fix(agent/agentcontainers): remove cap net admin from dev container agent executable (#18327)

agent/agentcontainers/api.go

@@ -1062,20 +1062,23 @@ func (api *API) injectSubAgentIntoContainerLocked(ctx context.Context, dc coders
 
 	logger.Info(ctx, "copied agent binary to container")
 
-	// Make sure the agent binary is executable so we can run it.
+	// Make sure the agent binary is executable so we can run it (the
+	// user doesn't matter since we're making it executable for all).
 	if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chmod", "0755", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil {
 		return xerrors.Errorf("set agent binary executable: %w", err)
 	}
-	// Set the owner of the agent binary to root:root (UID 0, GID 0).
-	if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chown", "0:0", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil {
-		return xerrors.Errorf("set agent binary owner: %w", err)
-	}
 
 	// Attempt to add CAP_NET_ADMIN to the binary to improve network
 	// performance (optional, allow to fail). See `bootstrap_linux.sh`.
-	if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {
-		logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
-	}
+	// TODO(mafredri): Disable for now until we can figure out why this
+	// causes the following error on some images:
+	//
+	//	Image: mcr.microsoft.com/devcontainers/base:ubuntu
+	// 	Error: /.coder-agent/coder: Operation not permitted
+	//
+	// if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {
+	// 	logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
+	// }
 
 	// Detect workspace folder by executing `pwd` in the container.
 	// NOTE(mafredri): This is a quick and dirty way to detect the