[release/1.2 backport] Pin to libseccomp 2.3.3

[hakman]

Besides the fact that lib seccomp 2.4 has huge performance regressions, it also breaks support for older distros like Debian 9 and RHEL/CentOS 7, as discussed in #4008.
This change pins to 2.3.3 where that is not an issue.

Fixes #4008.

(cherry picked from commits b5f03ea and 75d0c5f)
Signed-off-by: Ciprian Hacman ciprian.hacman@sematext.com

[Zyqsempai]

LGTM

[hakman]

@crosbymichael @thaJeztah seems that something is missing though:

Summarizing 1 Failure:
7110
7111[Fail] [k8s.io] Container runtime should support basic operations on container [It] runtime should support listing container stats [Conformance] 
7112/home/travis/gopath/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/container.go:569
7113
7114Ran 71 of 78 Specs in 49.854 seconds
7115FAIL! -- 70 Passed | 1 Failed | 0 Pending | 7 Skipped
7116
7117
7118Ginkgo ran 1 suite in 49.906109744s
7119Test Suite Failed
7120--- FAIL: TestCRISuite (49.91s)
7121    cri_test.go:130: Failed to run tests in parallel: exit status 1
7122FAIL

[estesp]

I'm at a loss for why there are CRI test failures based on this PR. I don't see that the same things happened in master when libseccomp was pinned. Any ideas @Random-Liu?

[hakman]

Looks like it's not a flake. It consistently fails on:
[Fail] [k8s.io] Container runtime should support basic operations on container [It] runtime should support listing container stats [Conformance]

[cpuguy83]

This doesn't seem like the right comment.

[estesp]

That's a mistake in master from the original commit. I just opened a PR to fix.

[cpuguy83]

Ah on my phone didn't notice this was a backport.

[cpuguy83]

Ah on my phone didn't notice this was a backport.

[hakman]

Fixed the comment also. Thanks :)

[hakman]

@estesp I see the same test failure here: #4024.

[thaJeztah]

Just to confirm; this holds back the version of libseccomp at compile time, so that the binary produced doesn't use the new seccomp_api_set feature, which is needed to allow compiling a binary to be compatible with both systems having libseccomp 2.3 and systems running libseccomp 2.4, correct?

[hakman]

@thaJeztah that is correct.

[thaJeztah]

LGTM

thanks; I know there's been some confusion about this in the past 😅

[hakman]

No problem. Thanks for looking into it. Any thoughts on when a new release could be expected?

[thaJeztah]

No idea yes, but likely soon, to address #4023

[hakman]

Sounds good. Looking forward to see these issues fixed.

[codecov-io]

Codecov Report

Merging #4015 into release/1.2 will increase coverage by 3.18%.
The diff coverage is n/a.

@@               Coverage Diff               @@
##           release/1.2    #4015      +/-   ##
===============================================
+ Coverage           41%   44.19%   +3.18%     
===============================================
  Files               70      100      +30     
  Lines             9537    10847    +1310     
===============================================
+ Hits              3911     4794     +883     
- Misses            5061     5313     +252     
- Partials           565      740     +175

Flag	Coverage Δ
#linux	47.87% <ø> (?)
#windows	41% <ø> (ø)	⬆️

Impacted Files	Coverage Δ
mount/temp_unix.go	0% <0%> (ø)
sys/reaper_linux.go	0% <0%> (ø)
services/server/server_linux.go	0% <0%> (ø)
sys/env.go	100% <0%> (ø)
sys/stat_unix.go	0% <0%> (ø)
runtime/v2/shim/shim_unix.go	0% <0%> (ø)
sys/reaper.go	0% <0%> (ø)
sys/fds.go	0% <0%> (ø)
sys/proc.go	0% <0%> (ø)
sys/mount_linux.go	0% <0%> (ø)
... and 26 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c2383a5...a7c9b76. Read the comment docs.

[hakman]

All tests are passing now, after kubernetes-sigs/cri-tools#574 was merged.

[estesp]

LGTM