Merge pull request containerd#71 from Random-Liu/fix-capabilities

Fix capabilities support.

Author: Random-Liu

pkg/server/container_start.go

@@ -477,14 +477,15 @@ func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability,
 		return nil
 	}
 
+	// Capabilities in CRI doesn't have `CAP_` prefix, so add it.
 	for _, c := range capabilities.GetAddCapabilities() {
-		if err := g.AddProcessCapability(c); err != nil {
+		if err := g.AddProcessCapability("CAP_" + c); err != nil {
 			return err
 		}
 	}
 
 	for _, c := range capabilities.GetDropCapabilities() {
-		if err := g.DropProcessCapability(c); err != nil {
+		if err := g.DropProcessCapability("CAP_" + c); err != nil {
 			return err
 		}
 	}

pkg/server/container_start_test.go

@@ -77,8 +77,8 @@ func getStartContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxC
 			},
 			SecurityContext: &runtime.LinuxContainerSecurityContext{
 				Capabilities: &runtime.Capability{
-					AddCapabilities:  []string{"CAP_SYS_ADMIN"},
-					DropCapabilities: []string{"CAP_CHOWN"},
+					AddCapabilities:  []string{"SYS_ADMIN"},
+					DropCapabilities: []string{"CHOWN"},
 				},
 				SupplementalGroups: []int64{1111, 2222},
 			},