Hi! I recently upgraded my Omnia from Turris OS 3 to 5 (5.1.4 to be exact) and I noticed some breakage in containers. They seem to be caused by file capabilities not being enabled for file systems. For instance:
root@container:~# getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)
This worked without issues in Turris OS 3. I guess that it's no big deal for OpenWRT/Turris OS itself (so it may be a good default for plain OWRT), but for containers it means that all kinds of contortions prone to security vulnerabilities are needed where previously a simple setcap was sufficient (like in the ping example, where it will probably end up being made setuid root).
I think it would make sense to enable file capabilities for file systems in the next OS updates (i.e. just enable support in the kernel).
Thank you very much for an excellent product and support!
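As an added example (not part of the original post or of Turris OS), a small Python helper that performs the same check getcap does and decodes the `security.capability` xattr (Linux VFS cap v1/v2/v3 layout) so a setcap'd binary can be compared against its setuid fallback. It assumes Linux `os.getxattr`; the sample xattr bytes are constructed to match a ping binary carrying `cap_net_raw=ep`.

```python
"""Check file-capability support on a filesystem and decode security.capability."""
import errno
import os
import struct

# Capability bit numbers from the Linux uapi capability header (subset).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid", 8: "cap_setpcap",
             10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
             19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x1          # permitted caps become effective at exec

def decode_vfs_caps(raw: bytes) -> dict:
    """Decode a raw security.capability value: magic, u32 pairs, optional rootid."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    pairs = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(revision)
    if pairs is None:
        raise ValueError(f"unknown vfs cap revision 0x{revision:08x}")
    permitted = inheritable = 0
    for i in range(pairs):                     # low u32 first, then high u32
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if revision == 0x03000000 else 0
    def names(mask):
        return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)
    return {"revision": revision >> 24, "permitted": names(permitted),
            "inheritable": names(inheritable), "rootid": rootid,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}

def format_caps(info: dict) -> str:
    """Render decoded caps in getcap style, e.g. 'cap_net_raw=ep'."""
    parts = []
    if info["permitted"]:
        parts.append(",".join(info["permitted"]) + "=" + ("e" if info["effective"] else "") + "p")
    if info["inheritable"]:
        parts.append(",".join(info["inheritable"]) + "=i")
    return " ".join(parts)

def file_caps_status(path: str) -> str:
    """'unsupported' reproduces the ENOTSUP failure from the post; ENODATA means supported."""
    try:
        return "supported: " + format_caps(decode_vfs_caps(os.getxattr(path, "security.capability")))
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"
        if e.errno == errno.ENODATA:
            return "supported: (no caps set)"
        raise

# Constructed sample: v2 xattr for cap_net_raw (bit 13) permitted+effective, as setcap writes it.
PING_CAPS_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
# Constructed sample: v3 layout (user-namespace aware) with rootid 100000.
PING_CAPS_XATTR_V3 = PING_CAPS_XATTR.replace(b"\x02", b"\x03", 1) + struct.pack("<I", 100000)
```

Running `file_caps_status("/usr/bin/ping")` inside a container reproduces the getcap result from the post without needing libcap installed.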