Created attachment 1891284
Patch applied to fix the issue.
Description of problem:
For OpenStack upgrade from OSP16.2 to OSP17.1 we are planning to go to an intermediate step where we run OSP17 containers on RHEL8.4 before doing Leapp to RHEL9. We don't expect all of the containers to work as we will have OVS incompatibility and probably Libvirt incompatibility, but most of the OSP containers are simple python applications. When testing the PoC we hit an issue with mysql_upgrade failing to connect with error:
FATAL ERROR: popen("'mysql' --no-defaults --help 2>&1 > /dev/null ", "r") failed
Version-Release number of selected component (if applicable):
We use container-tools module 3.0 but we can switch to plain container-tools on 8.4. But we need backports of seccomp.json changes used in https://access.redhat.com/errata/RHSA-2021:4154
How reproducible:
Running mysqld with mysql_upgrade command always fails.
To solve this we did dnf module switch to container-tools and got containers-common-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
This still didn't solve the issue, but after creating a patch that updates seccomp.json from the linked advisory we got everything working.
This is a blocking issue for the OSP16.2 to OSP17.1 upgrade.
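Added example, not part of the original report or the attached patch: before backporting a newer seccomp.json, a reviewer can diff the two profiles to see exactly which syscalls the update starts allowing. The sample profiles and their syscall lists are constructed for illustration and are not the contents of either package; the function names are hypothetical.

```python
import json

# Constructed sample profiles in the seccomp.json layout (not real package contents).
OLD = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["read", "write", "clone"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}},
]}
NEW = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["read", "write", "clone", "openat2", "faccessat2", "ptrace"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
]}

def load_profile(path):
    """Read a seccomp.json profile from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def allowed(profile):
    """Return (unconditional, conditional) sets of syscalls with an ALLOW rule."""
    unconditional, conditional = set(), set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # A rule is conditional if it filters on arguments or on capabilities.
        gated = bool(rule.get("args") or rule.get("includes") or rule.get("excludes"))
        (conditional if gated else unconditional).update(rule.get("names", []))
    return unconditional, conditional - unconditional

def diff_profiles(old, new):
    """Summarise what changing from profile `old` to profile `new` permits."""
    old_u, old_c = allowed(old)
    new_u, new_c = allowed(new)
    old_any, new_any = old_u | old_c, new_u | new_c
    return {
        "default_action": (old.get("defaultAction"), new.get("defaultAction")),
        "newly_allowed": sorted(new_any - old_any),
        "no_longer_allowed": sorted(old_any - new_any),
        # Previously gated (caps/args), now allowed for every container.
        "now_unconditional": sorted((new_u - old_u) & old_c),
    }

if __name__ == "__main__":
    print(json.dumps(diff_profiles(OLD, NEW), indent=2))
```

On a real host, pass the two files through `load_profile` instead of the inline samples; the `now_unconditional` list is the part that widens the sandbox for unprivileged containers and deserves the closest review.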
I am not really sure of the question, but if you exec into the container as root, then you have the full list of capabilities in the EFF set, so you can take advantage of them.
In the case of the actual container process, it does not get the capabilities by default but needs to use a SETUID or SETFCAP file to get additional capabilities.