
Running my app as below:

sudo rkt run --insecure-options=image --interactive --net=host ./myapp.aci

I get the message:

Failed to lock memory: cannot allocate memory

After some digging, this seems to indicate that the container does not have the CAP_IPC_LOCK capability passed to it. I have dug into some of the documentation, but cannot find where I need to add configuration or any option to enable this. How do I do this?

Benjamin

2 Answers


ACIs can specify which caps they need in their manifest with an isolator of type os/linux/capabilities-retain-set.

To check if the manifest contains such an isolator, you can use actool:

$ actool cat-manifest --pretty-print ./myapp.aci

You might see the following:

    "isolators": [
        {
            "name": "os/linux/capabilities-retain-set",
            "value": {
                "set": [
                    "CAP_IPC_LOCK"
                ]
            }
        }
    ]

To add CAP_IPC_LOCK, you can use:

$ actool patch-manifest --capability=CAP_IPC_LOCK --replace ./myapp.aci

It is currently not possible to add a capability directly on the rkt run command line. I filed an issue on GitHub for this feature request: coreos/rkt#2371

Alban
  • Thanks, I had come to a conclusion close to this, but thought I'd give someone else a chance to answer it. I was unaware of the patch-manifest function before; I had set up my ACI build process to modify it with jq, thanks! I also found that, for it to work, I had to untar the ACI, use "setcap cap_ipc_lock=+ep" on the executable and then recreate the ACI using bsdtar in order for the capabilities of the executable to be preserved, as acbuild copy did not keep these attributes in the initial ACI. Add this to your answer for completeness, or provide an alternative, and I'll accept it. – Benjamin Apr 04 '16 at 09:37

You can use acbuild to give your container the right capabilities.

If you're already using acbuild to make your ACI, just add this line to the build script:

echo '{ "set": ["CAP_IPC_LOCK"] }' | acbuild isolator add "os/linux/capabilities-retain-set" -

Or if you're not already using acbuild to make your ACI, you can modify an existing ACI by using the --modify flag. So the command would be:

echo '{ "set": ["CAP_IPC_LOCK"] }' | acbuild --modify path/to/your/app.aci isolator add "os/linux/capabilities-retain-set" -

Derek Gonyeo
  • Useful to know that I can do this using acbuild, too. Any more info on whether "setcap cap_ipc_lock=+ep" status on the executable in the archive can be retained in any other way than by depackaging/setting capability/repackaging via bsdtar as per my comment to the other answer? – Benjamin Apr 04 '16 at 16:40
  • If there's a `setcap` binary in the ACI you can run it with `acbuild run`, but if not then I think the only way to do it is the bsdtar way. – Derek Gonyeo Apr 04 '16 at 16:50
  • Thanks, will see if there's an issue against acbuild for preserving cap flags on 'copy', and if not, open one. I'm going to award the answer to @Alban as that answer got there first on the isolator setting. – Benjamin Apr 05 '16 at 10:10
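Both answers above edit the same thing: the os/linux/capabilities-retain-set isolator in the image manifest, either with actool patch-manifest or with acbuild isolator add. As an added example, not code from either answer or from the rkt or acbuild projects, the script below performs that edit directly on the ACI tarball: it reads the top-level manifest file, adds CAP_IPC_LOCK to the retain set (creating the isolator if it is absent and never duplicating an entry that is already there), and writes the archive back with every other entry untouched. It assumes the appc image-manifest layout in which isolators sit under the manifest's "app" object; the sample manifest, image name and in-memory ACI are constructed for the demo and are not the asker's myapp.aci.

```python
import io
import json
import tarfile

# Isolator name from the appc spec, as quoted in both answers.
RETAIN_SET_ISOLATOR = "os/linux/capabilities-retain-set"


def retained_capabilities(manifest):
    """Return the capabilities listed in the retain-set isolator, or [] if absent.

    Assumption: per the appc image-manifest schema, isolators live under "app".
    """
    for isolator in manifest.get("app", {}).get("isolators", []):
        if isolator.get("name") == RETAIN_SET_ISOLATOR:
            return list(isolator.get("value", {}).get("set", []))
    return []


def add_retained_capability(manifest, cap):
    """Add `cap` to the retain-set isolator, creating the isolator if needed.

    Idempotent: a capability already present is not duplicated, so this can
    run on every build without growing the manifest. Mutates and returns it.
    """
    app = manifest.setdefault("app", {})
    isolators = app.setdefault("isolators", [])
    for isolator in isolators:
        if isolator.get("name") == RETAIN_SET_ISOLATOR:
            caps = isolator.setdefault("value", {}).setdefault("set", [])
            if cap not in caps:
                caps.append(cap)
            return manifest
    isolators.append({"name": RETAIN_SET_ISOLATOR, "value": {"set": [cap]}})
    return manifest


def patch_aci(aci_bytes, cap):
    """Rewrite an ACI (a tar with a top-level "manifest" entry) so that its
    manifest retains `cap`. All other entries are copied through unchanged."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(aci_bytes), mode="r:*") as src:
        with tarfile.open(fileobj=out, mode="w") as dst:
            for member in src.getmembers():
                data = src.extractfile(member) if member.isfile() else None
                if member.name == "manifest":
                    manifest = json.loads(data.read().decode("utf-8"))
                    add_retained_capability(manifest, cap)
                    payload = json.dumps(manifest, indent=4).encode("utf-8")
                    member.size = len(payload)  # size changed, fix the header
                    dst.addfile(member, io.BytesIO(payload))
                else:
                    dst.addfile(member, data)
    return out.getvalue()


def read_manifest(aci_bytes):
    """Parse the manifest entry out of an ACI held in memory."""
    with tarfile.open(fileobj=io.BytesIO(aci_bytes), mode="r:*") as tar:
        return json.loads(tar.extractfile("manifest").read().decode("utf-8"))


def build_sample_aci(manifest):
    """Constructed sample: a minimal ACI-shaped tar (manifest + empty rootfs
    directory) built in memory so the demo runs offline without acbuild."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        payload = json.dumps(manifest).encode("utf-8")
        info = tarfile.TarInfo("manifest")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        rootfs = tarfile.TarInfo("rootfs")
        rootfs.type = tarfile.DIRTYPE
        tar.addfile(rootfs)
    return out.getvalue()


# Constructed manifest for a hypothetical image with no isolators yet.
SAMPLE_MANIFEST = {
    "acKind": "ImageManifest",
    "acVersion": "0.8.1",
    "name": "example.com/myapp",
    "app": {"exec": ["/myapp"], "user": "0", "group": "0"},
}


def demo():
    """Return the retain set before and after patching the sample ACI."""
    before = build_sample_aci(SAMPLE_MANIFEST)
    after = patch_aci(before, "CAP_IPC_LOCK")
    return (retained_capabilities(read_manifest(before)),
            retained_capabilities(read_manifest(after)))


if __name__ == "__main__":
    print(demo())
```

Run it on a real image by replacing build_sample_aci with the bytes of your .aci and writing patch_aci's return value back out; inspect the result with actool cat-manifest as the first answer shows. Note that this only touches the manifest, which is the rkt-side grant of the capability. The setcap point raised in the comments is a separate matter: file capabilities live in the security.capability extended attribute of the executable itself, and whether that attribute survives depends on the tool used to pack the rootfs, not on anything in the manifest.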