TechQA.

How do I add Linux capabilities SYS_NICE and DAC_READ_SEARCH to container in AWS Fargate?

1.4k views Asked by At

I'm trying to setup a task definition in ECS Fargate for running Koha containers but Fargate won't accept

--cap-add=SYS_NICE --cap-add=DAC_READ_SEARCH

(or any other kernel capabilities except for SYS_PTRACE) in the task definition json file. I tried adding "linuxParameters": {"capabilities": { "add": [ "SYS_NICE", "DAC_READ_SEARCH"],to the task definition json file but Fargate simply deletes the code. The mpm_itk module fails without this option (and my container throws an 500 error with the following warning/error in the logs

[mpm_itk:warn] [pid 17146] (itkmpm: pid=17146 uid=33, gid=33) itk_post_perdir_config(): setgid(1000): Operation not permitted

How do I work around this? Is there a way to pass on these capabilities after the container has started up? Any help will be appreciated, thanks!

aws-fargate linux-capabilities ecs-taskdefinition
Original Q&A
2

There are 2 answers

0
grandmaestr On

According to AWS Fargate only allows you to add the SYS_PTRACE kernel capability. It is not possible to add any other capabilities at the moment. The only viable workaround that I can see working is to use ECS EC2.

0
vishy dewangan On

The container created by docker runc is bounded by capability flag i.e.

0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

The container can get the capabilities from this set only.

Related Questions in AWS-FARGATE

Related Questions in LINUX-CAPABILITIES

Related Questions in ECS-TASKDEFINITION

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions