Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Debian-based images "cannot enable executable stack as shared object requires" #82

Closed
francoislaurent opened this issue Jun 22, 2023 · 4 comments
Closed

Debian-based images "cannot enable executable stack as shared object requires" #82

francoislaurent opened this issue Jun 22, 2023 · 4 comments

Comments

@francoislaurent
Copy link

francoislaurent commented Jun 22, 2023
edited

I am probably filing this issue in the wrong place, but I need pointers and I would appreciate any help.

The problem:

docker run --rm julia:1.9.1-bookworm julia --version
ERROR: Unable to load dependent library /usr/local/julia/bin/../lib/julia/libopenlibm.so
Message:/usr/local/julia/bin/../lib/julia/libopenlibm.so: cannot enable executable stack as shared object requires: Permission denied

Similarly:

docker run --rm julia:1.8.5-bullseye julia --version
julia: error while loading shared libraries: libjulia.so.1: cannot enable executable stack as shared object requires: Permission denied

No earlier than 3 weeks ago, the 1.8.5-bullseye image worked fine. I have updated the host system (openSUSE microOS) multiple times since then. The issue affects Docker, Podman and Buildah (build command). EDIT: ..and Apptainer.

Interestingly, an Alpine-based image still works fine:

docker run --rm julia:1.9.1-alpine3.18 julia --version
julia version 1.9.1

I do not have issues on another OS (Ubuntu:20.04), same Docker version (24.0.2). The kernels are fairly different though:

@microOS>$ uname -r
6.3.7-1-default
@ubuntu>$ uname -r
5.14.0-1048-oem

Another difference I am aware of is nvidia-container-toolkit installed on the microOS system only.

Clearly the issue comes from a common dependency of Docker, Podman and Buildah. EDIT2: Or a new SELinux rule?
I am still confused as to why only Debian-based Julia images are affected. Debian-based Python and Rust images work fine, for example.

Has anyone hit a similar problem on another OS? Should I report this to the openSUSE community?
@yosifkit
Copy link
Member

This sounds similar to docker-library/redis#365 and docker-library/python#837. The default Debian just moved from Bullseye to Bookworm. So the root cause is likely libseccomp: docker-library/python#837 (comment).

You can continue to use the *-bullseye images since for julia, we support and build images for the two latest stable releases of each distribution, so Debian Bookworm and Bullseye and Alpine 3.18 and 3.17.

@francoislaurent
Copy link
Author

Thanks for the pointer. *-bullseye images did not work, though.

I have found a "fix" that consists in running sudo semanage boolean --modify --on selinuxuser_execstack on the host. Of course, I would prefer not to relax host security, nor suggest anyone to do so.

@tianon
Copy link
Member

tianon commented Dec 15, 2023

Sorry for the delay 😭

I guess this is an SELinux denial then? That's not something we can really fix in the image, and I'm not familiar enough with SELinux to suggest a more secure way to bypass this than disabling it as you've done, unfortunately. 😞

@yosifkit
Copy link
Member

Closing since there is not anything that can be done in the image to mitigate an SELinux denial.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tianon @yosifkit @francoislaurent