From 4acfc13548e6629dd9bac19e1cca605a613a9f1b Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Wed, 18 Dec 2024 18:54:20 +0200
Subject: [PATCH] Remove set bind permissions

---
 CHANGELOG.md | 5 +++++
 cmd/grafana-agent/Dockerfile | 3 +--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d414c0ce3fe..0947c06dd100 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,11 @@ Main (unreleased)
 - Upgrade `github.com/goccy/go-json` to v0.10.4, which reduces the memory consumption of an Agent instance by 20MB. If Agent is running certain otelcol components, this reduction will not apply. (@ptodev)
+
+### Other changes
+
+- Remove setcap for `cap_net_bind_service` to allow Agent to run in restricted environments.
+ Modern container runtimes allow binding to unprivileged ports as non-root. (@ptodev)
 v0.43.4 (2024-11-25)
 -----------------
diff --git a/cmd/grafana-agent/Dockerfile b/cmd/grafana-agent/Dockerfile
index 558f3f96629b..fad889abab9f 100644
--- a/cmd/grafana-agent/Dockerfile
+++ b/cmd/grafana-agent/Dockerfile
@@ -41,7 +41,7 @@ LABEL org.opencontainers.image.source="https://github.com/grafana/agent"
 # Install dependencies needed at runtime.
 RUN <<EOF
 apt-get update
- apt-get install -qy libsystemd-dev tzdata ca-certificates libcap2-bin
+ apt-get install -qy libsystemd-dev tzdata ca-certificates
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 EOF
@@ -53,7 +53,6 @@ RUN groupadd --gid $UID $USERNAME
 RUN useradd -m -u $UID -g $UID $USERNAME
 RUN chown -R $USERNAME:$USERNAME /etc/agent
 RUN chown -R $USERNAME:$USERNAME /bin/grafana-agent
-RUN setcap 'cap_net_bind_service=+ep' /bin/grafana-agent
 ENTRYPOINT ["/bin/grafana-agent"]
 ENV AGENT_DEPLOY_MODE=docker
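Review bot: Dropping the `setcap` line in the second Dockerfile hunk removes the only file capability on `/bin/grafana-agent`, so when the image runs as the non-root `$USERNAME` created just above (any `USER` directive is outside the hunk) a bind to a port below 1024 will fail unless the runtime itself permits it, and nothing in the Dockerfile records that assumption. Docker lowers `net.ipv4.ip_unprivileged_port_start` for containers on recent versions, but other runtimes and Kubernetes nodes may not, so this is a potentially breaking change for deployments that listen on a privileged port rather than the "other change" the changelog hunk labels it. Reducing the binary's ambient privilege is the right direction; the operator-facing fix is to grant `NET_BIND_SERVICE` at deploy time (`--cap-add` or the pod `securityContext`) or to use a port at or above 1024. I would add above `ENTRYPOINT`: `# No file capabilities are set on the binary: binding ports <1024 as the non-root user depends on the runtime (net.ipv4.ip_unprivileged_port_start) or on NET_BIND_SERVICE granted at deploy time.`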