[ https://issues.apache.org/jira/browse/DAEMON-426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243002#comment-17243002 ]

Mark Thomas commented on DAEMON-426:
------------------------------------

A quick look at the source suggests that that capability is required. It may be 
we can move the logic around to not request the capability when it is not 
required. The full command line used by the OP to call jsvc in the docker 
container would be helpful.

As an aside, it also looks like there is some code for compatibility with very 
old Linux kernels that we could remove now.

> CAP_DAC_READ_SEARCH not allowed in containers by default
> --------------------------------------------------------
>
>                 Key: DAEMON-426
>                 URL: https://issues.apache.org/jira/browse/DAEMON-426
>             Project: Commons Daemon
>          Issue Type: Bug
>          Components: Jsvc
>    Affects Versions: 1.2.2
>         Environment: Redhat 7; jsvc 1.2.3
>            Reporter: Sheridan Rawlins
>            Priority: Major
>
> jsvc tries to get {{CAP_DAC_READ_SEARCH}} capabilities.  The code says [Fix 
> DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading 
> /proc/self|https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a]
>  but does anyone still need this? It fails on docker containers in kubernetes 
> unless admins allow that capability to be requested.
> I tried compiling it without this flag and it seems to run everything just 
> fine - but to not break anyone who might really need this CAP, perhaps some 
> command line switch could be added to adjust what capabilities are requested 
> generally, or at the very least specifically whether to not alter that 
> CAP_DAC_READ_SEARCH cap.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
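
A pre-flight check for the failure the report describes, as an added example that is not part of the original message or the Commons Daemon source: it reads the process's permitted set from `/proc/self/status` and removes from the request any capability not in it, since capset(2) cannot raise capabilities beyond the current permitted set. The `WANTED` set, the sample status text and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers as defined in linux/capability.h. */
enum { DAC_READ_SEARCH = 2, SETGID = 6, SETUID = 7, NET_BIND_SERVICE = 10 };
/* Illustrative request set (an assumption, not copied from the jsvc source). */
static const uint64_t WANTED = (1ULL << DAC_READ_SEARCH) | (1ULL << SETGID) |
                               (1ULL << SETUID) | (1ULL << NET_BIND_SERVICE);
/* Constructed /proc/<pid>/status excerpt whose CapPrm lacks CAP_DAC_READ_SEARCH. */
static const char SAMPLE_STATUS[] = "Name:\tjsvc\nCapPrm:\t00000000a80425fb\n";

/* Extract the CapPrm hex mask; returns 0 on success, -1 if absent or empty. */
int parse_capprm(const char *p, uint64_t *mask)
{
    while (p && *p) {
        if (strncmp(p, "CapPrm:", 7) == 0) {
            const char *q = p + 7 + strspn(p + 7, " \t");
            if (!isxdigit((unsigned char)*q)) return -1; /* do not read into the next line */
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Split the wanted set into what the permitted set allows and what it refuses. */
uint64_t filter_requested(uint64_t wanted, uint64_t permitted, uint64_t *refused)
{
    *refused = wanted & ~permitted;
    return wanted & permitted;
}

int main(void)
{
    char buf[8192];
    uint64_t prm, refused;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    if (parse_capprm(n ? buf : SAMPLE_STATUS, &prm) != 0) return 1; /* sample if no /proc */
    printf("request=%llx\n", (unsigned long long)filter_requested(WANTED, prm, &refused));
    printf("refused=%llx\n", (unsigned long long)refused);
    return 0;
}
```

A non-zero `refused` value identifies the capabilities that would make the capset call fail in the current container, so the caller can either request the reduced set or stop with a clear message.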