Running my app as below:
sudo rkt run --insecure-options=image --interactive --net=host ./myapp.aci
I get the message:
Failed to lock memory: cannot allocate memory
Which after some digging would seem to indicate that the container does not have the CAP_IPC_LOCK capability passed to it. I have dug into some of the documentation, but cannot find where I need to add configuration or any option to enable this. How do I do this?
ACIs can specify which caps they need in their manifest with an isolator of type os/linux/capabilities-retain-set.
To check if the manifest contains such an isolator, you can use actool:
$ actool cat-manifest --pretty-print ./myapp.aci
You might see the following:
"isolators": [
    {
        "name": "os/linux/capabilities-retain-set",
        "value": {
            "set": [
                "CAP_IPC_LOCK"
            ]
        }
    }
]
To add CAP_IPC_LOCK, you can use:
$ actool patch-manifest --capability=CAP_IPC_LOCK --replace ./myapp.aci
It is currently not possible to add a capability directly on the rkt run command line. I filed an issue on GitHub for this feature request: coreos/rkt#2371
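The manifest check described in the answer can also be scripted, for example to confirm which capabilities an image retains before and after patching. The following is an added example, not part of the original answer or of rkt/actool: it assumes the appc layout (a tar archive, optionally compressed, with `manifest` at its root and isolators under `app`), and the helper names and the sample image are constructed for illustration.

```python
import io
import json
import posixpath
import tarfile

RETAIN = "os/linux/capabilities-retain-set"


def read_manifest(aci_bytes):
    """Parse the image manifest stored at the root of an ACI archive."""
    # "r:*" auto-detects gzip/bzip2/xz compression or a plain tar.
    with tarfile.open(fileobj=io.BytesIO(aci_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile() and posixpath.normpath(member.name) == "manifest":
                return json.load(tar.extractfile(member))
    raise ValueError("no manifest entry at the root of the ACI")


def retained_caps(manifest):
    """Return the retain set as a sorted list, or None if the isolator is absent."""
    for iso in manifest.get("app", {}).get("isolators") or []:
        if iso.get("name") == RETAIN:
            return sorted(iso.get("value", {}).get("set", []))
    return None  # no isolator: the image does not declare a retain set


def missing_caps(aci_bytes, required):
    """List required capabilities the manifest does not explicitly retain."""
    return sorted(set(required) - set(retained_caps(read_manifest(aci_bytes)) or []))


def build_sample_aci(caps):
    """Constructed sample ACI (gzip'd tar holding only a manifest) for the demo."""
    app = {"exec": ["/bin/myapp"], "user": "0", "group": "0"}
    if caps is not None:
        app["isolators"] = [{"name": RETAIN, "value": {"set": caps}}]
    manifest = {"acKind": "ImageManifest", "acVersion": "0.8.11",
                "name": "example.com/myapp", "app": app}
    data = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("manifest")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for caps in (None, ["CAP_NET_BIND_SERVICE"], ["CAP_IPC_LOCK"]):
        print(caps, "-> missing:", missing_caps(build_sample_aci(caps), ["CAP_IPC_LOCK"]))
```

To check a real image, pass the file's bytes, e.g. `missing_caps(open("myapp.aci", "rb").read(), ["CAP_IPC_LOCK"])`.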