improve seccomp notify #11082
Conversation
ec := make(chan error) | ||
stp := make(chan struct{}) | ||
|
||
handledSyscalls := mapHandler(handler) | ||
go func() { | ||
for { | ||
req, err := libseccomp.NotifReceive(fd) | ||
if err != nil { | ||
if err == syscall.ENOENT { | ||
log.WithError(err).Warn("failed to get notification beucase it has already been not valid anymore(the kernel sets that)") |
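Review bot: the warning on the last line is hard to read and has a typo ("beucase"); since this branch is exactly the case where the kernel has already invalidated the notification before it was read, say that directly, e.g. `log.WithError(err).Warn("seccomp notification no longer valid (cancelled by the kernel), skipping")`. On the line above it, `errors.Is(err, syscall.ENOENT)` is preferable to `err == syscall.ENOENT` so the branch still matches if the error is ever wrapped.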
What's the purpose of the warning?
The cause may be a query due to this error. This is to track them down.
Incidentally, libseccomp-golang also handles the error separately.
https://github.com/seccomp/libseccomp-golang/blob/c0b6cd81f16769ee69fb39d55016b98f7b232021/seccomp_internal.go#L812-L814
Description
Related Issue(s)
Fixes #9247
Precisely up to the reduction. For some reason seccomp notify is cancelled by the Linux kernel. Neither docker-compose nor runc can handle it.
We mitigate it a bit by processing it as quickly as possible.
More detail
seccomp/libseccomp-golang@3879420
How to test
open this repository and it works fine
https://github.com/appwrite/integration-for-gitpod
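As an added illustration of the error handling the notification loop in this PR needs (not the PR's own code, and it does not call libseccomp): a receive/respond loop that treats ENOENT from either step as "the kernel already cancelled this notification" and keeps going, while any other error still aborts. It goes one step beyond the diff by also covering ENOENT on the respond side, which is what a slow handler sees. `receive`, `respond` and `errDrained` are stand-ins I introduce for `libseccomp.NotifReceive`, the respond call and the `stp` channel; the event sequence in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// errDrained is a constructed stop signal; a real supervisor would select on a stop channel.
var errDrained = errors.New("source drained")

// notifyLoop drains receive and answers each notification via respond. ENOENT means
// the kernel already cancelled that notification (the target's syscall was interrupted
// or the task exited), so it is counted as skipped rather than treated as fatal; any
// other error aborts the loop. Returns (handled, skipped, err).
func notifyLoop(receive func() (uint64, error), respond func(uint64) error) (int, int, error) {
	var handled, skipped int
	for {
		id, err := receive()
		if err == nil {
			err = respond(id) // respond promptly: the id is valid only until the kernel cancels it
		}
		switch {
		case err == nil:
			handled++
		case errors.Is(err, syscall.ENOENT):
			skipped++ // cancelled before we read it, or we answered too late
		case errors.Is(err, errDrained):
			return handled, skipped, nil
		default:
			return handled, skipped, fmt.Errorf("notification %d: %w", id, err)
		}
	}
}

func main() {
	// Constructed run: the 2nd receive is cancelled by the kernel and id 4 is answered too late.
	recvErr := []error{nil, syscall.ENOENT, nil, nil}
	i := 0
	receive := func() (uint64, error) {
		if i == len(recvErr) {
			return 0, errDrained
		}
		i++
		return uint64(i), recvErr[i-1]
	}
	late := map[uint64]error{4: syscall.ENOENT}
	respond := func(id uint64) error { return late[id] }
	fmt.Println(notifyLoop(receive, respond)) // 2 2 <nil>
}
```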