I have a docker container, in which I’m running the following cron job:

SHELL=/bin/bash
BASH_ENV=/container.env
*/1 * * * * find ${CLONE_DIR} -mmin +10 -exec rm -fr {} \; >> /var/log/cronjob.log 2>&1

The cronjob works perfectly in my local environment (i.e. using docker-compose to launch the container).

In my production environment I use k8s and remove all capabilities from the container:

securityContext:
  capabilities:
    drop:
    - ALL

Which results in the job not running at all.

Checklist:

  • I verified that cron service is running.
  • No errors in the cron script.
  • crontab -l lists the job

I’ve tested the container with and without capabilities and can verify that with them it works, and without them it doesn’t. Therefore, I think this is the problem.

What capability should I add to my container in order for this to work?
Thanks for your help and attention.

Answers


  1. Chosen as BEST ANSWER

    The missing capability was: CAP_SETGID


  2. For me (docker 20.10.22), it worked by allowing:

    • CAP_SETGID
    • DAC_OVERRIDE

    If you don’t have a k8s environment to test, you can test locally this way:

    docker run --cap-drop ALL --cap-add SETGID --cap-add DAC_OVERRIDE image
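
Added example (not part of either answer): a shell check that decodes an effective-capability mask and reports whether the two capabilities named in the answers are present, so the local `docker run` test and the production pod can be compared directly. The function names and the sample masks are constructed for illustration; the bit numbers come from `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example: report which capabilities named in the answers are set in an
# effective-capability mask (the CapEff field of /proc/<pid>/status).

# Bit numbers as defined in <linux/capability.h>.
cap_bit() {
    case "$1" in
        DAC_OVERRIDE) echo 1 ;;
        SETGID)       echo 6 ;;
        SETUID)       echo 7 ;;
        *)            return 1 ;;
    esac
}

# has_cap HEXMASK NAME -> exit status 0 if NAME's bit is set in HEXMASK.
has_cap() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# current_capeff -> hex CapEff of the calling shell.
current_capeff() {
    awk '/^CapEff:/ {print $2}' "/proc/$$/status"
}

# report HEXMASK -> one line per capability from the answers.
report() {
    for cap in SETGID DAC_OVERRIDE; do
        if has_cap "$1" "$cap"; then
            echo "$cap present"
        else
            echo "$cap missing"
        fi
    done
}

# Constructed sample masks (not taken from the page).
MASK_DROP_ALL=0000000000000000        # everything dropped
MASK_ANSWER=0000000000000042          # ALL dropped, SETGID + DAC_OVERRIDE added
MASK_DOCKER_DEFAULT=00000000a80425fb  # typical Docker default capability set

# Inside the container, report on the live process as well.
if [ -r "/proc/$$/status" ]; then
    report "$(current_capeff)"
fi
```

Run it in a container started with the same `securityContext` (or the same `--cap-drop`/`--cap-add` flags) as the cron container. In a Kubernetes manifest the capability names are written without the `CAP_` prefix, for example `SETGID`.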
