seccomp: config provided but seccomp not supported. #18946

Closed
phemmer opened this Issue Dec 29, 2015 · 25 comments

Contributor

phemmer commented Dec 29, 2015

Building from current master returns the following error any time any container is started:

# docker run --rm busybox true
seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container 43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12: [9] System error: seccomp: config provided but seccomp not supported.

daemon logs:

WARN[0005] exit status 1                                
WARN[0005] failed to cleanup ipc mounts:
failed to umount /var/lib/docker/containers/43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12/shm: invalid argument
failed to umount /var/lib/docker/containers/43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12/mqueue: invalid argument 
ERRO[0005] Error unmounting container 43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12: not mounted 
ERRO[0005] Handler for POST /v1.22/containers/43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12/start returned error: Cannot start container 43f6e217197d8a286cf38bfef0361e2aafc5251d15da5f5850ea9c63caad7f12: [9] System error: seccomp: config provided but seccomp not supported 

The package was built without the seccomp build tag. However having it as a build tag implies it is optional, and thus docker should work without it.

# docker version
Client:
 Version:      1.10.0-dev
 API version:  1.22
 Go version:   go1.5.1
 Git commit:   78ce43b
 Built:        Mon Dec 28 22:05:30 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.0-dev
 API version:  1.22
 Go version:   go1.5.1
 Git commit:   78ce43b
 Built:        Mon Dec 28 22:05:30 2015
 OS/Arch:      linux/amd64

# docker info                 
Containers: 4
Images: 55
Server Version: 1.10.0-dev
Storage Driver: btrfs
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 4.0.5-gentoo
Operating System: Gentoo/Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.64 GiB
Name: whistler
ID: 27PU:7FU5:JFWG:62CV:LVZ7:GKDH:5DEC:5I27:QDHP:MNWM:QBY6:BKGR
Username: phemmer
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support

Built from 78ce43b

Contributor

phemmer commented Dec 29, 2015

Looks like this is being caused by PR #18780
Running from a3ca176 works fine.

Contributor

jessfraz commented Dec 29, 2015

sorry my b i can fix that for unsupported, for now you can also use --security-opt seccomp:unconfined

pdevine commented Dec 29, 2015

I'm running into:

pdevine@clone1:~$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
03f4658f8b78: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
Status: Downloaded newer image for hello-world:latest
conditional filtering requires libseccomp version >= 2.2.1
docker: Error response from daemon: Cannot start container 903af94ae5c57468f9c23b1fc6748d3530eddd99fcce0b3b547ea6edd9b62423: [9] System error: conditional filtering requires libseccomp version >= 2.2.1.

This is on Ubuntu 14.04.3.

Contributor

jessfraz commented Dec 29, 2015

was this installed from experimental.docker.com, then we probably need to
up the dep for libseccomp

Contributor

jessfraz commented Dec 29, 2015

this is a different issue than the original but I'll take care of it

pdevine commented Dec 29, 2015

Yep. Through experimental.docker.com.

Contributor

jessfraz commented Dec 29, 2015

opened #18949

@thaJeztah thaJeztah added this to the 1.10 milestone Dec 29, 2015

Member

thaJeztah commented Dec 29, 2015

running experimental with seccomp:unconfined doesn't seem to solve all;

root@ubuntu-1gb-ams3-01:~# docker run -d --security-opt seccomp:unconfined nginx
e832e33300594f49fae69b5c4ce86e44028f9dd47893322f7b259d31a2e6dd3a
root@ubuntu-1gb-ams3-01:~# docker logs e832e33300594f49fae69b5c4ce86e44028f9dd47893322f7b259d31a2e6dd3a
nginx: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Permission denied

not sure if it's related to this

Contributor

jessfraz commented Dec 29, 2015

That's the same fix as above with libseccomp version I believe

Member

thaJeztah commented Dec 29, 2015

Cool, I thought I'd better post it, in case it's relevant :)

Member

tianon commented Dec 29, 2015

Arg, do we need to do some crazy runtime detection or something? Or is the problem really just that we're linking against too new of a library? The static binaries probably need a solution too, don't they?

Contributor

jessfraz commented Dec 29, 2015

ya @tianon i opened this PR but I hope we can get ubuntu trusty and debian jessie to up the version maybe soon? or eventually #18949

akamalov commented Feb 22, 2016

Greetings,

Environment:

OS: RHEL 7.2
Kernel: 3.10.0-327.4.4.el7.x86_64
Libseccomp : libseccomp-2.2.1-1.el7.x86_64
Docker Version:
 Client:
 Version:      1.10.0
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   590d5108
 Built:        Thu Feb  4 18:34:50 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.0
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   590d5108
 Built:        Thu Feb  4 18:34:50 2016
 OS/Arch:      linux/amd64

Getting the same error:

seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container 50e3c58a17b24125a5952abd552b4a661b9dfca1bb5b3f3dae2022dbe3292895: [9] System error: seccomp: config provided but seccomp not supported.

Member

thaJeztah commented Feb 22, 2016

@akamalov is that the default version installed on RHEL 7.2? I think the case with CentOS/RHEL 7, OS that 7.0 and 7.1 don't have the required version, so seccomp is not compiled into those packages (we currently don't have separate builds for 7.2)

akamalov commented Feb 23, 2016

Thanks for responding. When you said "CentOS/RHEL 7, OS that 7.0 and 7.1 don't have the required version", did you mean libseccomp? If yes, libseccomp-2.2.1-1 is available through 'yum'. I thought 2.2.1 was the minimum requirement.

Thanks again!

Alex

Member

thaJeztah commented Feb 23, 2016

@akamalov I should check if it's available at 7.0 and 7.1; point is that it's enabled/disabled during compile-time, so if the seccomp build-flag was not present during compile time of the binaries, it won't be available. In the 1.10.2 tag, the seccomp flag is not set for the Dockerfile to build the RPM (see https://github.com/docker/docker/blob/v1.10.2/contrib/builder/rpm/centos-7/Dockerfile#L17), so it won't be available in those RPMs.

I know we originally had this feature enabled for those RPMs but there were issues, so it was removed in this commit: ae54e39. Possibly the situation has changed in the meantime, in which case we can re-enable in the next release.

ping @jfrazelle perhaps you remember if CentOS/RHEL had an older version of seccomp at that time? According to the discussion above, 2.2.1 is now available on CentOS/RHEL
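
The two failure modes discussed in this thread (a binary built without the seccomp build tag, and a libseccomp older than 2.2.1), together with the runtime detection asked about earlier, sketched as a start-up check in Go. This is an added example, not part of the thread and not Docker's or libcontainer's code. The names `plan`, `kernelHasSeccomp` and `versionAtLeast`, the warning text, and the policy of warning for the default profile while refusing an explicitly requested one are assumptions; only the two error strings come from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Both error strings are quoted from the thread.
var (
	errNotSupported = errors.New("seccomp: config provided but seccomp not supported")
	errOldLib       = errors.New("conditional filtering requires libseccomp version >= 2.2.1")
)

// kernelHasSeccomp looks for the "Seccomp:" field in /proc/<pid>/status text;
// kernels built without CONFIG_SECCOMP omit it.
func kernelHasSeccomp(status string) bool {
	return strings.Contains("\n"+status, "\nSeccomp:")
}

// versionAtLeast compares "major.minor[.patch]" strings such as "2.1.1" and
// "2.2.1". Unparseable input counts as too old, so the check fails closed.
func versionAtLeast(have, want string) bool {
	var h, w [3]int
	if n, _ := fmt.Sscanf(have, "%d.%d.%d", &h[0], &h[1], &h[2]); n < 2 {
		return false
	}
	fmt.Sscanf(want, "%d.%d.%d", &w[0], &w[1], &w[2])
	for i := range w {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// plan decides what to do with the seccomp option for one container start.
// profile is "" (built-in default), "unconfined", or the path of a custom profile.
func plan(builtWithTag bool, status, libVer, profile string) (apply bool, warn string, err error) {
	if profile == "unconfined" {
		return false, "", nil
	}
	if !builtWithTag || !kernelHasSeccomp(status) {
		if profile == "" {
			// Nobody asked for a filter: start, but report the weaker sandbox.
			return false, "seccomp unavailable: default profile not applied", nil
		}
		// An explicitly requested profile is never dropped silently.
		return false, "", errNotSupported
	}
	if !versionAtLeast(libVer, "2.2.1") {
		return false, "", errOldLib
	}
	return true, "", nil
}

func main() {
	// Constructed inputs: a /proc/self/status excerpt and library versions.
	status := "Name:\tdockerd\nSeccomp:\t0\n"
	fmt.Println(plan(false, status, "2.2.1", ""))            // built without the tag
	fmt.Println(plan(true, status, "2.1.1", ""))             // library too old
	fmt.Println(plan(true, status, "2.2.1", "profile.json")) // filter is applied
}
```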

akamalov commented Feb 23, 2016

@jfrazelle would it be possible to obtain Docker build with SECCOMP enabled for RHEL 7.2? At this point the company is tightly integrated with RHEL as an OS of choice and we cannot (at this moment) use CoreOS or Debian.

Thanks so much!!!

Alex

Contributor

jessfraz commented Feb 23, 2016

PRs welcome if the rpm for rhel seccomp-dev is of the right version then
it's possible but we don't hold the keys for that

Member

thaJeztah commented Feb 23, 2016

ping @runcom perhaps you'd be able to check? (I know you asked about this as well)

akamalov commented Feb 23, 2016

Currently for RHEL7.2 (which I am running) there are the following SECCOMP libraries available:

> libseccomp-devel-2.1.1-2.el7.i686 : Development files used to build applications with libseccomp support Repo: rhel-x86_64-server-optional-7

> libseccomp-2.1.1-2.el7.x86_64 : Enhanced seccomp library Repo: rhel-x86_64-server-7

Thanks,

Alex

Member

thaJeztah commented Feb 23, 2016

@akamalov hm 2.1.1, so no 2.2.1 yet?

akamalov commented Feb 23, 2016

Sorry, my bad. Here is a complete list:

libseccomp-2.2.1-1.el7.x86_64 : Enhanced seccomp library
Repo        : rhel-x86_64-server-7

libseccomp-devel-2.2.1-1.el7.x86_64 : Development files used to build applications with libseccomp support
Repo        : rhel-x86_64-server-optional-7

akamalov commented Feb 25, 2016

So, any way we can get seccomp for RHEL7.2 ???

Member

thaJeztah commented Feb 25, 2016

If someone wants to make a pull request to enable it in the builds, I think we can accept that; then it can be made available in the experimental builds

Contributor

cpuguy83 commented Apr 27, 2016
