
"Restricted" access right for the "root" account in a rkt container

I am running into some issues while trying to execute commands as root in my rkt containers.

I run the rkt engine with sudo. Inside the launched container, I am also logged in as root. But it seems that I am not a "real" root inside.

For example, when I try to run a "chrt" command on a launched process which I own, I get the following answer:

[root@rkt-b1e45e35-f3e7-4cc2-88ea-58d06809dd5d /]# chrt -p -f 99 25
Unable to change scheduling policy!
either run as root or join realtime group

Another example: when I try to log in as another user I created in my container, I get the following error message:

[root@rkt-b1e45e35-f3e7-4cc2-88ea-58d06809dd5d /]# su toto
Bad system call

(Note: I get the same message when I try to launch a "sudo" command.)

I also tried to add toto or root either to the "root" group or to the "realtime" one, but it still does not work.

Another expressive example: when I try to apply (as root) a chmod +w on a file owned by root with the following configuration: rw-r--r-- , I get an access denied message...

For information, a rkt image cat-manifest xxx command on my rkt image gives the following output:

{
  "acKind": "ImageManifest",
  "acVersion": "0.6.1",
  "name": "xxxxxxxxxx",
  "labels": [
    { "name": "version", "value": "latest" },
    { "name": "arch", "value": "amd64" },
    { "name": "os", "value": "linux" }
  ],
  "app": {
    "exec": [ "/bin/bash" ],
    "user": "root",
    "group": "root",
    "workingDirectory": "/",
    "environment": [
      { "name": "PATH", "value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }
    ]
  }
}

Do you have any idea about the origin of my issue?

I found the solution: I simply had to add more "--caps-retain" parameters in the rkt run command. (By default, the local pseudo-root user has strong limitations.)
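A diagnostic to go with that answer, added here and not part of the original post: before choosing which values to pass to --caps-retain, decode the CapEff mask from /proc/self/status inside the container to see which capabilities the pseudo-root actually holds (chrt -f, for instance, needs cap_sys_nice). The SAMPLE_MASK is a constructed value for a typical reduced container capability set, not rkt's own default; the script runs on any Linux shell.

```shell
#!/bin/sh
# Decode a Linux capability bitmask (the CapEff line of /proc/<pid>/status)
# into capability names, to check what a container's "root" may really do.

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK -> prints one cap_* name per line for every set bit
decode_caps() {
    mask=$(( 0x${1:-0} ))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        i=$(( i + 1 ))
    done
}

# has_cap HEXMASK NAME -> exit status 0 if the named capability is in the mask
has_cap() {
    decode_caps "$1" | grep -qx "cap_$2"
}

# Effective capability mask of the current shell (Linux /proc only).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample: a common reduced container set. It keeps setuid/setgid
# and the usual file caps but drops sys_nice, so `chrt -f` fails with
# "Unable to change scheduling policy!" exactly as in the question.
SAMPLE_MASK="00000000a80425fb"

echo "sample mask $SAMPLE_MASK grants:"
decode_caps "$SAMPLE_MASK"
has_cap "$SAMPLE_MASK" sys_nice || echo "missing cap_sys_nice: chrt -f will fail"

if [ -r /proc/self/status ]; then
    echo "this shell (CapEff $(current_capeff)) grants:"
    decode_caps "$(current_capeff)"
fi
```

Run it inside the container to compare the live CapEff against the names you pass to --caps-retain.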
