rkt run hangs on docker://julia

[tesujimath]

Our users would really like to run Julia as a container. It works fine when run by docker, but rkt just hangs. Need to kill-9 the rkt run process.

Environment

rkt Version: 1.25.0
appc Version: 0.8.10
Go Version: go1.7.4
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL
--
Linux 3.10.0-514.10.2.el7.x86_64 x86_64
--
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
--
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

What did you do?

inscrutable$ docker run -v /home/guestsi:/home/guestsi julia ~/playpen/julia/hello-world.jl 
hello Julia world!

inscrutable# /usr/bin/rkt --insecure-options=image run --net=host --volume home,kind=host,source=/home/guestsi docker://julia --mount volume=home,target=/home/guestsi --user=511 --group=511 -- /home/guestsi/playpen/julia/hello-world.jl

(hangs)

What did you expect to see?

hello Julia world!

What did you see instead?

nothing, it hangs until kill -9

[tesujimath]

I just noticed slightly different behaviour. The rkt run command still hangs, but is now responsive to ctrl-C, and doesn't need kill -9 to interrupt it.

Sorry, this isn't very satisfactory, but I can't determine what I am doing differently from before when it needed kill -9. (I tried for some time to reproduce the previous behaviour, but couldn't.)

So, it's not as bad now, in that ctrl-C works to kill it. But it still hangs, and doesn't produce any output.

Any ideas?

[tesujimath]

Ah I see, it's a timing thing. It responds to ctrl-C in the first few seconds, but not subsequently. I presume this is to do with the various stages of bootstrapping the container. So the previous comment is probably a red herring.

[squeed]

Hi there,
You can always quit a running container by pressing ctl-] three times in quick succession. The reason ctl-C works in the first few seconds is that it kills the rkt preparation process rather than the container.

I did a quick test, and was able to run Julia by disabling seccomp:

# rkt run --interactive --insecure-options=seccomp docker://julia
...
julia>

By running julia locally with strace, I got the list of syscalls in a trival Julia execution:

echo | strace -f -c julia

They all looked pretty normal except mbind, so I added that to the default allow list and Julia worked!

# rkt run --interactive docker://julia --seccomp mode=retain,@docker/default-whitelist,mbind
...
julia> 

We definitely don't want to add mbind to the list of allowed syscalls, so I'm not sure there are any changes to be made to rkt.

HTH!
--Casey

[tesujimath]

Hi Casey,

That works perfectly, thanks, very much appreciated! All resolved now.

cheers,
Simon