Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtime/cgo: pthread_create failed: Operation not permitted #467

Closed
michaeljs1990 opened this issue Jun 15, 2023 · 13 comments
Closed

runtime/cgo: pthread_create failed: Operation not permitted #467

michaeljs1990 opened this issue Jun 15, 2023 · 13 comments

Comments

@michaeljs1990
Copy link

michaeljs1990 commented Jun 15, 2023
edited
Loading

All of a sudden today in CI on the docker 1.20 image I am getting this error. In general the OS hasn't mattered to me since I'm not installing anything in the container however over the past week all of these bookworm upgrades have broken multiple things. This has been an absolute pain. I pinned back to bullseye to fix the issue.

runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort
PC=0x7f[29](https://gitlab.com/michaeljs1990/-/jobs/4480933541#L29)9d101ccc m=0 sigcode=18446744073709551610
goroutine 0 [idle]:
runtime: g 0: unknown pc 0x7f299d101ccc
stack: frame={sp:0x7ffc0e570a[30](https://gitlab.com/michaeljs1990/-/jobs/4480933541#L30), fp:0x0} stack=[0x7ffc0dd71eb0,0x7ffc0e570ec0)
0x00007ffc0e570930:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570940:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570950:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570960:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570970:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570980:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570990:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709a0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709b0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709c0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709d0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709e0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709f0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a00:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a10:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a20:  0x0000000000000000  0x00007f299d101cbe 
0x00007ffc0e570a30: <0x0000000000000000  0x723d2808a3ffd900 
0x00007ffc0e570a40:  0x0000000000000006  0x00007f299d075b80 
0x00007ffc0e570a50:  0x0000000000000001  0x00007ffc0e570d00 
0x00007ffc0e570a60:  0x0000000000e69fa0  0x00007f299d0b2ef2 
0x00007ffc0e570a70:  0x00007f299d24ae70  0x00007f299d09d472 
0x00007ffc0e570a80:  0x0000000000000020  0x0000000000000000 
0x00007ffc0e570a90:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570aa0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ab0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ac0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ad0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ae0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570af0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570b00:  0x00007f299d075b80  0x00007f299d0f480a 
0x00007ffc0e570b10:  0x00007f299d24a840  0x723d2808a3ffd900 
0x00007ffc0e570b20:  0x00007f299d24a840  0x00007f299d24a840 
runtime: g 0: unknown pc 0x7f299d101ccc
stack: frame={sp:0x7ffc0e570a30, fp:0x0} stack=[0x7ffc0dd71eb0,0x7ffc0e570ec0)
0x00007ffc0e570930:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570940:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570950:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570960:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570970:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570980:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570990:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709a0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709b0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709c0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709d0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709e0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e5709f0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a00:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a10:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570a20:  0x0000000000000000  0x00007f299d101cbe 
0x00007ffc0e570a30: <0x0000000000000000  0x723d2808a3ffd900 
0x00007ffc0e570a40:  0x0000000000000006  0x00007f299d075b80 
0x00007ffc0e570a50:  0x0000000000000001  0x00007ffc0e570d00 
0x00007ffc0e570a60:  0x0000000000e69fa0  0x00007f299d0b2ef2 
0x00007ffc0e570a70:  0x00007f299d24ae70  0x00007f299d09d472 
0x00007ffc0e570a80:  0x0000000000000020  0x0000000000000000 
0x00007ffc0e570a90:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570aa0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ab0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ac0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ad0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570ae0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570af0:  0x0000000000000000  0x0000000000000000 
0x00007ffc0e570b00:  0x00007f299d075b80  0x00007f299d0f480a 
0x00007ffc0e570b10:  0x00007f299d24a840  0x723d2808a3ffd900 
0x00007ffc0e570b20:  0x00007f299d24a840  0x00007f299d24a840 
goroutine 1 [running]:
runtime.systemstack_switch()
	/usr/local/go/src/runtime/asm_amd64.s:463 fp=0xc000042780 sp=0xc000042778 pc=0x4672c0
runtime.main()
	/usr/local/go/src/runtime/proc.go:170 +0x6d fp=0xc0000427e0 sp=0xc000042780 pc=0x43942d
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000427e8 sp=0xc0000427e0 pc=0x4694e1
rax    0x0
rbx    0x1
rcx    0x7f299d101ccc
rdx    0x6
rdi    0x1
rsi    0x1
rbp    0x7f299d075b80
rsp    0x7ffc0e570a30
r8     0x0
r9     0x73
r10    0x8
r11    0x246
r12    0x6
r13    0x7ffc0e570d00
r14    0xe69fa0
r15    0x1
rip    0x7f299d101ccc
rflags 0x246
cs     0x[33](https://gitlab.com/michaeljs1990/-/jobs/4480933541#L33)
fs     0x0
gs     0x0
@yosifkit
Copy link
Member

I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.

@rizkyekoputra
Copy link

got the same issue using golang:1.20 since yesterday, some of operation not permitted

#16 0.231 make: mkdir: Operation not permitted
#16 0.231 make: /bin/sh: Operation not permitted
#16 0.232 make: pwd: Operation not permitted
#16 0.232 make: cat: Operation not permitted
#16 0.232 make: date: Operation not permitted
#16 0.232 make: git: Operation not permitted
#16 0.232 make: /bin/sh: Operation not permitted
#16 0.232 make: pwd: Operation not permitted
#16 0.233 make: cat: Operation not permitted
#16 0.233 make: date: Operation not permitted
#16 0.233 make: git: Operation not permitted
#16 0.233 make: /bin/sh: Operation not permitted

@jame-developer
Copy link

same issue here with golang:1.20.5 but golang:1.20.5-bullseye is working

@ffjlabo
Copy link

ffjlabo commented Jun 19, 2023

Same issue occured with golang:1.19 👀

Maybe it's because of this fix?
cd60713

@tianon
Copy link
Member

tianon commented Jun 20, 2023

Yep, definitely seccomp failures:

I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.

@yosifkit
Copy link
Member

Root cause: it is Docker with libseccomp; a newer syscall used in Debian Bookworm packages/libs is being blocked.

libseccomp lets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known to libseccomp or docker are blocked).

  • verify that it is libseccomp by running the Bookworm-based image with --security-opt seccomp=unconfined
  • one fix:
    • update libseccomp and docker on the host running the containers
  • one workaround:
    • switch to the *bullseye images (in the golang images, these will continue to be maintained/updated until the earliest of the respective Golang end of life or the next Debian release, Debian Trixie)

@yosifkit yosifkit mentioned this issue Jun 22, 2023
Closed
@michaeljs1990
Copy link
Author

michaeljs1990 commented Jun 23, 2023
edited
Loading

I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.

Sadly we were running a fairly recent OS everywhere except our CI machines. Guess it's time for an upgrade :) thanks for the explanation!

Since this is related to the host machine and not the docker image I'm not sure how relevant this ticket is. I'll leave it open but feel free to close it out since it doesn't seem like their is anything to be done on the docker image side.

@zmarano zmarano mentioned this issue Jun 26, 2023
Merged
@wu0407
Copy link

wu0407 commented Jun 28, 2023

sloved by upgrate to docker 20.10.24

This was referenced Jul 12, 2023
Closed
Closed
@ejain
Copy link

ejain commented Jul 19, 2023

Stuck with an older version of Docker, but switching to a "-bullseye" image (as suggested by @yosifkit above) solved the issue for us (for now).

@eoos

This comment was marked as spam.

Sign in to view
@nikita-vanyasin nikita-vanyasin mentioned this issue Aug 7, 2023
Merged
@jmattheis jmattheis mentioned this issue Sep 1, 2023
Closed
12 tasks
@RainbowDashy RainbowDashy mentioned this issue Oct 31, 2023
Closed
@nilaonai
Copy link

nilaonai commented Nov 1, 2023

it really useful wen is upgrade the docker engine version to the newest.
if you can't upgrade docker or other limitation, you can replace the runtime for the same result.

@ShakeFake

This comment was marked as spam.

Sign in to view
@phdelodder phdelodder mentioned this issue Nov 24, 2023
Open
@llhuii llhuii mentioned this issue Dec 12, 2023
Open
@tianon
Copy link
Member

tianon commented Dec 15, 2023

#467 (comment)

@tianon tianon closed this as completed Dec 15, 2023
@korniltsev korniltsev mentioned this issue Dec 15, 2023
Open
@willdurand willdurand mentioned this issue Jan 9, 2024
Closed
@pablomendezroyo pablomendezroyo mentioned this issue Jan 16, 2024
Merged
@songkq songkq mentioned this issue Jan 25, 2024
Open
5 tasks
@wangeguo wangeguo mentioned this issue Jan 26, 2024
Closed
@jelemux jelemux mentioned this issue Jan 29, 2024
Closed
@vinayakankugoyal vinayakankugoyal mentioned this issue Feb 6, 2024
Merged
4 tasks
@vinayakankugoyal vinayakankugoyal mentioned this issue Feb 21, 2024
Closed
2 tasks
@purelind purelind mentioned this issue Feb 26, 2024
Merged
@juan131 juan131 mentioned this issue Mar 6, 2024
Closed
@ashiqueps ashiqueps mentioned this issue Apr 2, 2024
Merged
11 tasks
@oumkale oumkale mentioned this issue Apr 12, 2024
Open
@bbernhard bbernhard mentioned this issue Apr 18, 2024
Closed
2 tasks
neomorphic added a commit to connectome-neuprint/neuprint-cm that referenced this issue Apr 19, 2024
@neomorphic
Changes GO build parameters and base image.
d2d1d6c 
Had to switch to golang:1.20-bullseye base image and disable CGO in
order to get the images to work on the target host when building on
linux build hosts. See docker-library/golang#467
@purelind purelind mentioned this issue Apr 22, 2024
Draft
@LeNguyenGiaBao LeNguyenGiaBao mentioned this issue May 9, 2024
Open
@yosifkit yosifkit mentioned this issue May 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests