I'm trying to set up a task definition in ECS Fargate for running Koha containers, but Fargate won't accept

--cap-add=SYS_NICE --cap-add=DAC_READ_SEARCH

(or any other kernel capabilities except for SYS_PTRACE) in the task definition JSON file. I tried adding "linuxParameters": {"capabilities": { "add": [ "SYS_NICE", "DAC_READ_SEARCH"], to the task definition JSON file, but Fargate simply deletes the code. The mpm_itk module fails without this option, and my container throws a 500 error with the following warning/error in the logs:

[mpm_itk:warn] [pid 17146] (itkmpm: pid=17146 uid=33, gid=33) itk_post_perdir_config(): setgid(1000): Operation not permitted

How do I work around this? Is there a way to pass these capabilities on after the container has started up? Any help will be appreciated, thanks!

Olaf Kock
grandmaestr

2 Answers

According to AWS, Fargate only allows you to add the SYS_PTRACE kernel capability. It is not possible to add any other capabilities at the moment. The only viable workaround that I can see working is to use ECS on EC2.

grandmaestr
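As an added illustration of this answer (example code, not from the question, the answer, or AWS): a small pre-flight check that flags any capability other than SYS_PTRACE under linuxParameters.capabilities.add in a task definition that declares FARGATE compatibility, and produces a copy retargeted to the EC2 launch type with the capabilities intact. The task definition text, the family name and the image name are constructed for the example; the only-SYS_PTRACE rule is the one the answer cites.

```python
"""Pre-flight check for an ECS task definition: flag Linux capabilities the
Fargate launch type will not accept, and produce an EC2-launch-type copy that
keeps them. Added example, not AWS code; names below are made up."""
import copy
import json

# Per the ECS task definition docs (as this answer states), Fargate tasks
# accept only SYS_PTRACE in linuxParameters.capabilities.add.
FARGATE_ALLOWED_ADD = {"SYS_PTRACE"}


def load_task_def(text):
    """Parse task definition JSON text into a dict."""
    return json.loads(text)


def unsupported_fargate_caps(task_def):
    """Return [(container name, capability), ...] that Fargate will not accept.

    Empty if the definition does not target FARGATE or adds nothing unsupported.
    """
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        return []
    found = []
    for cdef in task_def.get("containerDefinitions", []):
        caps = (cdef.get("linuxParameters") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            if cap not in FARGATE_ALLOWED_ADD:
                found.append((cdef["name"], cap))
    return found


def retarget_to_ec2(task_def):
    """Deep copy of the definition declaring EC2 compatibility only.

    The capabilities block is left untouched; task-level cpu/memory and
    awsvpc networking remain valid on the EC2 launch type.
    """
    ec2 = copy.deepcopy(task_def)
    ec2["requiresCompatibilities"] = ["EC2"]
    return ec2


# Constructed task definition in the shape the question describes.
TASK_DEF_JSON = """{
  "family": "koha",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "1024",
  "memory": "2048",
  "containerDefinitions": [
    {
      "name": "koha",
      "image": "example.invalid/koha:latest",
      "essential": true,
      "linuxParameters": {
        "capabilities": {"add": ["SYS_NICE", "DAC_READ_SEARCH"]}
      }
    }
  ]
}"""

if __name__ == "__main__":
    td = load_task_def(TASK_DEF_JSON)
    for name, cap in unsupported_fargate_caps(td):
        print(f"container {name}: Fargate will not accept capability {cap}")
    print(json.dumps(retarget_to_ec2(td), indent=2))
```

Run it against your own task definition file by replacing TASK_DEF_JSON with the file's contents. Keep in mind what moving to EC2 buys you: --cap-add widens the container's bounding set on a host you now manage, and DAC_READ_SEARCH in particular bypasses file read and directory search permission checks, so grant it only to the container that needs it.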
The container created by Docker's runc is bounded by a capability flag, i.e.

0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

The container can get capabilities from this set only.

vishy dewangan
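To make the mask in this answer concrete, here is an added example (not part of the answer) that decodes a CapBnd value as printed in /proc/<pid>/status into capability names and lists which capabilities a workload wants but can never obtain from that bounding set. The /proc status excerpt is constructed; the bit numbering is the kernel's from linux/capability.h (capability N is bit N); the wanted list is the two capabilities the question tried to add plus setuid/setgid, which the logged setgid() failure shows mpm_itk calling.

```python
"""Decode a Linux capability mask (e.g. CapBnd from /proc/<pid>/status) and
check a workload's needs against it. Added example; the status text is constructed."""

# Capability bit numbers from <linux/capability.h>: capability N is bit N.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(mask):
    """Return the capability names whose bits are set in mask (int or hex string)."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def parse_status_caps(status_text):
    """Extract the Cap* lines of a /proc/<pid>/status dump into {field: int}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def missing_caps(bounding_mask, required):
    """Capabilities in required that are outside the bounding set.

    The bounding set is a ceiling: a process in the container cannot gain these
    later, no matter how it execs or what file capabilities it carries.
    """
    have = set(decode_caps(bounding_mask))
    return [cap for cap in required if cap not in have]


# Constructed /proc/<pid>/status excerpt using the default Docker mask quoted
# in the answer above. Real use: open("/proc/<pid>/status").read().
SAMPLE_STATUS = """\
Name:\tapache2
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# What the question's container wants: setuid/setgid for mpm_itk's per-request
# identity switch, plus the two capabilities the asker tried to --cap-add.
ITK_WANTS = ["cap_setuid", "cap_setgid", "cap_sys_nice", "cap_dac_read_search"]

if __name__ == "__main__":
    caps = parse_status_caps(SAMPLE_STATUS)
    print("bounding set:", ", ".join(decode_caps(caps["CapBnd"])))
    print("not obtainable from this set:", missing_caps(caps["CapBnd"], ITK_WANTS))
```

Decoding 0xa80425fb reproduces exactly the fourteen names listed in the answer, and shows sys_nice and dac_read_search are the two that no process in the container can ever acquire. Note that cap_setgid is in the default set, so a setgid() EPERM under this bounding set points at the effective set of the calling process rather than the bounding set: when diagnosing, read CapEff for the failing pid, not only CapBnd.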