Issue type: Bug
Resolution: Done
Priority: Critical
Affects version: 4.11
Description of problem:
Cannot run "ip link set lo up" (the reproducer below) inside an OCP 4.11 pod as a non-root user, even though CAP_NET_ADMIN is both added in the pod's securityContext and set as a file capability on the ip binary. The command fails with "RTNETLINK answers: Operation not permitted".
Version-Release number of selected component (if applicable):
OpenShift 4.11
How reproducible:
100%
Steps to Reproduce:
1. Build an image from this Dockerfile:

    FROM registry.access.redhat.com/ubi8/ubi:8.5
    RUN dnf install -y iputils net-tools iproute
    RUN setcap cap_net_admin+ep /usr/sbin/ip
    CMD sleep infinity

2. Create this Pod (iplink:v1.0 is built from the Dockerfile above):

    apiVersion: v1
    kind: Pod
    metadata:
      name: testpod
    spec:
      containers:
      - name: appcntr1
        image: quay.io/rhn_support_cchen/iplink:v1.0
        imagePullPolicy: IfNotPresent
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 300000; done;" ]
        securityContext:
          runAsGroup: 9999
          runAsUser: 9999
          capabilities:
            add: ["NET_ADMIN"]

3. Check the result:

    $ oc get pods
    NAME      READY   STATUS    RESTARTS   AGE
    testpod   1/1     Running   0          5m17s
    $ oc rsh testpod ip link set lo up
    RTNETLINK answers: Operation not permitted
Actual results:
    $ oc rsh testpod ip link set lo up
    RTNETLINK answers: Operation not permitted
Expected results:
"ip link set lo up" succeeds, because CAP_NET_ADMIN was granted to the container and to the binary.
Additional info:
This issue is blocking Nokia from running tests of their solution on OCP 4.11.
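When a capability is "added" but the syscall still fails, the first thing to establish is which of the process's capability sets the bit actually landed in. The kernel only consults the effective set when it authorises the RTNETLINK request; a bit that sits only in the bounding set (CapBnd) is merely *allowed*, not held. Two things worth checking on the pod above before assuming a runtime bug: which SCC admitted the pod (`oc get pod testpod -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`), and the capability sets and NoNewPrivs flag of a process inside it (`oc rsh testpod cat /proc/self/status`, or `capsh --decode=<hex>` on the values). A non-root process only gains a capability on exec through file capabilities (the `setcap +ep` in the Dockerfile) or ambient capabilities, and file capabilities are ignored entirely when `no_new_privs` is set, which is what `allowPrivilegeEscalation: false` (required by the default restricted SCCs) does. Whether that is what happened here is not established by the report; the script below is an added diagnostic, not part of the original bug or of OpenShift, and the `/proc/<pid>/status` excerpt it ships with is constructed for illustration rather than captured from the reporter's pod.

```shell
#!/usr/bin/env bash
# Decode the capability sets of a process from a /proc/<pid>/status file and
# say why a given capability may not be usable. Added example; not from the bug.

CAP_NET_ADMIN=12   # bit number from <linux/capability.h>

# Constructed sample (not captured from the reporter's pod): a non-root
# process whose bounding set contains CAP_NET_ADMIN (bit 12) on top of the
# usual runtime default set, but whose permitted/effective sets are empty and
# which runs with no_new_privs set.
SAMPLE_STATUS=$(mktemp)
cat >"$SAMPLE_STATUS" <<'EOF'
Name:	ip
Uid:	9999	9999	9999	9999
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80435fb
CapAmb:	0000000000000000
NoNewPrivs:	1
EOF

# status_field FILE NAME -> value of the "NAME:" line (e.g. CapEff, NoNewPrivs)
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# has_cap FILE SET BIT -> prints yes/no depending on whether BIT is set in SET
has_cap() {
    local hex bit=$3
    hex=$(status_field "$1" "$2")
    [ -n "$hex" ] || { echo "no such field: $2" >&2; return 2; }
    if [ $(( (0x$hex >> bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# verdict FILE BIT -> one-line diagnosis; exit 0 only if BIT is effective
verdict() {
    local f=$1 bit=$2
    if [ "$(has_cap "$f" CapEff "$bit")" = yes ]; then
        echo "bit $bit is effective: a capability check for it will pass"
        return 0
    elif [ "$(has_cap "$f" CapBnd "$bit")" = no ]; then
        echo "bit $bit is not in the bounding set: the runtime/SCC never granted it"
        return 1
    elif [ "$(status_field "$f" NoNewPrivs)" = 1 ]; then
        echo "bit $bit is bounding-only and no_new_privs=1: file capabilities (setcap +ep) cannot raise it on exec"
        return 1
    else
        echo "bit $bit is bounding-only: it needs a file capability or an ambient capability to become effective"
        return 1
    fi
}

# capcheck [FILE] [BIT] -> dump all five sets plus NoNewPrivs, then the verdict
capcheck() {
    local f=${1:-/proc/self/status} bit=${2:-$CAP_NET_ADMIN} set
    for set in CapInh CapPrm CapEff CapBnd CapAmb; do
        printf '%-7s %s  bit%d=%s\n' "$set" "$(status_field "$f" "$set")" \
            "$bit" "$(has_cap "$f" "$set" "$bit")"
    done
    printf 'NoNewPrivs %s\n' "$(status_field "$f" NoNewPrivs)"
    verdict "$f" "$bit"
}

# Run against the constructed sample; inside the pod, copy the script in and
# call: capcheck /proc/self/status 12
capcheck "$SAMPLE_STATUS"
```

Run inside the pod (for instance via `oc rsh testpod`), `capcheck /proc/self/status 12` tells you in one line whether NET_ADMIN was never granted (bounding set), was granted but could not be raised because of `no_new_privs`, or is effective and the failure lies elsewhere. The sample status is hand-written and 0xa80435fb is the usual runtime default bounding set with bit 12 added, so the verdict it prints is illustrative only.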
Is cloned by: OCPBUGS-2913 [OCP 4.12] Capabilities are not honored (Closed)