lxc: Unknown capability perfmon

[r10r]

Deploying cilium fails with

ERROR conf - conf.c:dropcaps_except:2451 - Unknown capability perfmon

Workaround

Disable capabilities support by settingCRIO_LXC_CAPABILITIES=false in /etc/default/crio-lxc

Problem

Cri-o requests capablities that are unknown to the installed liblxc version.
Commit lxc/lxc@7b4cd46 added capabilities support for new capabilities introduced by linux 5.8 CAP_BPF and CAP_PERFMON. The forked liblxc version is not recent enough and must be upgraded.

Detailed Description

Capabilities are set by cri-o. For privileged containers e.g cilium all supported capabilities are set.
cri-o uses the library github.com/syndtr/gocapability to list all supported capabilities.

The gocapability library was updated in syndtr/gocapability#17 to support CAP_BPF and CAP_PERFMON.

cri-o then upgraded the gocapability dependency in cri-o/cri-o#4462

-       github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
+       github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635

Conclusion

• Track whether new capabilities are introduced when changing the kernel version.
• Ensure that the liblxc version is recent enough for the underlying kernel and supports all available capabilities.