synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-13 21:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(agent/agentcontainers): remove cap net admin from dev container agent executable (#18327)

Browse Source
This commit is contained in:
Mathias Fredriksson
2025-06-11 19:40:35 +03:00
committed by GitHub
parent ae3882a600
commit f2f0237082
2 changed files with 11 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
agent/agentcontainers/api.go
View File

@ -1062,20 +1062,23 @@ func (api *API) injectSubAgentIntoContainerLocked(ctx context.Context, dc coders
logger.Info(ctx, "copied agent binary to container")
// Make sure the agent binary is executable so we can run it.
// Make sure the agent binary is executable so we can run it (the
// user doesn't matter since we're making it executable for all).
if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chmod", "0755", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil {
return xerrors.Errorf("set agent binary executable: %w", err)
}
// Set the owner of the agent binary to root:root (UID 0, GID 0).
if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chown", "0:0", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil {
return xerrors.Errorf("set agent binary owner: %w", err)
}
// Attempt to add CAP_NET_ADMIN to the binary to improve network
// performance (optional, allow to fail). See `bootstrap_linux.sh`.
if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {
logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
}
// TODO(mafredri): Disable for now until we can figure out why this
// causes the following error on some images:
//
// Image: mcr.microsoft.com/devcontainers/base:ubuntu
// Error: /.coder-agent/coder: Operation not permitted
//
// if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil {
// logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err))
// }
// Detect workspace folder by executing `pwd` in the container.
// NOTE(mafredri): This is a quick and dirty way to detect the

4
agent/agentcontainers/api_test.go
View File

@ -1276,8 +1276,6 @@ func TestAPI(t *testing.T) {
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "mkdir", "-p", "/.coder-agent").Return(nil, nil),
mCCLI.EXPECT().Copy(gomock.Any(), "test-container-id", coderBin, "/.coder-agent/coder").Return(nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chmod", "0755", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chown", "0:0", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "setcap", "cap_net_admin+ep", "/.coder-agent/coder").Return(nil, nil),
)
mClock.Set(time.Now()).MustWait(ctx)
@ -1333,8 +1331,6 @@ func TestAPI(t *testing.T) {
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "mkdir", "-p", "/.coder-agent").Return(nil, nil),
mCCLI.EXPECT().Copy(gomock.Any(), "test-container-id", coderBin, "/.coder-agent/coder").Return(nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chmod", "0755", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chown", "0:0", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil),
mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "setcap", "cap_net_admin+ep", "/.coder-agent/coder").Return(nil, nil),
)
// Terminate the agent and verify it is deleted.