Docker seccomp policy incompatible with glibc 2.34

[fweimer-rh]

Description

glibc 2.34 will try to use clone3 if available to enable hardware-assisted security hardening on recent x86-64 CPUs. Presently this does not work in Azure DevOps and Github Actions because the clone3 system call is blocked by seccomp policy.

This issue may have been introduced by a Moby update to a version that includes moby/moby#41889. Before that, the ENOSYS kludge added in opencontainers/runc#2750 should have prevent this failure.

For actions that run docker create, it is possible to workaround this by specifying --security-opt seccomp=unconfined, but no such option exists for docker build for some reason. (See moby/moby#34454.)

Virtual environments affected

• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 20.04
• macOS 10.15
• macOS 11
• Windows Server 2016
• Windows Server 2019

Image version and build link

Azure DevOps

Environment: ubuntu-20.04
Version: 20210718.1
Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20210718.1/images/linux/Ubuntu2004-README.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20210718.1
Current image version: '20210718.1'
Agent running as: 'vsts'

https://dev.azure.com/dnceng/public/_build/results?buildId=1259364&view=logs&j=91749cbd-6d9d-54ec-5351-cfcf55a8b75c&t=8f482fb7-2227-41c9-9817-1c0d425d6aed&l=6

Github Actions

   Environment: ubuntu-20.04
  Version: 20210718.1
  Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20210718.1/images/linux/Ubuntu2004-README.md
  Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20210718.1

https://github.com/freeipa/freeipa-container/runs/3163951309

Is it regression?

No response

Expected behavior

clone3 should succeed or fail with ENOSYS. In the latter case, glibc will transparently use a fallback mechanism

Actual behavior

clone3 fails with EPERM, causing thread creation to fail.

Typical error messages for Fedora are:

Errors during downloading metadata for repository 'rawhide':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64 [getaddrinfo() thread failed to start]

Or with the Python reproducer below:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.10/threading.py", line 928, in start
    _start_new_thread(self._bootstrap, ())
RuntimeError: can't start new thread

Repro steps

For testing purposes, Fedora rawhide (registry.fedoraproject.org/fedora:rawhide) already contains a glibc 2.34 snapshot which uses clone3 (with a fallback to clone if clone3 fails with ENOSYS). For example, this command should print 123:

$ docker run registry.fedoraproject.org/fedora:rawhide python3 -c 'import threading; threading.Thread(None, lambda: print(123)).start()'
123

EDIT Command fixed to use the Fedora registry.

[Darleev]

Hello @fweimer-rh,
We will investigate this issue.

[omajid]

@wfurt @mthalman @MichaelSimons this is the issue that we were seeing in dotnet/dotnet-buildtools-prereqs-docker#484

[dsame]

@fweimer-rh the repro build prints 123
https://github.com/dsame/actions-demo/runs/3200712143?check_suite_focus=true

In my understanding this means the docker implementation currently used by github actions on ubuntu 20.04 allows glibc 2.34 bundled with the fedora:rawhide handles clone3 return code in the proper way.

Can you please clarify what pipeline problem we expected to fix from out side?

[fweimer-rh]

Sorry about that. It looks like your docker binary does not do alias matching for fedora, so it goes to the Docker hub, where fedora:rawhide is something else (presumably mirrored from the Fedora registry occasionally). Try this command instead:

docker run registry.fedoraproject.org/fedora:rawhide python3 -c 'import threading; threading.Thread(None, lambda: print(123)).start()'

Perhaps also log the glibc version to be sure:

docker run registry.fedoraproject.org/fedora:rawhide rpm -q glibc

[dsame]

@fweimer-rh
ok, but it is still unclear what should be done from the github actions side.

Firstly the snipped can be modified to run
docker run --security-opt seccomp=unconfined registry.fedoraproject.org/fedora:rawhide python3 -c 'import threading; threading.Thread(None, lambda: print(123)).start()'

Do you want us to change default seccomp profile? Should not this request to be addressed to Moby team? Honestly i can hardly imagine how we can change the docker virtualisation model from the moby codebase outside.

[fweimer-rh]

--security-opt seccomp=unconfined is not available for the docker build command, so users can't really work around this. The system-wide policy has to be changed for that.

I noticed that you do not use the docker.io packages from Ubuntu, so I assumed you were crafting your own thing.

[dsame]

@fweimer-rh github actions used moby "as is" without further tweaking

https://github.com/actions/virtual-environments/blob/main/images/linux/scripts/installers/docker-moby.sh

This is why it would be more efficient to address the issue to the Moby team: https://github.com/moby/moby/issues

[fweimer-rh]

@dsame The script doesn't show the repository being used, and some log output contains a +azure marker in version strings.

Anyway, based on what you are saying, the images should inherit the fix in moby/moby#42680 in due course then? Thanks!

[dsame]

@fweimer-rh yes, of course, the PR merged into the moby repo is to be deployed to the azure actions images

[gotmax23]

Would it be possible to backport the aforementioned PR into the Azure Moby package that Github Runners use?

[junghans]

Same issue now on ubuntu:devel (e.g. see https://github.com/kokkos/ci-containers/runs/3628868286)

[vt-alt]

Docker images with distributions which contain glibc-2.34 just doesn't work on GA.
Where should we report if not here?

[pascallj]

@vt-alt The problem is well known by now and there is no need to bug the developers anymore. A fix is in the pipeline for Docker.

Your distro maintainer might include a temporary fix for Glibc like Ubuntu has done with Ubuntu Impish. But rolling distros tend to not do those things. It isn't their problem anyway.

And if you want to run your GitHub Actions with a Ubuntu 20.04 or 21.04 base and a Docker image which isn't patched, there are some (temporary) solutions posted in the comments above and in the linked issues.

[gotmax23]

@vt-alt The problem is well known by now and there is no need to bug the developers anymore. A fix is in the pipeline for Docker.

I already submitted a patch for Fedora's moby-engine packages2, and I believe @pascallj has done the same for Ubuntu's packages. I asked Github to patch their Docker packages about a month and a half ago1. There's not much I can do, because Github uses different Docker packages that are provided by Microsoft.

Thanks,
Maxwell

[vt-alt]

@pascallj @gotmax23 Thanks, that's good to know!