Hi, Detlef,

runc 1.3.3 introduced openat2 usage (via an updated securejoin library)
for security hardening. Since openat2 has been available since Linux 5.6
(2020), your kernel (6.17.8) almost certainly supports it.

The likely culprit is your custom seccomp profile. You're passing
--security-opt "seccomp=$HOME/cfg/docker-cfg.json". If that profile was
created for an older runc, it probably doesn't include openat2 in the
allowed syscall list -- seccomp would then block it and return "function
not implemented".

Quick test: Remove the --security-opt seccomp=... line from your docker
run command. If the container starts, the seccomp profile is the
problem.

Fix: Add openat2 to the allowed syscalls in your docker-cfg.json:

{"names": ["openat2"], "action": "SCMP_ACT_ALLOW"}

Downgrading to runc 1.3.2 works around the issue because that version didn't
use openat2.

Let me know if that is indeed the case.

Best,
-rt
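As an added example (not code from this thread or from runc/Docker), the check the reply describes, applied to a Docker-style seccomp profile: it reports whether a syscall such as openat2 is admitted by the profile and, if not, appends the allow rule quoted above. The profile below is a constructed minimal one, not the docker-cfg.json from the thread.

```python
import json

# Constructed minimal Docker-style seccomp profile (assumption: not the real
# docker-cfg.json). Deny-by-default, with an allow list that predates openat2.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["openat", "read", "write", "close"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"},
    ],
})


def names_with_action(profile: dict, allow: bool) -> set:
    """Syscall names covered by unconditional allow (or non-allow) rules."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("args"):
            continue  # argument-filtered rule: not an unconditional decision
        if (rule.get("action") == "SCMP_ACT_ALLOW") == allow:
            names.update(rule.get("names", []))
            if "name" in rule:  # legacy single-name rule form
                names.add(rule["name"])
    return names


def is_allowed(profile_json: str, syscall: str) -> bool:
    """True if the profile lets the syscall through without an argument filter."""
    profile = json.loads(profile_json)
    if syscall in names_with_action(profile, allow=False):
        return False  # explicit errno/kill/trap rule wins over any allow
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return True
    return syscall in names_with_action(profile, allow=True)


def ensure_allowed(profile_json: str, syscall: str = "openat2") -> tuple:
    """Return (profile JSON, changed); appends an allow rule when one is missing."""
    if is_allowed(profile_json, syscall):
        return profile_json, False
    profile = json.loads(profile_json)
    if syscall in names_with_action(profile, allow=False):
        raise ValueError(f"{syscall} is explicitly denied; remove that rule first")
    profile.setdefault("syscalls", []).append(
        {"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return json.dumps(profile, indent=2), True


if __name__ == "__main__":
    updated, changed = ensure_allowed(SAMPLE_PROFILE)
    print("added openat2" if changed else "openat2 already allowed")
```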
