Hi Reinhard, thanks for looking into this.

On Mon, 06 Apr 2026 21:17:00 -0400 Reinhard Tartler <[email protected]> wrote:
> runc 1.3.3 introduced openat2 usage (via an updated securejoin library)
> for security hardening. Since openat2 has been available since Linux 5.6
> (2020), your kernel (6.17.8) almost certainly supports it.
>
> The likely culprit is your custom seccomp profile. You're passing
> --security-opt "seccomp=$HOME/cfg/docker-cfg.json". If that profile was
> created for an older runc, it probably doesn't include openat2 in the
> allowed syscall list -- seccomp would then block it and return "function
> not implemented".
>
> Quick test: Remove the --security-opt seccomp=... line from your docker
> run command. If the container starts, the seccomp profile is the
> problem.

Will do. However I just started a trip and will only be back in my
office end of next week. I will report then.

Thanks again,
Detlef

> Fix: Add openat2 to the allowed syscalls in your docker-cfg.json:
>
>   {"names": ["openat2"], "action": "SCMP_ACT_ALLOW"}
>
> Downgrading to runc 1.3.2 works around the issue because that version didn't
> use openat2.
>
> Let me know if that is indeed the case.
>
> Best,
> -rt
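
The check discussed in this thread can be run against a profile file without starting a container. The following is an added example, not part of the original messages and not runc or Docker code: it reads a profile in Docker's seccomp JSON format and reports whether `openat2` is unconditionally allowed. The function names and the sample profile are constructed for illustration, and rules carrying `args`, `includes` or `excludes` are assumed not to count as an unconditional allow.

```python
import json

# Constructed sample in Docker's seccomp profile JSON format (not the
# reporter's actual docker-cfg.json): deny by default, allow a short list.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "open", "openat", "close"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ"}]}
  ]
}
"""

# Actions that let the syscall execute (LOG allows it and records the call).
ALLOWING = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}


def is_allowed(profile, syscall):
    """True if `syscall` is allowed regardless of arguments or platform."""
    named = False
    for rule in profile.get("syscalls", []):
        names = list(rule.get("names") or [])
        if rule.get("name"):  # older profiles use a single "name" per rule
            names.append(rule["name"])
        if syscall not in names:
            continue
        named = True
        conditional = (rule.get("args") or rule.get("includes")
                       or rule.get("excludes"))
        if rule.get("action") in ALLOWING and not conditional:
            return True
    # No rule names the syscall: the profile's default action decides.
    return not named and profile.get("defaultAction") in ALLOWING


def missing_syscalls(profile, required=("openat2",)):
    """Required syscalls the profile does not unconditionally allow."""
    return [sc for sc in required if not is_allowed(profile, sc)]


def add_allow_rule(profile, syscall):
    """Append the allow rule quoted in the thread for `syscall`."""
    profile.setdefault("syscalls", []).append(
        {"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return profile
```

To check a real profile, load it with `json.load(open(path))` and pass the result to `missing_syscalls`; an empty list means the profile already permits `openat2`.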

