Docker fails to start container if certain syscalls are restricted by seccomp #22252
Description of problem: The following syscalls must be provided in the seccomp profile, even if they are not used by the process that is run in the container:
If these are not allowed, the container will fail to run with varying error messages depending on the missing syscall. I'm not familiar with the internals, but I suspect the seccomp profile is applied before the container is set up, and these syscalls are needed for the container set up. For a security model that allows limiting syscalls, it should also be possible to deny these calls if they are not needed by the process that is actually run.
Environment details (AWS, VirtualBox, physical, etc.): Test machine was a VPS from Linode
How reproducible: Very. Just run a container with any of the above syscalls removed from the default docker profile.
Steps to Reproduce:
The seccomp profile which allows only these syscalls is attached:
Expected Results: It should run the
Additional info: I found the list of syscalls that docker needs (in the first paragraph of this report) by removing each syscall in turn from the default profile, and seeing which ones cause a run of
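The elimination procedure the report describes (drop one syscall at a time from the allow list and see which removals stop the container from starting at all) can be scripted. The following is an added example, not code from this issue or from Docker: `SAMPLE_PROFILE` is a constructed three-syscall stand-in for the real default profile, the `alpine` image and the `true` command are assumptions, and the real run needs a working `docker` CLI (the `--security-opt seccomp=<file>` flag is Docker's own). `find_required_syscalls` takes the runner as a parameter so the loop can be exercised without Docker.

```python
import copy
import json
import os
import subprocess
import tempfile

# Constructed sample in the Docker seccomp JSON format. The real default profile
# allows several hundred syscalls; this tiny one only serves to show the method.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"name": "read", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "write", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "exit_group", "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}


def _entry_names(entry):
    # Older profiles use "name" (one syscall per entry); newer ones use "names".
    return list(entry.get("names") or [entry["name"]])


def allowed_syscalls(profile):
    """All syscall names whose action is SCMP_ACT_ALLOW, in profile order."""
    names = []
    for entry in profile["syscalls"]:
        if entry["action"] == "SCMP_ACT_ALLOW":
            names.extend(_entry_names(entry))
    return names


def without_syscall(profile, name):
    """Deep-copy the profile with one syscall dropped from the allow list,
    so that calling it falls back to defaultAction (here SCMP_ACT_ERRNO)."""
    if name not in allowed_syscalls(profile):
        raise ValueError(f"{name!r} is not on the allow list")
    new = copy.deepcopy(profile)
    kept = []
    for entry in new["syscalls"]:
        names = [n for n in _entry_names(entry) if n != name]
        if not names:
            continue  # entry only allowed the dropped syscall; remove it entirely
        if "names" in entry:
            entry["names"] = names
        else:
            entry["name"] = names[0]
        kept.append(entry)
    new["syscalls"] = kept
    return new


def docker_run_with_profile(profile, image="alpine", cmd=("true",)):
    """Write the profile to a temp file and start a throwaway container under it.
    Returns (started_ok, stderr). Assumes a local docker CLI and daemon."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(profile, f)
        path = f.name
    try:
        result = subprocess.run(
            ["docker", "run", "--rm", f"--security-opt=seccomp={path}", image, *cmd],
            capture_output=True, text=True,
        )
    finally:
        os.unlink(path)
    return result.returncode == 0, result.stderr.strip()


def find_required_syscalls(profile, run_with_profile=docker_run_with_profile):
    """Drop each allowed syscall in turn; report those whose removal prevents the
    container from starting, together with the error the runtime printed."""
    required = []
    for name in allowed_syscalls(profile):
        ok, err = run_with_profile(without_syscall(profile, name))
        if not ok:
            required.append((name, err))
    return required


if __name__ == "__main__":
    # Replace SAMPLE_PROFILE with the JSON of the default profile to reproduce
    # the report's measurement against a real daemon.
    for syscall, err in find_required_syscalls(SAMPLE_PROFILE):
        print(f"{syscall}: container failed to start: {err}")
```

Because `true` makes no interesting syscalls of its own, any syscall that shows up as required with this command is one the runtime needs for container setup rather than one the workload needs, which is exactly the distinction the report is drawing.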
Yes, I did notice that there was an issue with the seccomp profile being applied a little earlier than ideal (i.e. before setting capabilities and a few other things) when we did the original addition, but it may also have moved around with the
Ok, I have it working with just
There is a slight complication around
referenced this issue
Apr 27, 2016
Ok, I have sent a PR to
This only moves seccomp to after setting capabilities if the
I am having the exact same issue here on a Linode droplet using Ubuntu 16.04.