Docker – Fixing ‘chattr: Operation Not Permitted’ Error


I'm ssh'ed into a local CentOS 7 Docker container* and I'm trying to run

sudo chattr +i file1

but I'm getting an error:

chattr: Operation not permitted while setting flags on file1

What's going on here? What flags is it talking about? Is there a workaround?

Changing the +i to +a also makes the command fail with that error, but when I change it to +d the command succeeds. The command also succeeds for me when I'm not ssh'ed into a Docker container.

*I'm running the CentOS 7 Docker container in an Ubuntu VirtualBox VM host on top of Windows 10 (I'd like to avoid having to deal with Windows as much as possible). The ultimate goal of all of this is to test some Ansible scripts using these containers.

Best Answer

This is a capabilities thing: chattr requires CAP_LINUX_IMMUTABLE, which is disabled in Docker by default. Just add --cap-add LINUX_IMMUTABLE to the docker container start options to enable it.

Here's an example:

user@test:~$ docker run --cap-add LINUX_IMMUTABLE -it bash
bash-5.0# cd home
bash-5.0# touch test
bash-5.0# apk add e2fsprogs-extra
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/6) Installing libuuid (2.33-r0)
(2/6) Installing libblkid (2.33-r0)
(3/6) Installing libcom_err (1.44.5-r0)
(4/6) Installing e2fsprogs-libs (1.44.5-r0)
(5/6) Installing e2fsprogs (1.44.5-r0)
(6/6) Installing e2fsprogs-extra (1.44.5-r0)
Executing busybox-1.29.3-r10.trigger
OK: 15 MiB in 24 packages
bash-5.0# chattr +i test
bash-5.0# echo $?
0

Here you can read more about Linux capabilities in Docker.
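As an added example (not part of the answer above), the following script checks the same precondition the answer describes without having to try chattr and read the error: it parses the CapEff line of a /proc/&lt;pid&gt;/status file and tests bit 9, which is the capability number of CAP_LINUX_IMMUTABLE in linux/capability.h. The two status excerpts are constructed, not captured from the asker's host; the mask 00000000a80425fb is the effective set Docker grants to root in a container started with default options, and 00000000a80427fb is that set with bit 9 added, i.e. what --cap-add LINUX_IMMUTABLE produces. The function names are this example's own.

```shell
#!/bin/sh
# Added example: decide from a CapEff hex mask (as printed in
# /proc/<pid>/status) whether CAP_LINUX_IMMUTABLE is available, so a
# container can be checked before running chattr +i / +a.
# CAP_LINUX_IMMUTABLE is capability number 9 => bit 9 of the mask.

CAP_LINUX_IMMUTABLE=9

# cap_in_mask MASK NUM: return 0 if capability number NUM is set in hex MASK.
cap_in_mask() {
    mask=$1
    num=$2
    [ -n "$mask" ] || return 1                 # no mask => treat as absent
    [ $(( (0x$mask >> $num) & 1 )) -eq 1 ]
}

# capeff_of_text TEXT: print the CapEff mask from the text of a status file.
capeff_of_text() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# check_status_text TEXT: return 0 if the process described by TEXT holds
# CAP_LINUX_IMMUTABLE in its effective set.
check_status_text() {
    cap_in_mask "$(capeff_of_text "$1")" "$CAP_LINUX_IMMUTABLE"
}

# Constructed sample excerpts (not captured output). Docker's default
# effective set for root is a80425fb: bit 9 is clear, so chattr +i fails.
DEFAULT_STATUS='Name:	bash
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'

# Same container started with --cap-add LINUX_IMMUTABLE: bit 9 (0x200) set.
CAPADD_STATUS='Name:	bash
CapInh:	0000000000000000
CapPrm:	00000000a80427fb
CapEff:	00000000a80427fb
CapBnd:	00000000a80427fb'

# When run as a script, inspect the calling process itself.
if check_status_text "$(cat /proc/self/status 2>/dev/null)"; then
    echo "CAP_LINUX_IMMUTABLE present: chattr +i / +a can work here"
else
    echo "CAP_LINUX_IMMUTABLE absent: start the container with --cap-add LINUX_IMMUTABLE"
fi
```

Run it inside the container as the user that will invoke chattr; the check is on the effective set, so an unprivileged user without sudo will report the capability as absent even when the container has it. On a host with libcap installed, capsh --decode=00000000a80425fb prints the names behind the mask, which is a quick way to confirm that linux_immutable is missing from the default set.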
