RHEL 7 installation regression on 1.5.7: runc: symbol lookup error: runc: undefined symbol: seccomp_api_get

[relyt0925]

When trying to install containerd using the published linux tars on RHEL 7 we get the following error
https://github.com/containerd/containerd/releases/tag/v1.5.7

[root@pres-bvnqjb710uup42eo9ri0-btsprestgbm-mg4c32x-000003bd ~]# runc -h
runc: symbol lookup error: runc: undefined symbol: seccomp_api_get

It has libseccomp-dev installed.

libseccomp-devel-2.3.1-4.el7.x86_64
Package libseccomp-2.3.1-4.el7.x86_64 already installed and latest version

What is the recommended and supported way to install containerd on RHEL 7? Not this dependency was not in existance on the previous containerd 1.5 release

[relyt0925]

Opened new issue since it's unrelated to original post:

Note that containerd 1.4.11 does work from the tar install

[relyt0925]

this is also occuring in 1.5.8 for RHEL 7

[cpuguy83]

The release tars are dynamically linked and built against Ubuntu 18.04.
In order to fix this we would need to build releases for each target distro+version.
We may be able to get away with distro+really old version (instead of every version).

[hzde0128]

the same problem.

[mikebrow]

wave..

Lib libseccomp 2.4 added seccomp_api_get.

#5444

suggested resolution, move up version of libseccomp > 2.4 to provide seccomp_api_get used by runc

[hakman]

We are starting to see this issue in the kOps periodic tests for Debian 10 too. Did not have time to dig deeper, but I assume there is some new package update for libseccomp.
https://testgrid.k8s.io/kops-distros#kops-aws-distro-imagedebian10

[thaJeztah]

suggested resolution, move up version of libseccomp > 2.4 to provide seccomp_api_get used by runc

IIRC, CentOS 7 and RHEL 7 don't have that version yet; see docker/containerd-packaging#112 ((perhaps they did add it later though)

That said; if I'm not mistaken; when compiling against the older version, the new API isn't used, and it's possible to run it on a system that has a newer libseccomp installed (but I don't know if this has other consequences)

[cpuguy83]

Oh I see Ubuntu has added seccomp 2.5, which is possibly what we are compiling against (almost certainly on HEAD).

[relyt0925]

So it seems to me there is a regression:

@mikebrow @thaJeztah just to confirm because it seems like that issue has no movement is there a planned course of action to get containerd working with RHEL 7 or is the community saying they are dropping support for it?

[cpuguy83]

This should fix it: #6447

I would personally advise people to use binaries targeted at their distro, though.

[relyt0925]

So it looks like that issue was closed @cpuguy83 and not merged: My larger point here is it seems like there's suggestions but no official statement on how to install containerd on an operating system like RHEL 7: We cannot use our own runc as the one included in the release tarball overwrites it.......

Are we now going to move to another tarball that doesn't include runc?

[relyt0925]

I do think we need some kind of path for RHEL 7 going forward: it would be a problem from an IBM perspective at least if that support just got dropped without notification. We need to stay on current releases for security reasons and right now we are stuck at 1.4

[DesistDaydream]

Has the 1.1.1 release resolved this issue?

~]# yum info libseccomp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.bupt.edu.cn
 * extras: mirrors.bupt.edu.cn
 * updates: mirrors.huaweicloud.com
Installed Packages
Name        : libseccomp
Arch        : x86_64
Version     : 2.3.1
Release     : 4.el7
Size        : 297 k
Repo        : installed
From repo   : base
Summary     : Enhanced seccomp library
URL         : https://github.com/seccomp/libseccomp
License     : LGPLv2
Description : The libseccomp library provides an easy to use interface to the Linux Kernel's
            : syscall filtering mechanism, seccomp.  The libseccomp API allows an application
            : to specify which syscalls, and optionally which syscall arguments, the
            : application is allowed to execute, all of which are enforced by the Linux
            : Kernel.

Available Packages
Name        : libseccomp
Arch        : i686
Version     : 2.3.1
Release     : 4.el7
Size        : 53 k
Repo        : base/7/x86_64
Summary     : Enhanced seccomp library
URL         : https://github.com/seccomp/libseccomp
License     : LGPLv2
Description : The libseccomp library provides an easy to use interface to the Linux Kernel's
            : syscall filtering mechanism, seccomp.  The libseccomp API allows an application
            : to specify which syscalls, and optionally which syscall arguments, the
            : application is allowed to execute, all of which are enforced by the Linux
            : Kernel.

~]# ./runc.amd64 -v
runc version 1.1.1
commit: v1.1.0-20-g52de29d7
spec: 1.0.2-dev
go: go1.17.6
libseccomp: 2.5.3

~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)

[AkihiroSuda]

cri-containerd-(cni-)<VERSION>-<OS-<ARCH>.tar.gz is deprecated in containerd 1.6.
https://github.com/containerd/containerd/blob/main/docs/getting-started.md

runc should be now installed separately from https://github.com/opencontainers/runc/releases