From b9036604e61f29805032c21630500fd1f3d39cf8 Mon Sep 17 00:00:00 2001 From: Mathias Fredriksson Date: Wed, 11 Jun 2025 16:27:55 +0000 Subject: [PATCH] fix(agent/agentcontainers): remove cap net admin from dev container agent executable This was causing errors on `mcr.microsoft.com/devcontainers/base:ubuntu` image. ``` /.coder-agent/coder: Operation not permitted ``` Simplified and removed `chown` while I was at it as it's unnecessary. --- agent/agentcontainers/api.go | 19 +++++++++++-------- agent/agentcontainers/api_test.go | 4 ---- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/agent/agentcontainers/api.go b/agent/agentcontainers/api.go index 301553c651048..56c5df6710297 100644 --- a/agent/agentcontainers/api.go +++ b/agent/agentcontainers/api.go @@ -1062,20 +1062,23 @@ func (api *API) injectSubAgentIntoContainerLocked(ctx context.Context, dc coders logger.Info(ctx, "copied agent binary to container") - // Make sure the agent binary is executable so we can run it. + // Make sure the agent binary is executable so we can run it (the + // user doesn't matter since we're making it executable for all). if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chmod", "0755", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil { return xerrors.Errorf("set agent binary executable: %w", err) } - // Set the owner of the agent binary to root:root (UID 0, GID 0). - if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "chown", "0:0", path.Dir(coderPathInsideContainer), coderPathInsideContainer); err != nil { - return xerrors.Errorf("set agent binary owner: %w", err) - } // Attempt to add CAP_NET_ADMIN to the binary to improve network // performance (optional, allow to fail). See `bootstrap_linux.sh`. - if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil { - logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err)) - } + // TODO(mafredri): Disable for now until we can figure out why this + // causes the following error on some images: + // + // Image: mcr.microsoft.com/devcontainers/base:ubuntu + // Error: /.coder-agent/coder: Operation not permitted + // + // if _, err := api.ccli.ExecAs(ctx, container.ID, "root", "setcap", "cap_net_admin+ep", coderPathInsideContainer); err != nil { + // logger.Warn(ctx, "set CAP_NET_ADMIN on agent binary failed", slog.Error(err)) + // } // Detect workspace folder by executing `pwd` in the container. // NOTE(mafredri): This is a quick and dirty way to detect the diff --git a/agent/agentcontainers/api_test.go b/agent/agentcontainers/api_test.go index 59b0461c7948a..91cebcf2e5d25 100644 --- a/agent/agentcontainers/api_test.go +++ b/agent/agentcontainers/api_test.go @@ -1276,8 +1276,6 @@ func TestAPI(t *testing.T) { mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "mkdir", "-p", "/.coder-agent").Return(nil, nil), mCCLI.EXPECT().Copy(gomock.Any(), "test-container-id", coderBin, "/.coder-agent/coder").Return(nil), mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chmod", "0755", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil), - mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chown", "0:0", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil), - mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "setcap", "cap_net_admin+ep", "/.coder-agent/coder").Return(nil, nil), ) mClock.Set(time.Now()).MustWait(ctx) @@ -1333,8 +1331,6 @@ func TestAPI(t *testing.T) { mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "mkdir", "-p", "/.coder-agent").Return(nil, nil), mCCLI.EXPECT().Copy(gomock.Any(), "test-container-id", coderBin, "/.coder-agent/coder").Return(nil), mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chmod", "0755", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil), - mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "chown", "0:0", "/.coder-agent", "/.coder-agent/coder").Return(nil, nil), - mCCLI.EXPECT().ExecAs(gomock.Any(), "test-container-id", "root", "setcap", "cap_net_admin+ep", "/.coder-agent/coder").Return(nil, nil), ) // Terminate the agent and verify it is deleted.