MKOSI container issue #121

Closed
Adam-pi3 opened this issue Oct 19, 2021 · 3 comments · Fixed by #122

@Adam-pi3
Collaborator

Hi @vt-alt, can you take a look at the newest issue, which breaks mkosi in a container environment:

https://github.com/openwall/lkrg/runs/3943837886

Thanks,
Adam

@Adam-pi3 Adam-pi3 assigned Adam-pi3 and vt-alt and unassigned Adam-pi3 Oct 19, 2021
@vt-alt
Contributor

vt-alt commented Oct 20, 2021

This is not mkosi related Docker based builds (for multiple distros). Perhaps, there is some issue with alt:sisyphus docker image. I will investigate further. Thanks.

@vt-alt
Contributor

vt-alt commented Oct 20, 2021

This seems related to the glibc update (to 2.34) and the Docker seccomp policy. Related bugs:

[root@bda6b6485151 /]# curl google.com
curl: (6) getaddrinfo() thread failed to start
[root@bda6b6485151 /]# strace -e clone3 curl google.com
clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f30b7df6910, parent_tid=0x7f30b7df6910, exit_signal=0, stack=0x7f30b75f6000, stack_size=0x7ffe00, tls=0x7f30b7df6640}, 88) = -1 EPERM (Operation not permitted)
curl: (6) getaddrinfo() thread failed to start
+++ exited with 6 +++

vt-alt added a commit to vt-alt/lkrg that referenced this issue Oct 20, 2021
When target system updated to glibc-2.34 (as for ALT Linux) it starts
to use new syscall `clone3', which is not enabled in Docker seccomp
filter, causing run failures. GA issue [1].

Disable Docker seccomp filtering since we are in throwable virtual
environment anyway and don't need that protection.

Link: actions/runner-images#3812 [1]
Fixes: lkrg-org#121
Signed-off-by: Vitaly Chikunov <[email protected]>
@Adam-pi3
Collaborator Author

Thanks @vt-alt for root-causing it :)

Adam-pi3 pushed a commit that referenced this issue Oct 21, 2021
When target system updated to glibc-2.34 (as for ALT Linux) it starts
to use new syscall `clone3', which is not enabled in Docker seccomp
filter, causing run failures. GA issue [1].

Disable Docker seccomp filtering since we are in throwable virtual
environment anyway and don't need that protection.

Link: actions/runner-images#3812 [1]
Fixes: #121
Signed-off-by: Vitaly Chikunov <[email protected]>
@solardiz solardiz added the testing A testing task or issue (e.g., with CI) label Dec 29, 2021
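
Added example (not part of the issue thread or of LKRG's code): a small audit of a Docker-format seccomp profile that reports what a `clone3` call would receive, for cases where the filter should stay enabled instead of being turned off. It relies on background not stated in the thread, namely that glibc retries with `clone` when `clone3` returns ENOSYS but not when it returns EPERM; both profiles are constructed samples and the function names are hypothetical.

```python
import json

# Linux errno numbers; seccomp profiles use these regardless of the audit host.
LINUX_ERRNO = {1: "EPERM", 38: "ENOSYS"}

# Constructed sample profiles in Docker's seccomp JSON format (not from the issue).
DENY_BY_DEFAULT = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["clone", "read", "write"], "action": "SCMP_ACT_ALLOW"}]}
""")
ENOSYS_FOR_CLONE3 = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["clone", "read", "write"], "action": "SCMP_ACT_ALLOW"},
              {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38}]}
""")


def clone3_outcome(profile):
    """Return (action, errno_name) that a clone3 call gets under `profile`.

    Simplification: per-rule conditions ("args", "includes", "excludes") are
    ignored, so the first rule naming clone3 is treated as unconditional.
    """
    action = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    ret = profile.get("defaultErrnoRet", 1)  # ERRNO without a value means EPERM
    for rule in profile.get("syscalls", []):
        if "clone3" in rule.get("names", []):
            action, ret = rule["action"], rule.get("errnoRet", 1)
            break
    if action != "SCMP_ACT_ERRNO":
        return action, None
    return action, LINUX_ERRNO.get(ret, str(ret))


def verdict(profile):
    """Classify the profile for a glibc 2.34 userland."""
    action, err = clone3_outcome(profile)
    if action in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG"):
        return "ok: clone3 is allowed"
    if err == "ENOSYS":
        return "ok: clone3 returns ENOSYS, glibc falls back to clone"
    return f"broken: clone3 -> {action} {err or ''}".rstrip() + ", threads fail to start"


if __name__ == "__main__":
    for name in ("DENY_BY_DEFAULT", "ENOSYS_FOR_CLONE3"):
        print(name, "=>", verdict(globals()[name]))
```

The first sample reproduces the EPERM seen in the strace output above; the second keeps the filter in place while letting thread creation succeed.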