You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.
The s390x architecture requires an extra seccomp masked_eq rule to allow clone syscalls. This rule is present in cri-o's default configuration, but is missing in the configuration generated by opencontainers/runtime-tools. This causes syscalls to clone to be rejected by seccomp in cri-o subsystems which utilize this generated seccomp profile.
This issue affects the ose-pod container in openshift. When cri-o tries to instantiate /usr/bin/pod on s390x during the openshifft bootstrap, there is a clone syscall in the golang runtime startup which fails with a Permission Denied error. This prevents containers from being instantiated by the bootstrap kubelet, causing the openshift bootstrap to fail.
The text was updated successfully, but these errors were encountered:
The s390x architecture requires an extra seccomp masked_eq rule to allow
clonesyscalls. This rule is present in cri-o's default configuration, but is missing in the configuration generated by opencontainers/runtime-tools. This causes syscalls tocloneto be rejected by seccomp in cri-o subsystems which utilize this generated seccomp profile.This issue affects the ose-pod container in openshift. When cri-o tries to instantiate /usr/bin/pod on s390x during the openshifft bootstrap, there is a
clonesyscall in the golang runtime startup which fails with a Permission Denied error. This prevents containers from being instantiated by the bootstrap kubelet, causing the openshift bootstrap to fail.The text was updated successfully, but these errors were encountered: