Which Linux capability do I need in order to write to /proc/sys/vm/drop_caches

capabilitiesdockerprivilegesproc

I am trying to clear my filesystem cache from inside a docker container, like so:

docker run --rm ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"

If I run this command I get

sh: 1: cannot create /proc/sys/vm/drop_caches: Read-only file system

which is expected, as I cannot write to /proc from inside the container.

Now when I call

docker run --rm --privileged ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"

it works, which also makes sense to me, as the --privileged container can do (almost) anything on the host.

My question is: how do I find out, which Linux capability I need to set in the command

docker run --rm --cap-add=??? ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"

in order to make this work without having to set --privileged?

Best Answer

The proc filesystem doesn't support capabilities, ACL, or even changing basic permissions with chmod. Unix permissions determine whether the calling process gets access. Thus only root can write that file. With user namespaces, that's the global root (the one in the original namespace); root in a container doesn't get to change sysctl settings.

As far as I know, the only solution to change a sysctl setting from inside a non-privileged namespace is to arrange a communication channel with the outside (e.g. a socket or pipe), and have the listening process run as root outside the container.

Related Solutions

Docker – Setup Container to Communicate with Host Over D-Bus

I've found a solution. Here's my Dockerfile:

FROM i386/ubuntu:16.04

RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y dbus

COPY dbus.conf /etc/dbus-1/session.d/

ENTRYPOINT ["dbus-run-session", "slaveApp"]

And my dbus.conf:

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
    "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>
    <listen>tcp:host=localhost,bind=*,port=6667,family=ipv4</listen>
    <listen>unix:tmpdir=/tmp</listen>
    <auth>ANONYMOUS</auth>
    <allow_anonymous/>
</busconfig>

And set the address variable on host:

export DBUS_SESSION_BUS_ADDRESS=tcp:host=${containerIp},port=6667,family=ipv4

In my master app I initiate a connection (I used Qt):

 QDBusConnection::connectToBus("tcp:host=${containerIp},port=6667", "qt_default_session_bus");

The master app can now send messages to slave app. I haven't tried to send messages from slave to master, though.

The answer is taken from this post: https://stackoverflow.com/a/45487266/6509266

Best Answer

Related Solutions

Docker – Setup Container to Communicate with Host Over D-Bus

Related Question