feat: don't drop capabilities if kexec is disabled

It is needed for advanced use cases like Docker-in-Docker, our CI, etc. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
2026-05-05 20:36:18 +02:00 · 2021-10-05 13:19:20 +00:00 · 2021-10-05 13:19:20 +00:00 · 423861cf9f
commit 423861cf9f
parent facc8c38a0
3 changed files with 29 additions and 7 deletions
--- a/hack/release.toml
+++ b/hack/release.toml
@ -36,11 +36,31 @@ On bare-metal hardware BIOS POST process might take 10-15 minutes, so Talos rebo

 Kexec support can be disabled with the following change to the machine configuration:

-```
+```yaml
 machine:
  sysctls:
    kernel.kexec_load_disabled: "1"
 ```
+"""
+
+    [notes.caps]
+        title = "Kexec and capabilities"
+        description = """\
+When kexec support is disabled (see `Reboots via kexec`),
+Talos no longer drops Linux capabilities (`CAP_SYS_BOOT` and `CAP_SYS_MODULES`) for child processes.
+That is helpful for advanced use-cases like Docker-in-Docker.
+
+If you want to permanently disable kexec and capabilities dropping, pass `kexec_load_disabled=1` argument to the kernel.
+For example:
+
+```yaml
+install:
+  extraKernelArgs:
+    - kexec_load_disabled=1
+```
+
+Please note that capabilities are dropped before machine configuration is loaded,
+so disabling kexec via `machine.sysctls` (like in the section `Reboots via kexec`) will not be enough.
 """

    [notes.kubespan]
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@ -241,6 +241,13 @@ func SetRLimit(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFun
 // DropCapabilities drops some capabilities so that they can't be restored by child processes.
 func DropCapabilities(seq runtime.Sequence, data interface{}) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
+		prop, err := kernel.ReadParam(&kernel.Param{Key: "kernel.kexec_load_disabled"})
+		if v := strings.TrimSpace(string(prop)); err == nil && v != "0" {
+			logger.Printf("kernel.kexec_load_disabled is %v, skipping dropping capabilities", v)
+
+			return nil
+		}
+
 		// Disallow raising ambient capabilities (ever).
 		secbits := cap.GetSecbits()
 		secbits |=
--- a/pkg/kernel/kspp/kspp.go
+++ b/pkg/kernel/kspp/kspp.go
@ -46,7 +46,7 @@ func EnforceKSPPKernelParameters() error {
 	return result.ErrorOrNil()
 }

-// GetKernelParams returns the list of KSPP kernels.
+// GetKernelParams returns the list of KSPP kernel parameters.
 func GetKernelParams() []*kernel.Param {
 	return []*kernel.Param{
 		{
@ -61,11 +61,6 @@ func GetKernelParams() []*kernel.Param {
 			Key:   "kernel.perf_event_paranoid",
 			Value: "3",
 		},
-		// We can skip this kernel because CONFIG_KEXEC is not set.
-		// {
-		// 	Key:   "kernel.kexec_load_disabled",
-		// 	Value: "1",
-		// },
 		{
 			Key:   "kernel.yama.ptrace_scope",
 			Value: "1",