Fix capabilities support.

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-06-11 02:15:34 +00:00 · 2017-06-11 02:15:34 +00:00 · f247a0819d
commit f247a0819d
parent e9a930b28b
2 changed files with 5 additions and 4 deletions
--- a/pkg/server/container_start.go
+++ b/pkg/server/container_start.go
@ -467,14 +467,15 @@ func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability,
 		return nil
 	}

+	// Capabilities in CRI doesn't have `CAP_` prefix, so add it.
 	for _, c := range capabilities.GetAddCapabilities() {
-		if err := g.AddProcessCapability(c); err != nil {
+		if err := g.AddProcessCapability("CAP_" + c); err != nil {
 			return err
 		}
 	}

 	for _, c := range capabilities.GetDropCapabilities() {
-		if err := g.DropProcessCapability(c); err != nil {
+		if err := g.DropProcessCapability("CAP_" + c); err != nil {
 			return err
 		}
 	}
--- a/pkg/server/container_start_test.go
+++ b/pkg/server/container_start_test.go
@ -77,8 +77,8 @@ func getStartContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxC
 			},
 			SecurityContext: &runtime.LinuxContainerSecurityContext{
 				Capabilities: &runtime.Capability{
-					AddCapabilities:  []string{"CAP_SYS_ADMIN"},
-					DropCapabilities: []string{"CAP_CHOWN"},
+					AddCapabilities:  []string{"SYS_ADMIN"},
+					DropCapabilities: []string{"CHOWN"},
 				},
 				SupplementalGroups: []int64{1111, 2222},
 			},