[TorizonCoreBuilder] Dropped capabilities while building image

Hello,

I am facing an issue with TorizonCoreBuilder. I have a container that needs to modify the host’s Ethernet interface. I was able to create such a container, but it only works if I manually upload it via ssh. If I try to bundle it into the TorizonCore image with TorizonCoreBuilder, it does not work (I get errors regarding permissions).

Tested workflow:

  • Build the image with TorizonCoreBuilder
  • Install the image with TorizonEasyInstaller
  • Init container will log permission errors
  • Stop the docker-compose service on Apalis
  • Remove the init container image from Apalis
  • Provide exactly the same container image to Apalis via ssh
  • Start the docker-compose service
  • Now everything is ok

My dockerfile:

# Make sure we don't get notifications we can't answer during building.
ENV DEBIAN_FRONTEND="noninteractive"

# your regular RUN statements here
# Install required packages
RUN apt-get -q -y update \
    && apt-get -q -y install net-tools \
                        libcap2 \
                        libcap2-bin \
                        iproute2 \
                        iptables \
    # Clear apt-get
    && rm -rf /var/lib/apt/lists/*

# Copy executable/config to container
COPY src/init.sh /init/init.sh

# Make the script read/execute-only (path matches the COPY destination)
RUN chmod 555 /init/init.sh

# Allow these binaries to change the network configuration
RUN setcap cap_net_admin=eip /sbin/ifconfig
RUN setcap cap_net_admin=eip /bin/ip
RUN setcap cap_net_admin=eip /usr/sbin/xtables-nft-multi

USER torizon

WORKDIR /init

CMD ./init.sh

init.sh:

#!/bin/bash

# Set MAC address
MAC_ADDR="01:15:16:17:18:19"
ifconfig ethernet0 down
ifconfig ethernet0 hw ether $MAC_ADDR
ifconfig ethernet0 up

docker-compose.yml:

version: "3.8"

services: 
    init:
        image: localhost:5000/module/init_devel:0.0.3
        container_name: init
        restart: "no"
        stdin_open: true
        tty: true
        network_mode: "host"
        cap_add:
            - NET_ADMIN

tcbuild.yaml:

input:
    easy-installer:
        local: torizon-core-docker-apalis-imx6-Tezi_5.3.0+build.7.tar
customization:
    device-tree:
        include-dirs:
            - device-trees/include/
        custom: device-trees/dts-arm32/imx6q-apalis-eval.dts
    filesystem:
        - changes1/
output:
    easy-installer:
        local: torizon-core-docker-apalis-imx6-test
        bundle:
            compose-file: docker-compose.yml

I am developing on Apalis imx6,
TorizonCore 5.3.0,
ToradexEasyInstaller 5.3.0
TorizonCoreBuilder 3.2.0

Best Regards,
Kacper
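
Added example, not part of the original post: `setcap` stores file capabilities in the `security.capability` extended attribute, so one way to compare the bundled image with the manually uploaded one is to read that attribute inside each container and decode it. The sketch assumes Python 3 is available in the container (the Dockerfile above does not install it); the sample bytes are constructed and the function names are hypothetical.

```python
import os
import struct
import sys

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NET_ADMIN = 12

def decode_vfs_caps(raw):
    """Decode a security.capability xattr (revision 2 or 3) into bit masks."""
    if len(raw) < 20:
        raise ValueError("xattr too short for a v2/v3 capability record")
    # Layout: magic_etc, then two {permitted, inheritable} pairs (low, high words).
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    if (magic & VFS_CAP_REVISION_MASK) not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported capability revision")
    return {
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
    }

def grants(caps, cap):
    """True if the decoded record is equivalent to `<cap>=eip`."""
    bit = 1 << cap
    return bool(caps and caps["effective"]
                and caps["permitted"] & bit and caps["inheritable"] & bit)

def file_caps(path):
    """Return the decoded record for path, or None when the xattr is absent."""
    try:
        return decode_vfs_caps(os.getxattr(path, "security.capability"))
    except OSError:
        return None

# Constructed sample: a revision-2 record equivalent to cap_net_admin=eip.
SAMPLE = bytes.fromhex("01000002" "00100000" "00100000" "00000000" "00000000")

if __name__ == "__main__":
    # Default paths are the three binaries from the Dockerfile above.
    defaults = ["/sbin/ifconfig", "/bin/ip", "/usr/sbin/xtables-nft-multi"]
    for path in sys.argv[1:] or defaults:
        ok = grants(file_caps(path), CAP_NET_ADMIN)
        print(f"{path}: cap_net_admin=eip {'present' if ok else 'MISSING'}")
```

Because the container runs as `USER torizon`, `cap_add: NET_ADMIN` alone does not give the non-root process an effective `CAP_NET_ADMIN`; the file capability on each binary is what grants it, so a `MISSING` result in only one of the two images localises the difference to the image contents.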