Remove CAP_CHOWN (#3480)

* Revert "Add the CAP_CHOWN capability to support running rootless" This reverts commit 0f00378. * Add comment to not include in capacity string
aws · Nov 10, 2022 · d367b12 · d367b12
1 parent 27149d2
commit d367b12
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 17 deletions.
diff --git a/ecs-init/docker/docker.go b/ecs-init/docker/docker.go
@@ -69,21 +69,6 @@ const (
 	// maxRetries specifies the maximum number of retries for ping to return
 	// a successful response from the docker socket
 	maxRetries = 5
-	// CapNetAdmin to start agent with NET_ADMIN capability
-	// For more information on capabilities, please read this manpage:
-	// http://man7.org/linux/man-pages/man7/capabilities.7.html
-	CapNetAdmin = "NET_ADMIN"
-	// CapSysAdmin to start agent with SYS_ADMIN capability
-	// This is needed for the ECS Agent to invoke the setns call when
-	// configuring the network namespace of the pause container
-	// For more information on setns, please read this manpage:
-	// http://man7.org/linux/man-pages/man2/setns.2.html
-	CapSysAdmin = "SYS_ADMIN"
-	// CapChown to start agent with CAP_CHOWN capability
-	// This is needed for the ECS Agent to invoke the chown call when
-	// configuring the files for configuration or administration.
-	// http://man7.org/linux/man-pages/man2/chown.2.html
-	CapChown = "CAP_CHOWN"
 	// DefaultCgroupMountpoint is the default mount point for the cgroup subsystem
 	DefaultCgroupMountpoint = "/sys/fs/cgroup"
 	// pluginSocketFilesDir specifies the location of UNIX domain socket files of
@@ -127,6 +112,20 @@ const (
 	execAgentLogRelativePath = "/exec"
 )
 
+// Do NOT include "CAP_" in capability string
+const (
+	// CapNetAdmin to start agent with NET_ADMIN capability
+	// For more information on capabilities, please read this manpage:
+	// http://man7.org/linux/man-pages/man7/capabilities.7.html
+	CapNetAdmin = "NET_ADMIN"
+	// CapSysAdmin to start agent with SYS_ADMIN capability
+	// This is needed for the ECS Agent to invoke the setns call when
+	// configuring the network namespace of the pause container
+	// For more information on setns, please read this manpage:
+	// http://man7.org/linux/man-pages/man2/setns.2.html
+	CapSysAdmin = "SYS_ADMIN"
+)
+
 var pluginDirs = []string{
 	pluginSocketFilesDir,
 	pluginSpecFilesEtcDir,

diff --git a/ecs-init/docker/docker_config.go b/ecs-init/docker/docker_config.go
@@ -49,7 +49,7 @@ func createHostConfig(binds []string) *godocker.HostConfig {
 		// CapNetAdmin and CapSysAdmin are needed for running task in awsvpc network mode.
 		// This network mode is (at least currently) not supported in external environment,
 		// hence not adding them in that case.
-		caps = []string{CapNetAdmin, CapSysAdmin, CapChown}
+		caps = []string{CapNetAdmin, CapSysAdmin}
 	}
 
 	hostConfig := &godocker.HostConfig{

diff --git a/ecs-init/docker/docker_test.go b/ecs-init/docker/docker_test.go
@@ -292,7 +292,7 @@ func validateCommonCreateContainerOptions(opts godocker.CreateContainerOptions,
 		t.Errorf("Expected network mode to be %s, got %s", networkMode, hostCfg.NetworkMode)
 	}
 
-	if len(hostCfg.CapAdd) != 3 {
+	if len(hostCfg.CapAdd) != 2 {
 		t.Error("Mismatch detected in added host config capabilities")
 	}