Remove set bind permissions

grafana · Dec 19, 2024 · 4acfc13 · 4acfc13
1 parent c4822f6
commit 4acfc13
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,11 @@ Main (unreleased)
 
 - Upgrade `github.com/goccy/go-json` to v0.10.4, which reduces the memory consumption of an Agent instance by 20MB.
   If Agent is running certain otelcol components, this reduction will not apply. (@ptodev)
+
+### Other changes
+
+- Remove setcap for `cap_net_bind_service` to allow Agent to run in restricted environments.
+  Modern container runtimes allow binding to unprivileged ports as non-root. (@ptodev)
 
 v0.43.4 (2024-11-25)
 -----------------

diff --git a/cmd/grafana-agent/Dockerfile b/cmd/grafana-agent/Dockerfile
@@ -41,7 +41,7 @@ LABEL org.opencontainers.image.source="https://github.com/grafana/agent"
 # Install dependencies needed at runtime.
 RUN <<EOF
   apt-get update
-  apt-get install -qy libsystemd-dev tzdata ca-certificates libcap2-bin
+  apt-get install -qy libsystemd-dev tzdata ca-certificates
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 EOF
 
@@ -53,7 +53,6 @@ RUN groupadd --gid $UID $USERNAME
 RUN useradd -m -u $UID -g $UID $USERNAME
 RUN chown -R $USERNAME:$USERNAME /etc/agent
 RUN chown -R $USERNAME:$USERNAME /bin/grafana-agent
-RUN setcap 'cap_net_bind_service=+ep' /bin/grafana-agent
 
 ENTRYPOINT ["/bin/grafana-agent"]
 ENV AGENT_DEPLOY_MODE=docker