redhat-openshift-ecosystem/openshift-preflight

Adding setcap to the Dockerfile causes the HasModifiedFiles check in Preflight 1.6.1 to fail

tkrishtop opened this issue · 3 comments

Bug Description

Adding setcap to the Dockerfile causes the HasModifiedFiles check in Preflight 1.6.1 to fail.

Version and Command Invocation

1.6.1

Steps to Reproduce:

  1. Build an image quay.io/tkrishtop/setcap-example:v0.0.2 using the Dockerfile below:

     FROM registry.access.redhat.com/ubi8/ubi:8.7-1112

     RUN microdnf -y install iptables && \
         microdnf clean all

     RUN setcap CAP_NET_ADMIN,CAP_NET_RAW+eip /usr/sbin/xtables-nft-multi

     CMD [ "cat", "hello world"]

  2. Run the Preflight check and observe the HasModifiedFiles check fail:

     $ podman run -e PFLT_LOGLEVEL=trace quay.io/opdev/preflight:1.6.1 check container quay.io/tkrishtop/setcap-example:v0.0.2

-- snip --

time="2023-04-28T07:38:06Z" level=debug msg="found disallowed modification in layer" file=usr/sbin/xtables-nft-multi layer="sha256:0765ec7ff35e3e077fb047f7a8710cdcef9c2ad08877fce70f25c94492b8a213"
time="2023-04-28T07:38:06Z" level=info msg="check completed" check=HasModifiedFiles result=FAILED
  3. Confirm that the issue is caused specifically by the setcap line (setcap CAP_NET_ADMIN,CAP_NET_RAW+eip /usr/sbin/xtables-nft-multi) by building another image, quay.io/tkrishtop/setcap-example:v0.0.3, without setcap:

     FROM registry.access.redhat.com/ubi8/ubi:8.7-1112

     RUN microdnf -y install iptables && \
         microdnf clean all

     CMD [ "cat", "hello world"]

This image passes the HasModifiedFiles check:

$ podman run -e PFLT_LOGLEVEL=trace quay.io/opdev/preflight:1.6.1 check container quay.io/tkrishtop/setcap-example:v0.0.3

-- snip --

time="2023-04-28T10:10:45Z" level=info msg="check completed" check=HasModifiedFiles result=PASSED

Expected Result

Telco partners often require the use of setcap:

CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_RAW - Permit use of RAW and PACKET sockets.

Containers using setcap do nothing wrong or non-standard; they should pass the certification checks.

Actual Result

check=HasModifiedFiles result=FAILED

Additional Context

Since there is no solution on our side, this issue is becoming urgent and has the potential to impact many Telco partners.

cc: @bcrochet @acornett21
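Added illustration (not preflight's own code, and not part of the issue) of why the check trips: `RUN setcap` writes the file's `security.capability` xattr, so the whole binary is copied into the new layer and its tar entry carries that xattr as a PAX record, which is what a layer walk sees as a modified file. The program builds a constructed in-memory layer and walks it; the `SCHILY.xattr.` PAX key, the VFS_CAP_REVISION_2 blob layout and the capability bit numbers are assumed from the kernel's vfs_cap_data and linux/capability.h rather than taken from the issue.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"io"
)

// PAX record carrying security.capability, plus the bit numbers (linux/capability.h) from the issue's setcap line.
const (
	capXattr    = "SCHILY.xattr.security.capability"
	CapNetAdmin = 12
	CapNetRaw   = 13
)

// CapabilityFiles maps each layer entry carrying security.capability to its
// permitted mask. The xattr is a VFS_CAP_REVISION_2 blob: le32 revision|flags,
// then le32 permitted/inheritable pairs; entries without it (or rev 3) are skipped.
func CapabilityFiles(layer io.Reader) (map[string]uint32, error) {
	out := map[string]uint32{}
	tr := tar.NewReader(layer)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		raw := []byte(hdr.PAXRecords[capXattr])
		if len(raw) >= 12 && binary.LittleEndian.Uint32(raw)>>24 == 2 {
			out[hdr.Name] = binary.LittleEndian.Uint32(raw[4:8])
		}
	}
	return out, nil
}

// ConstructedLayer is an in-memory stand-in for the "RUN setcap" layer: the binary is copied in whole, tagged CAP_NET_ADMIN,CAP_NET_RAW+eip.
func ConstructedLayer() []byte {
	blob := make([]byte, 20)
	binary.LittleEndian.PutUint32(blob[0:], 2<<24|1)                    // revision 2 | effective
	binary.LittleEndian.PutUint32(blob[4:], 1<<CapNetAdmin|1<<CapNetRaw) // permitted
	binary.LittleEndian.PutUint32(blob[8:], 1<<CapNetAdmin|1<<CapNetRaw) // inheritable
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "usr/sbin/xtables-nft-multi", Mode: 0o755, Size: 4, Format: tar.FormatPAX, PAXRecords: map[string]string{capXattr: string(blob)}}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	tw.Write([]byte("\x7fELF")) // constructed stand-in for the binary's contents
	tw.Close()
	return buf.Bytes()
}
```

Running CapabilityFiles over a real layer (e.g. an extracted blob from `podman save`) lists exactly the paths whose file capabilities were set, which is the information the issue's trace log reports one file at a time.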

This should not be a failure. I'm working on a solution. I've identified what happens in the layer that causes this. The problem is not making it so broad of a fix that other things slip through.

Hi @bcrochet @acornett21, thank you for the fix. Could you please let us know when you plan to release a Preflight version containing this fix?

@tkrishtop We are waiting on a change in go-rpmdb to be merged and referenced in preflight before we cut a release. Reference to PR here