Can't run docker image from another architecture on Ubuntu 21.10 (qemu: qemu_thread_create: Operation not permitted) #42963

Closed
bozaro opened this issue Oct 24, 2021 · 7 comments · Fixed by #42681

bozaro commented Oct 24, 2021

Description

Can't run docker image from another architecture on Ubuntu 21.10 (Ubuntu 21.04 works correctly).

Executing binaries for another architecture without docker works correctly.

Steps to reproduce the issue:

  1. Install Ubuntu 21.10 without any specific settings
  2. Install docker (https://docs.docker.com/engine/install/ubuntu/)
  3. Install qemu user static (apt install qemu-user-static)
  4. Run docker image for another platform (docker run --rm -it --platform arm64 alpine arch)

Describe the results you received:
Docker container is not started with Operation not permitted error:

$ docker run --rm -it --platform arm64 alpine arch
qemu: qemu_thread_create: Operation not permitted

Describe the results you expected:
Expected result (same as on Ubuntu 21.04):

$ docker run --rm -it --platform arm64 alpine arch
aarch64

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:48 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.3-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 33
  Running: 0
  Paused: 0
  Stopped: 33
 Images: 379
 Server Version: 20.10.9
 Storage Driver: btrfs
  Build Version: Btrfs v5.10.1 
  Library Version: 102
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.13.0-20-generic
 Operating System: Ubuntu 21.10
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 62.75GiB
 Name: landfill
 ID: BMSR:XZKM:OBJM:EGUZ:AA6P:IFDP:YSLW:DITV:JQDF:SX5P:NI5K:EI7J
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: bozaro
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical workstation (Intel i7-8700K) with fresh Ubuntu 21.10 installation.

uname -a
Linux landfill 5.13.0-20-generic #20-Ubuntu SMP Fri Oct 15 14:21:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

@thaJeztah
Member

Not sure if this is an issue with docker or an issue with qemu. Does it work if you start the container with seccomp disabled (--security-opt seccomp=unconfined)?

@bozaro
Author

bozaro commented Oct 26, 2021

Does it work if you start the container with seccomp disabled (--security-opt seccomp=unconfined)?

Yes. It is working:

~ docker run --rm -it --platform arm64 alpine arch                                  
qemu: qemu_thread_create: Operation not permitted
~ docker run --rm -it --platform arm64 --security-opt seccomp=unconfined alpine arch
aarch64

@bozaro
Author

bozaro commented Oct 26, 2021

I upgraded Docker to version 20.10.10 today (was 20.10.9) and the problem is no longer reproducible.
Maybe it was fixed by #42836

@thaJeztah
Member

Thanks for testing, and yes, #42836 was the issue I was thinking of, and looks to be confirmed by your steps to disable seccomp (and the upgrade to 20.10.10)

From the above, it looks like this is resolved in 20.10.10, so let me close this one, thanks!
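
A triage helper for hosts that show the same qemu error, added here as an example and not taken from the thread or the Moby project: it reads `docker info` text and decides whether the Engine predates 20.10.10, the release reported above as fixed, so the seccomp profile can stay enabled. Function names are hypothetical, the sample is an excerpt of the reporter's output, and treating every release before 20.10.10 as needing the upgrade is an assumption.

```shell
#!/bin/sh
# Added triage helper (hypothetical names); not from the thread or from Moby.
FIXED_VERSION="20.10.10"   # first Engine release the thread reports as working

# Excerpt of the reporter's `docker info` output, embedded so this runs offline.
SAMPLE_INFO=' Server Version: 20.10.9
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns'

# version_lt A B: true when A sorts strictly before B as a version number.
# A plain string comparison ranks "20.10.9" above "20.10.10"; sort -V does not.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# server_version: print the Server Version field from `docker info` on stdin.
server_version() { sed -n 's/^ *Server Version: *//p' | head -n 1; }

# seccomp_profile: print the seccomp profile from `docker info` on stdin,
# "unknown" if seccomp is listed without a profile, nothing if it is absent.
seccomp_profile() {
    awk '/^ *seccomp *$/ { seen = 1; next }
         seen { print (($1 == "Profile:") ? $2 : "unknown"); done = 1; exit }
         END  { if (seen && !done) print "unknown" }'
}

# triage VERSION PROFILE: print one verdict for a host showing the qemu error.
triage() {
    if [ -z "$2" ] || [ "$2" = "unconfined" ]; then
        echo "seccomp-not-enforced"   # seccomp is not what blocks qemu here
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "upgrade-engine"         # keep seccomp on; move to 20.10.10+
    else
        echo "look-elsewhere"         # engine already carries the fix
    fi
}

v=$(printf '%s\n' "$SAMPLE_INFO" | server_version)
p=$(printf '%s\n' "$SAMPLE_INFO" | seccomp_profile)
echo "server=$v seccomp=$p verdict=$(triage "$v" "$p")"
```

On a live host, pipe `docker info` into the two parsers in place of the embedded sample.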

umarcor added a commit to dbhi/qus that referenced this issue Oct 30, 2021
QEMU 6.1.0 fails with Docker 20.10.9. It is fixed in Docker 20.10.10.

* moby/moby#42963
* moby/moby#42836
umarcor added a commit to dbhi/qus that referenced this issue Oct 30, 2021
Fedora containers fail with QEMU 6.1.0 and Docker 20.10.9.
It can be worked around with option '--security-opt seccomp=unconfined',
but that is not allowed on GitHub Actions.
Anyway, it is fixed in Docker 20.10.10.

* moby/moby#42963
* moby/moby#42836

@ell1e

ell1e commented Oct 31, 2021

How can this be worked around for docker build?

@thaJeztah
Member

@ell1e I think this should be fixed for docker build as well in 20.10.10; are you still seeing this problem with docker 20.10.10?

@ell1e

ell1e commented Nov 1, 2021

Red Hat currently ships 20.10.9 still, so that information just isn't very useful to me right now. And attempting security-opt with docker build just gives an error that it's not supported for that.

umarcor added a commit to dbhi/qus that referenced this issue Nov 25, 2021
Fedora containers fail with QEMU 6.1.0 and Docker 20.10.9.
It can be worked around with option '--security-opt seccomp=unconfined',
but that is not allowed on GitHub Actions.
Anyway, it is fixed in Docker 20.10.10.

* moby/moby#42963
* moby/moby#42836