is being fixed in opencontainers/runtime-tools#777). Signed-off-by: Kir Kolyshkin <[email protected]>
This was referenced Mar 1, 2025
Member
No strong opinions; I know Moby has dropped support for RHEL6 a long time ago, and I'm not sure if anyone would still be depending on this (I highly doubt other runtimes would still take RHEL6 into account). |
Member
|
@kolyshkin this needs another rebase 🙈 |
kolyshkin
added a commit
to kolyshkin/canonical-lxd
that referenced
this pull request
Mar 9, 2025
The github.com/moby/sys/capability package is a fork of the original one, which is apparently no longer maintained. For changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md (The indirect dependency still remains because of runtime-tools; this is being fixed in opencontainers/runtime-tools#777). Signed-off-by: Kir Kolyshkin <[email protected]>
The github.com/moby/sys/capability package is a fork of the original
one, which apparently is no longer maintained.
Also, bump Go to 1.21 as this is a minimally supported version for
github.com/moby/sys/capability, and update CI accordingly.
Note that "workaround for RHEL6" is removed for a number of reasons.
Feel free to choose the one you like the most, either is sufficient:
1. /proc/sys/kernel/cap_last_cap is available since RHEL 6.7
(kernel 2.6.32-573.el6), released 9 years ago (2015-07-22).
2. It incorrectly returns CAP_BLOCK_SUSPEND (36), which was only added
in kernel v3.5 and was never backported to RHEL6 kernels. The
correct value for RHEL6 would be CAP_MAC_ADMIN (33).
3. As far as upstream kernels go, /proc/sys/kernel/cap_last_cap was
added in kernel v3.2, and a correct value depends on the kernel
version. It could be CAP_WAKE_ALARM (35), added to kernel v3.0, or
CAP_SYSLOG (34), added to kernel v2.6.38, or possibly a lesser value
for even older kernels.
Signed-off-by: Kir Kolyshkin <[email protected]>
Contributor
Author
|
Rebased |
Contributor
Author
I just did a detailed writeup on this because removing a hack always looks suspicious and raises some questions (and so I'm answering those in advance). I'm 100% sure this is no longer needed (even for RHEL6). |
Contributor
|
LGTM |
mihalicyn
pushed a commit
to kolyshkin/canonical-lxd
that referenced
this pull request
Mar 17, 2025
The github.com/moby/sys/capability package is a fork of the original one, which is apparently no longer maintained. For changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md (The indirect dependency still remains because of runtime-tools; this is being fixed in opencontainers/runtime-tools#777). Signed-off-by: Kir Kolyshkin <[email protected]> GPG signed by Alexander Mikhalitsyn Signed-off-by: Alexander Mikhalitsyn <[email protected]>
tomponline
added a commit
to canonical/lxd
that referenced
this pull request
Mar 17, 2025
The github.com/moby/sys/capability package is a fork of the original one, which is apparently no longer maintained. For changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md (The indirect dependency still remains because of runtime-tools; this is being fixed in opencontainers/runtime-tools#777). Related to: moby/sys#183
tomponline
pushed a commit
to tomponline/lxd
that referenced
this pull request
Apr 15, 2025
The github.com/moby/sys/capability package is a fork of the original one, which is apparently no longer maintained. For changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md (The indirect dependency still remains because of runtime-tools; this is being fixed in opencontainers/runtime-tools#777). Signed-off-by: Kir Kolyshkin <[email protected]> GPG signed by Alexander Mikhalitsyn Signed-off-by: Alexander Mikhalitsyn <[email protected]> (cherry picked from commit 1f4af84)
cyphar
approved these changes
May 23, 2025
Member
|
Lucky number 777 😸 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently a draft pending #776 merge.The github.com/moby/sys/capability package is a fork of the original
one, which is apparently no longer maintained.
For changes since the fork took place, see
https://github.com/moby/sys/blob/main/capability/CHANGELOG.md
Related to: moby/sys#183
Also, bump Go to 1.21 as this is a minimally supported version for
github.com/moby/sys/capability, and update CI accordingly.
Note that "workaround for RHEL6" is removed for a number of reasons.
Feel free to choose the one you like the most, either is sufficient:
/proc/sys/kernel/cap_last_cap is available since RHEL 6.7
(kernel 2.6.32-573.el6), released 9 years ago (2015-07-22).
It incorrectly returns CAP_BLOCK_SUSPEND (36), which was only added
in kernel v3.5 and was never backported to RHEL6 kernels. The
correct value for RHEL6 would be CAP_MAC_ADMIN (33).
As far as upstream kernels go, /proc/sys/kernel/cap_last_cap was
added in kernel v3.2, and a correct value depends on the kernel
version. It could be CAP_WAKE_ALARM (35), added to kernel v3.0, or
CAP_SYSLOG (34), added to kernel v2.6.38, or possibly a lesser value
for even older kernels.