容器以编程方式更新文件的Linux功能

Question

我有一个以非特权模式运行的容器。出于某种原因，我希望通过python代码更新文件atime，但发现由于权限问题，我无法这样做，尽管我可以写入该文件。

我试图将linux功能添加到容器中，但即使使用SYS_AMDIN，它仍然无法工作。有人知道该添加什么功能或者我错过了什么吗？

谢谢!

bash-5.1$ id 
uid=1000(contest) gid=1000(contest) groups=1000(contest)
bash-5.1$ ls -l
total 250
-rwxrwxrwx    1 root     contest          0 Oct 27 07:16 anotherfile
-rwxrwxrwx    1 root     contest     254823 Oct 27 07:37 outfile
-rwxrwxrwx    1 root     contest          0 Oct 24 03:52 test
-rwxrwxrwx    1 root     contest        364 Oct 27 07:16 test.py
-rwxrwxrwx    1 root     contest         18 Oct 24 05:25 testfile
bash-5.1$ python3 test.py
1666854988.190472
1666851388.190472
Traceback (most recent call last):
  File "/mnt/azurefile/test.py", line 19, in <module>
    os.utime(myfile, (atime - 3600.0, mtime))
PermissionError: [Errno 1] Operation not permitted
bash-5.1$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(contest) euid=1000(contest)
gid=1000(contest)
groups=1000(contest)
Guessed mode: HYBRID (4)

我的python代码要更新atime：

from datetime import datetime
import os
import time

myfile = "anotherfile"
current_time = time.time()

"""
Set the access time of a given filename to the given atime.
atime must be a datetime object.
"""
stat = os.stat(myfile)
mtime = stat.st_mtime
atime = stat.st_atime

print(mtime)
mtime = mtime - 3600.0
print(mtime)
os.utime(myfile, (atime - 3600.0, mtime))

豆荚yaml

---
kind: Pod
apiVersion: v1
metadata:
  name: nginx-azurefile
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  nodeSelector:
    "kubernetes.io/os": linux
  containers:
    - image: acheng.azurecr.io/capsh
      name: nginx-azurefile
      securityContext:
        capabilities:
          add: ["CHOWN","SYS_ADMIN","SYS_RESOURCES"]
      command:
        - "/bin/bash"
        - "-c"
        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/outfile; sleep 10; done
      volumeMounts:
        - name: persistent-storage
          mountPath: "/mnt/azurefile"
  imagePullSecrets:             
    - name: acr-secret  
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: pvc-azurefile

试图添加SYS_ADMIN功能，但没有工作。如果容器以特权模式运行，则代码可以按预期更新文件访问时间。

Answer 1

在这里回答我自己的问题。

在搜索之后，我发现kubernetes不支持非根用户的功能。容器规范中添加的功能仅供根用户使用。不会对非根用户生效。有关详细信息，请参阅此github问题：https://github.com/kubernetes/kubernetes/issues/56374

解决方法是使用setcap命令(从libcap)直接将cap添加到可执行文件中。所需的能力是CAP_FOWNER