From 3110846e4145789dd7003e9d3504168c5372a196 Mon Sep 17 00:00:00 2001
From: James Strong
Date: Thu, 3 Nov 2022 11:38:42 -0400
Subject: [PATCH] debug

Signed-off-by: James Strong
---
 distroless-build/Makefile | 4 ++--
 distroless-build/melange/nginx-debug.yaml | 4 +---
 internal/net/net.go | 27 +++++------------------
 3 files changed, 9 insertions(+), 26 deletions(-)

diff --git a/distroless-build/Makefile b/distroless-build/Makefile
index 080113b1d..12ecf3298 100644
--- a/distroless-build/Makefile
+++ b/distroless-build/Makefile
@@ -30,13 +30,13 @@ MELANGE_DIR ?= melange
 APKO_DIR ?= apko
 MELANGE ?= docker run --rm --privileged -w /work -v "${PWD}":/work distroless.dev/melange:latest
 MELANGE_DETACHED ?= docker run -d -w /work --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest
-APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:5f90a47e3144af5b529930d71eb58fc6ea0004113aa0cdb3d1da35d6065b594e
+APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:282aa9f94ed181bbe42ab3897f41687c92a86260ea0820151c9353ecfc1ae3d6
 KEY ?= melange.rsa
 REPO ?= packages
 TEMPLATE ?= melange/nginx-templates.json
 MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
 MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace
-APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
+APKO_OPTS ?= -k ${KEY}.pub --debug --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
 KEY ?= melange.rsa
 REPO ?= $(shell pwd)/packages
 ARCHS ?="amd64,arm64,arm/v6,arm/v7,s390x"
diff --git a/distroless-build/melange/nginx-debug.yaml b/distroless-build/melange/nginx-debug.yaml
index f7adc265b..f91a9ff0f 100644
--- a/distroless-build/melange/nginx-debug.yaml
+++ b/distroless-build/melange/nginx-debug.yaml
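Review bot: The new `APKO` default on the `+APKO ?=` line pins `ko.local:282aa9f9…`, an image reference that exists only in the author's local ko cache, so `make` with default variables cannot resolve it on any other machine or in CI; the previous digest had the same problem and this commit re-pins it rather than fixing it. Prefer a registry-hosted apko image referenced by repository and digest as the default, and leave `ko.local:…` as a per-developer override. Dropping `--use-docker-mediatypes` from `APKO_OPTS` is fine, but `--debug` remains in the default options; consider moving it behind an opt-in variable so default builds are quiet. The duplicated `KEY ?=` and `REPO ?=` assignments in the context lines are pre-existing, but note that `REPO ?= $(shell pwd)/packages` never takes effect because `?=` only assigns an unset variable and `REPO ?= packages` runs first.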
@@ -213,9 +213,7 @@ pipeline:
 set -o errexit
 set -o nounset
 set -o pipefail
-
- ls -lah
- ls -lah etc/nginx
+
 export BUILD_PATH="${PWD}"
 echo "BUILD_PATH $BUILD_PATH"
 echo "Arch: $(uname -m)"
diff --git a/internal/net/net.go b/internal/net/net.go
index 4bb169295..968da1eaa 100644
--- a/internal/net/net.go
+++ b/internal/net/net.go
@@ -17,12 +17,9 @@ limitations under the License.
 package net
 import (
- "errors"
 "fmt"
- "k8s.io/klog/v2"
 "kernel.org/pub/linux/libs/security/libcap/cap"
 _net "net"
- "os"
 "os/exec"
 )
@@ -66,28 +63,16 @@ func IsIPv6Enabled() bool {
 // CheckCapNetBind checks if cap_net_bind_service is set for ingress
 func CheckCapNetBind() error {
- processID := os.Getpid()
- set, err := cap.GetPID(processID)
- if err != nil {
- return err
- }
- klog.InfoS("ingress-nginx capability set %v", set.String())
+ orig := cap.GetProc()
- //check effective
- // Value 10 = NET_BIND_SERVICE
- effective, err := set.GetFlag(0, 10)
- if err != nil {
- return err
- }
+ defer orig.SetProc() // restore original caps on exit.
- //check permitted
- permitted, err := set.GetFlag(1, 10)
+ c, err := orig.Dup()
 if err != nil {
- return err
+ return fmt.Errorf("failed to read capabilitiess: %v", err)
 }
- klog.InfoS("ingress-nginx capabilities: permitted %v effective %v", permitted, effective)
- if !permitted && !effective {
- return errors.New(fmt.Sprintf("ingress-nginx capabilities: permitted %v effective %v", permitted, effective))
+ if on, _ := c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE); !on {
+ return fmt.Errorf("insufficient privilege to bind to low ports - want %q, have %q", cap.NET_BIND_SERVICE, c)
 }
 return nil