In docker, "chattr: Operation not permitted while setting flags on file"


This is related to capabilities: chattr requires CAP_LINUX_IMMUTABLE, which is disabled in Docker by default. Just add --cap-add LINUX_IMMUTABLE to the docker container start options to enable it.

Here's an example:

user@test:~$ docker run --cap-add LINUX_IMMUTABLE -it bash
bash-5.0# cd home
bash-5.0# touch test
bash-5.0# apk add e2fsprogs-extra
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/6) Installing libuuid (2.33-r0)
(2/6) Installing libblkid (2.33-r0)
(3/6) Installing libcom_err (1.44.5-r0)
(4/6) Installing e2fsprogs-libs (1.44.5-r0)
(5/6) Installing e2fsprogs (1.44.5-r0)
(6/6) Installing e2fsprogs-extra (1.44.5-r0)
Executing busybox-1.29.3-r10.trigger
OK: 15 MiB in 24 packages
bash-5.0# chattr +i test
bash-5.0# echo $?
0

Here you can read more about Linux capabilities in Docker.
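
To see which case applies inside a given container, the capability masks in /proc/<pid>/status can be decoded directly. The script below is an added example, not part of the original answer; its function names are illustrative, it relies on CAP_LINUX_IMMUTABLE being capability number 9, and any masks used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example: report whether a process holds CAP_LINUX_IMMUTABLE,
# the capability that chattr +i / +a needs.
CAP_LINUX_IMMUTABLE=9   # capability number from <linux/capability.h>

# has_cap HEXMASK BIT: succeed if BIT is set in a mask as printed in
# /proc/<pid>/status (hex, no 0x prefix). Returns 2 on malformed input.
has_cap() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask FIELD [STATUS_FILE]: print the hex mask of CapEff, CapBnd, etc.
# Defaults to the status file of the current shell.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/$$/status}"
}

# immutable_status [STATUS_FILE]: print one of
#   effective - the process holds the capability (chattr +i is allowed)
#   bounded   - in the bounding set but not effective (e.g. a non-root user)
#   dropped   - not in the bounding set; start with --cap-add LINUX_IMMUTABLE
#   unknown   - the masks could not be read
immutable_status() {
    eff=$(cap_mask CapEff "$1")
    bnd=$(cap_mask CapBnd "$1")
    if has_cap "$eff" "$CAP_LINUX_IMMUTABLE"; then
        echo effective
    elif has_cap "$bnd" "$CAP_LINUX_IMMUTABLE"; then
        echo bounded
    elif [ -n "$eff" ] && [ -n "$bnd" ]; then
        echo dropped
    else
        echo unknown
    fi
}

# Report for the current shell when /proc is available.
if [ -r "/proc/$$/status" ]; then
    echo "CAP_LINUX_IMMUTABLE: $(immutable_status)"
fi
```

A result of "dropped" corresponds to the error in the question; "bounded" means the capability is available to root in that container but the current user does not hold it.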


Author by Benjamin Berman

Updated on September 18, 2022

Comments

  • Benjamin Berman almost 2 years

    I'm ssh'ed into a local CentOS 7 docker container* and I'm trying to run

    sudo chattr +i file1
    

    but I'm getting an error:

    chattr: Operation not permitted while setting flags on file1
    

    What's going on here? What flags is it talking about? Is there a workaround?

    Changing the +i to +a also makes the command fail with that error, but when I change it to +d the command succeeds. The command also succeeds for me when I'm not ssh'ed into a docker container.

    *I'm running the CentOS 7 docker container in an Ubuntu VirtualBox VM host on top of Windows 10 (I'd like to avoid having to deal with Windows as much as possible). The ultimate goal of all of this is to test some Ansible scripts using these containers.

  • jfs about 4 years
    it produces chattr: Not a tty while reading flags on test for me.