-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
i386 unstable and testing fail. #97
Comments
Looks like the This is why https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get specifically recommends against using |
That's all nice and easy; problem is the "privileged" instructions are
|
Doh, my bad, sorry! That's a hairy one. Did |
Confirmed it does work with |
Did an
Which is not great, so I redid the same
|
Ah, sorry should've done my research on |
Thanks for that; I didn't know about So I'll be waiting for a 19.03.XX. Hmm, 3.5 months so far. |
The change from moby/moby#40739 should be in the Docker 19.03.9 (and up) release, but I'm also seeing the issue on docker 19.03.12, when running docker on kernel 4.19 (docker desktop). If I run the same on a Ubuntu 20.04 machine (kernel 5.4.0-29-generic, libseccomp2 version 2.4.3-1ubuntu1), it works. I suspect the problem here is the libseccomp version on the host; these syscalls were added in kernel 5.x, and if the host is running an older kernel (and older version of libseccomp), then libseccomp doesn't know about them, and it defaults to blocking unknown syscalls (see moby/moby#40734) |
It looks like the package But the Buster backport Of course, IMO, Docker should be using a profile where unknown system calls return ENOSYS. |
It's possible to provide your own profile to use instead of the default. IIRC, the reason for blocking unknown syscalls by default is to prevent situations where a new, potentially harmful, syscall is added and the profile does not yet take that syscall into account (to either block it or to explicitly allow it). |
@thaJeztah I didn't say that unknown system calls should be allowed. They I agree they should be blocked.
If the kernel knows differently about the last one some sort of logging might be needed; but allowing it is not an option. Thinking about it I don't know that such a profile is possible; but I would expect it to be so because newer versions of syscalls tend to have more/better functionality, so it's very reasonable that the old one is fine but the new one is unsafe and should be blocked quietly so the C library will always fall back. But this is getting off topic! |
To bring this back around to a close, this is an issue with the host, specifically either/both of not quite new enough Docker and/or not quite new enough libseccomp. Specifically:
The latter is probably newer than most host distribution's stable channels have available, although in many cases available via alternative channels (such as Debian's backports). Unfortunately, this is not something we can fix in the image. 😞 |
On an amd64 host run this...
Currently
buster
andbullseye
are still working fine.The text was updated successfully, but these errors were encountered: