Bug 1784228
| Summary: | Whitelist statx(2) in docker | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Yaakov Selkowitz <yselkowi> |
| Component: | docker | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | ajia, amurdaca, dapospis, dwalsh, jnovy, lfriedma, lsm5, tborcin, toneata |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | 7.8 | | |
| Hardware: | s390x | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | docker-1.13.1-152.git4ef4b30.el7_8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-01 00:26:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1762578 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Yaakov Selkowitz
2019-12-17 02:18:24 UTC
Created attachment 1645725
Patch for extras-rhel-7.8

As our RPM provides a seccomp.json, this dist-git patch should suffice, but it probably would be better to also cherry-pick the upstream fix into our docker sources:

https://github.com/moby/moby/commit/f0694e968fe600efdf24ab0d3a1b0e887267aea2

Any chance you can change to Podman, which comes with an updated seccomp.json?

No, the builders use docker.

Patched also the seccomp.json directly in dist-git. All should be good now.

This bug has been verified in docker-1.13.1-152.git4ef4b30.el7_8.x86_64 and docker-1.13.1-156.gitcccb291.el7_8.x86_64.

1. docker-1.13.1-152.git4ef4b30.el7_8.x86_64

```
[root@kvm-08-guest30 ~]# rpm -q docker
docker-1.13.1-152.git4ef4b30.el7_8.x86_64
[root@kvm-08-guest30 ~]# grep statx /etc/docker/seccomp.json
"statx",
[root@kvm-08-guest30 ~]# docker run -ti -u 0 registry.access.redhat.com/rhscl/s2i-base-rhel7 bash
bash-4.2# rpm -qa|grep rh-nodejs10
rh-nodejs10-runtime-3.2-3.el7.x86_64
rh-nodejs10-nodejs-10.16.3-4.el7.x86_64
rh-nodejs10-npm-6.9.0-10.16.3.4.el7.x86_64
bash-4.2# scl enable rh-nodejs10 -- npm --version
6.9.0
```

2. docker-1.13.1-156.gitcccb291.el7_8.x86_64

```
[root@kvm-08-guest30 ~]# rpm -q docker
docker-1.13.1-156.gitcccb291.el7_8.x86_64
[root@kvm-08-guest30 ~]# grep statx /etc/docker/seccomp.json
"statx",
[root@kvm-08-guest30 ~]# docker run -ti -u 0 registry.access.redhat.com/rhscl/s2i-base-rhel7 bash
bash-4.2# rpm -qa|grep rh-nodejs10
rh-nodejs10-runtime-3.2-3.el7.x86_64
rh-nodejs10-nodejs-10.16.3-4.el7.x86_64
rh-nodejs10-npm-6.9.0-10.16.3.4.el7.x86_64
bash-4.2# scl enable rh-nodejs10 -- npm --version
6.9.0
```

Also verified in docker-1.13.1-161.git64e9980.el7_8.x86_64.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1234
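
The verification above greps `/etc/docker/seccomp.json` for the string `statx`, which shows the name is present but not which action or conditions apply to it. The following is an added example, not part of the bug report or the docker package, that parses a profile and reports how a syscall is treated. The sample profile is constructed, the function names are hypothetical, and conditional rules (argument, capability or arch filters) are reported but not evaluated.

```python
import json

# Constructed sample in the Moby seccomp profile layout (not the shipped RHEL file).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["stat", "stat64", "statfs", "statx"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    {"name": "uname", "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["mount"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")


def rules_for(profile, syscall):
    """Return every rule naming `syscall` (newer "names" list or older "name" key)."""
    hits = []
    for rule in profile.get("syscalls") or []:
        names = list(rule.get("names") or [])
        if rule.get("name"):
            names.append(rule["name"])
        if syscall in names:
            hits.append(rule)
    return hits


def is_conditional(rule):
    """A rule is conditional if it filters on arguments, capabilities or arch."""
    return bool(rule.get("args") or rule.get("includes") or rule.get("excludes"))


def verdict(profile, syscall):
    """Classify how the profile treats `syscall`."""
    rules = rules_for(profile, syscall)
    if not rules:
        return "default:" + profile.get("defaultAction", "unset")
    for rule in rules:
        if not is_conditional(rule):
            return "always:" + rule["action"]
    return "conditional:" + rules[0]["action"]


if __name__ == "__main__":
    for name in ("statx", "personality", "mount", "kexec_load"):
        print(name, verdict(SAMPLE_PROFILE, name))
```

To check a real host, load the file with `json.load(open("/etc/docker/seccomp.json"))` and pass the result to `verdict` in place of `SAMPLE_PROFILE`.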