Question
I have a Qt project that uses a plugin interface which compiles fine on my system. However, when the same project is compiled inside docker it stopped working with Qt 5.10.1, giving the message `Error: Undefined interface`. After some `strace`ing the `moc` run, it turned out that a header file that defines the interface is not found because the `statx` call on the include's filepath always returns `EPERM`. The documentation does not even mention how this error can be generated.
`docker run --privileged` fixes this problem but I would like to avoid excessive permissions so I wanted to set only the necessary ones.
So far I tried to add all of these capabilities (even at the same time) without success:
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_FOWNER
- CAP_SETFCAP
Am I missing something here?
UPDATE
A pull request for this is pending.
Answer 1:
Before 2018-03-06
`statx` isn't included in the default seccomp whitelist used by Docker as of present date.
You can use `--security-opt seccomp=/path/to/seccomp/profile.json` to specify a different profile (presumably, one with this syscall added).
After 2018-03-06
moby/moby#36417 was merged to master as of March 6th, 2018.
It should be included in nightly builds going forward, and eventually in the Docker 18.04 release.
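One way to build the "different profile" mentioned above without falling back to `--privileged`, shown as an added example that is not part of the original answer or of Docker's code: it adds a single syscall to a seccomp profile and leaves every other rule untouched. `SAMPLE_PROFILE` is a constructed stand-in that follows the layout of Docker's default profile, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample in the layout of Docker's default seccomp profile
# (default action denies with an errno; listed syscalls are allowed).
# It is a short stand-in, not the real profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["stat", "fstat", "lstat", "openat"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # Conditional rule: only applies when the container has CAP_SYS_ADMIN.
        {"names": ["mount"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def _unconditional_allow(rule):
    """True for an allow rule with no argument filters and no cap/arch conditions."""
    return (rule.get("action") == "SCMP_ACT_ALLOW"
            and not rule.get("args")
            and not rule.get("includes")
            and not rule.get("excludes"))


def is_allowed(profile, syscall):
    """Report whether `syscall` is allowed regardless of capabilities or arguments."""
    return any(syscall in rule.get("names", [])
               for rule in profile.get("syscalls", [])
               if _unconditional_allow(rule))


def allow_syscall(profile, syscall):
    """Return a copy of `profile` that allows `syscall`; the input is left unchanged."""
    patched = copy.deepcopy(profile)
    if is_allowed(patched, syscall):
        return patched
    patched.setdefault("syscalls", []).append(
        {"names": [syscall], "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


if __name__ == "__main__":
    # Write the result to a file and pass it via --security-opt seccomp=<file>.
    print(json.dumps(allow_syscall(SAMPLE_PROFILE, "statx"), indent=2))
```

For real use, load the default profile shipped with the Docker version in use instead of the sample, so the patched profile differs from it by this one rule only.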
Source: https://stackoverflow.com/questions/48995826/which-capabilities-are-needed-for-statx-to-stop-giving-eperm