-
Notifications
You must be signed in to change notification settings - Fork 886
"Bad system call" in rkt, works in docker #3820
Comments
As the docker image doesn't seem to be publicly accessible, you'll need to strace the |
Good idea on the strace. Here is the rkt trace,
vs the docker trace,
So it seems rkt trace receives SIGSYS when trying to execute So I'm thinking that either that capability is not inherited by bash or the syscall is blocked by seccomp? I'm googling to see whether it is possible to list capabilities / seccomp for a process. |
One thing you can try is executing rkt with
|
Here are the capabilities for the bash running inside rkt,
and for bash inside docker,
where
The main difference with these between rkt and docker is @squeed trying the --seccomp now. |
I looked at rkt/stage1/init/common/seccomp_wildcards.go Line 342 in d91cddd
--seccomp mode=retain,@docker/default-whitelist,keyctl
Any ideas what could be happening? |
The difference here can minimally be reproduced with:
The nspawn list of syscalls here looks related. (Note that in systemd v235, which isn't used by rkt yet, the structure of that code has changed somewhat) I gained a little further evidence for my suspicion that the previous comment is related trying another element on the list:
Another difference here, which probably doesn't matter, is that systemd explicitly creates a new keyring for systemd services nowadays, so the application inside your pod probably got its own keyring, while this wouldn't be the case under docker. I don't think that detail really matters here though. I'm not sure if rkt should be trying to override that behaviour by default since systemd does have a reason for avoiding letting it through... though modelling it more accurately in the |
Actually, after thinking about this a moment longer, I realized the actual difference. The whole nspawn thing seems to be a total red herring. Docker defaults its seccomp filter to If you switch rkt to EPERM via something like I'd bet the application in question handles that just fine since, well, docker is giving an EPERM for the keyctl related calls already. I'm filing a followup about the usability vs security considerations here. |
@euank Thanks for looking at it. I can confirm that |
I'm gonna close this issue in favor of #3823 |
I'm still confused though, who is calling |
The But I'm not sure who is calling |
Environment
What did you do?
Run container and execute
su
,What did you expect to see?
The
su
works with docker out of the box, so I expected it to also work withrkt
.What did you see instead?
I'm looking at switching from docker to rkt. The
su
works in docker, but seems to blocked either by capabilities or seccomp in rkt. I'm not too familiar with these and my google attempt were not helping. How can I figure why it works with docker and fails with rkt?Here is the output of the
rkt run
with--debug
,The text was updated successfully, but these errors were encountered: