Bug 1327679

Summary: seccomp: config provided but seccomp not supported
Product: Red Hat Enterprise Linux 7 Reporter: Qian Cai <qcai>
Component: docker-latestAssignee: Matthew Heon <mheon>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.2CC: ajia, amurdaca, dwalsh, mpatel, qcai
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: docker-1.10.3-10.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-12 14:55:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1325441    
Bug Blocks: 1303656, 1305185    
Attachments:
Description Flags
Lets compile dockerinit as shared and then not ship it. none

Description Qian Cai 2016-04-15 15:42:46 UTC 
Description of problem:
# docker-latest run --rm --security-opt seccomp:`pwd`/seccomp.json rhel7 /bin/bash
seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container dd37b2b6828edf55bb264eadd6a99148f1e6353bb765294d63fc48d95d31a16f: [9] System error: seccomp: config provided but seccomp not supported.

# rpm -qa | grep libseccomp
libseccomp-2.2.1-1.el7.x86_64
libseccomp-devel-2.2.1-1.el7.x86_64

Version-Release number of selected component (if applicable):
docker-latest-1.10.3-9.el7.x86_64

How reproducible:
always
Comment 2 Daniel Walsh 2016-04-15 16:24:26 UTC 
Lokesh it looks like we are not setting the seccomp build tag. Need to set this just like we turn on SELinux.

echo $DOCKER_BUILDTAGS 
selinux seccomp
Comment 3 Lokesh Mandvekar 2016-04-15 19:42:42 UTC 
Dan, we're gonna need Bug 1325441 sorted to go ahead with this.
Comment 4 Daniel Walsh 2016-04-15 20:50:15 UTC 
Is there any way to build without dockerinit support?
Comment 5 Daniel Walsh 2016-04-15 20:59:56 UTC 
Created attachment 1147776 [details]
Lets compile dockerinit as shared and then not ship it.

This patch will allow you to compile dockerinit without libseccomp-static and then drop it from the package.  We don't support lxc in RHEL anyways and it gets dropped from docker in docker-1.11 anyways.
Comment 6 Lokesh Mandvekar 2016-04-18 16:57:31 UTC 
fixed in upcoming..
Comment 8 Qian Cai 2016-04-19 18:36:23 UTC 
Worked fine.
Comment 9 Alex Jia 2016-04-28 10:03:56 UTC 
I can reproduce the issue on docker-latest-1.10.3-9.el7.x86_64 w/ libseccomp-2.2.1-1.el7.x86_64, but I can't still successfully start a container after upgrading docker-latest to 1.10.3-10, the details as follows.

# cat example.json 
{
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [
                "SCMP_ARCH_X86_64",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X32"
        ],
        "syscalls": [
                {
                        "name": "accept",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                },
                {
                        "name": "accept4",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                }
        ]
}

# docker-latest run --security-opt seccomp:`pwd`/example.json rhel7 /bin/bash
Unable to find image 'rhel7:latest' locally
Trying to pull repository docker.io/library/rhel7 ... 
Pulling repository docker.io/library/rhel7
95612a3264fc: Pull complete 
Status: Downloaded newer image for docker.io/rhel7:latest
docker.io/library/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

# echo $?
133

# docker-latest ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                        PORTS               NAMES
fd7b05758e1a        rhel7               "/bin/bash"         11 seconds ago      Exited (133) 10 seconds ago                       hopeful_knuth

# docker-latest logs fd7b05758e1a

NOTE: nothing output


CAI Qian, could you help see above question? thanks.
Comment 10 Daniel Walsh 2016-04-28 12:30:29 UTC 
Alex, I think this is a white list of all of the syscalls allowed inside of your container, so it fails to start.

You need to add a lot more syscalls.
Comment 11 Alex Jia 2016-04-28 13:10:36 UTC 
(In reply to Daniel Walsh from comment #10)
> You need to add a lot more syscalls.

Daniel, is it enough to use default.json[1], I also gave a try ago, although return value of command is 0, I can't start the container and also no any output in docker-latest logs. 

[1] https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json
Comment 12 Daniel Walsh 2016-04-28 13:56:49 UTC 
Alex using the default.json should work.
Comment 13 Alex Jia 2016-04-28 14:01:18 UTC 
(In reply to Daniel Walsh from comment #12)
> Alex using the default.json should work.

Daniel, okay, but I can't start the container, is it an expected result?
Comment 14 Daniel Walsh 2016-04-29 19:10:35 UTC 
Nope, this is a bug.
Comment 15 Alex Jia 2016-05-03 04:14:01 UTC 
(In reply to Daniel Walsh from comment #14)
> Nope, this is a bug.

Daniel, okay, because seccomp config has been supported, I will close this bug and file new bug 1332369 to track above issue.
Comment 17 errata-xmlrpc 2016-05-12 14:55:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1057.html