From upstream docker github [1]

The issue was found in 20.10.7; the fix was merged in v20.10.10-rc1 [2].
From the docker release notes, it was published in version 20.10.10 on 2021-10-25 [3].

In Ubuntu 20.04.2, the docker version is 20.10.7 (20.10.7-0ubuntu1~20.04.2) [4].

From [5], Ubuntu 21.10 and Fedora 35 have the issue.

[1] https://github.com/moby/moby/issues/42680
seccomp filter breaks latest glibc (in fedora rawhide) by blocking clone3 with EPERM · Issue #42680 · moby/moby · GitHub

[2] https://github.com/moby/moby/commit/6835d15f5523063f0a04a86d4810a637c6010d62
[20.10] update containerd binary to v1.4.10 · moby/moby@6835d15
- Update runc to v1.0.2 - Update hcsshim to v0.8.21 - Support "clone3" in default seccomp profile - Fix panic in metadata content writer on copy error


[3] https://docs.docker.com/engine/release-notes/#201010
Docker Engine release notes - Docker Documentation


[4] https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1948361
Bug #1948361 “docker.io - error adding seccomp filter rule for s... : Bugs : docker.io package : Ubuntu
Encountered the following error using the docker.io package in focal-proposed running the autotest-client-test/ubuntu_performance_deep_learning test. "docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown." This test essentially pulls down a nvidia tensorflow docker container, runs the container and triggers the preloaded ...


[5] https://pascalroeleven.nl/2021/09/09/ubuntu-21-10-and-fedora-35-in-docker/
Ubuntu 21.10 and Fedora 35 in Docker – Pascal Roeleven

//Hongxu
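A probe for the failure this thread is about, added here as an example (not code from the thread, from glibc or from moby): it issues clone3 with a zero-length argument struct, which a kernel that has clone3 rejects with EINVAL before creating anything, so the errno that comes back tells you whether the container runtime's seccomp profile answers EPERM (the pre-20.10.10 docker default, which glibc 2.34+ does not treat as a reason to fall back to clone) or ENOSYS (the fixed default). The classification mirrors glibc's rule that only ENOSYS triggers the fallback; the syscall number 435 is assumed for hosts whose headers lack __NR_clone3.

```c
/* Probe whether clone3 reaches the kernel from inside this container.
 * Added example, not code from the thread, glibc or moby. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#ifndef __NR_clone3
#define __NR_clone3 435 /* assumption: clone3 uses this number on every Linux arch */
#endif

enum clone3_state {
    CLONE3_USABLE,    /* kernel saw the call: glibc will create threads with clone3 */
    CLONE3_FALLBACK,  /* ENOSYS: old kernel or seccomp default errno ENOSYS, glibc uses clone */
    CLONE3_BROKEN,    /* EPERM: seccomp blocks it the old docker way, pthread_create fails */
    CLONE3_UNEXPECTED
};

/* Call clone3 with size 0. The kernel rejects any size below CLONE_ARGS_SIZE_VER0
 * with EINVAL before reading the arguments, so no process is ever created; a
 * seccomp filter (or a kernel without clone3) answers before that check runs.
 * Returns the errno observed, or 0 if the call unexpectedly succeeded. */
int probe_clone3_errno(void)
{
#ifdef __linux__
    errno = 0;
    long rc = syscall(__NR_clone3, NULL, 0);
    return rc == -1 ? errno : 0;
#else
    return ENOSYS; /* no clone3 outside Linux */
#endif
}

/* Mirror glibc 2.34+: only ENOSYS makes the clone wrapper retry with clone/clone2. */
enum clone3_state classify_clone3(int err)
{
    switch (err) {
    case EINVAL: return CLONE3_USABLE;
    case ENOSYS: return CLONE3_FALLBACK;
    case EPERM:  return CLONE3_BROKEN;
    default:     return CLONE3_UNEXPECTED;
    }
}

int main(void)
{
    static const char *const names[] = {
        "clone3 usable", "clone3 answered with ENOSYS, glibc falls back to clone",
        "clone3 answered with EPERM, glibc >= 2.34 cannot create threads here",
        "unexpected result" };
    int err = probe_clone3_errno();
    printf("clone3 probe: errno=%d (%s): %s\n", err, strerror(err), names[classify_clone3(err)]);
    return classify_clone3(err) == CLONE3_BROKEN ? 1 : 0;
}
```

Run it inside the container image in question; a non-zero exit means the host runtime's seccomp profile will break a glibc 2.34+ (or uninative) toolchain there.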
________________________________
From: Khem Raj <raj.k...@gmail.com>
Sent: Wednesday, February 16, 2022 12:08 PM
To: Jia, Hongxu <hongxu....@windriver.com>
Cc: Richard Purdie <richard.pur...@linuxfoundation.org>; 
openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)


On Tue, Feb 15, 2022 at 6:28 PM Jia, Hongxu <hongxu....@windriver.com> wrote:
Hi khem,

Upstream glibc rejects it because the latest docker has supported it [1], and
upstream glibc does not keep backward compatibility with old docker [2].

In order to build Yocto with uninative in old docker, we need this local patch.

How old is the docker, and I assume
it's some distribution needing it?

[1] https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594
seccomp: add support for "clone3" syscall in default policy · moby/moby@9f6b562
If no seccomp policy is requested, then the built-in default policy in dockerd applies. This has no rule for "clone3" defined, nor any default errno defined. So when runc receives the con...


[2] https://sourceware.org/pipermail/libc-alpha/2021-August/130590.html

//Hongxu
________________________________
From: Khem Raj <raj.k...@gmail.com>
Sent: Wednesday, February 16, 2022 12:17 AM
To: Jia, Hongxu <hongxu....@windriver.com>
Cc: openembedded-core@lists.openembedded.org; Richard Purdie <richard.pur...@linuxfoundation.org>
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)

On Tue, Feb 15, 2022 at 12:25 AM Jia, Hongxu <hongxu....@windriver.com> wrote:
>
> On 2/9/22 06:53, Khem Raj wrote:
>
> diff --git 
> a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch
>  
> b/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch
> deleted file mode 100644
> index 3283dd7ad8a..00000000000
> --- 
> a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch
> +++ /dev/null
> @@ -1,79 +0,0 @@
> -From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17 00:00:00 2001
> -From: Hongxu Jia <hongxu....@windriver.com<mailto:hongxu....@windriver.com>>
> -Date: Sun, 29 Aug 2021 20:49:16 +0800
> -Subject: [PATCH] fix create thread failed in unprivileged process [BZ #28287]
> -
> -Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and 
> clone3]
> -applied, start a unprivileged container (docker run without --privileged),
> -it creates a thread failed in container.
> -
> -In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is defined.  If
> -__clone3 returns -1 with ENOSYS, fall back to clone or clone2.
> -
> -As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
> -CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
> -was specified by an unprivileged process (process without CAP_SYS_ADMIN)
> -
> -[1] 
> https://man7.org/linux/man-pages/man2/clone3.2.html<https://urldefense.com/v3/__https://man7.org/linux/man-pages/man2/clone3.2.html__;!!AjveYdw8EvQ!JrdILWjxfDiWHnl5n9iunsdZlqM0OsXFKtRci3uAgclNV9L6va0Ic-5IjAs7u3AyFyV8$>
> -
> -So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could
> -fix the issue. Here are the test steps:
> -
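Review bot: The hunk header removes 79 lines, but the excerpt quoted above shows only the header of the deleted patch, and that header is the only in-tree record of why the fallback existed (clone3 answered with EPERM under an unprivileged container's seccomp filter, while glibc retries with clone only on ENOSYS). Since the drop is deliberate, the commit message for it should state that reason and which container hosts are affected, so a uninative built from glibc 2.35 that fails to create threads on an older docker can be traced to this change instead of being rediscovered.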
>
> Hi RP,
>
>
> I found this local patch was removed from glibc; we have to get it back and
> regenerate uninative to avoid the thread creation failure in an unprivileged
> container.
>

I intentionally dropped it since upstream glibc will not accept this
patch, since it's not a glibc problem but
rather a container runtime problem. Can you investigate that path before
we reapply it? Maintaining a rejected patch is the last thing we want to
do.

>
> //Hongxu
View/Reply Online (#161771): 
https://lists.openembedded.org/g/openembedded-core/message/161771