Bug 1848078

Summary: Cannot run oci-seccomp-bpf-hook with Podman and Crun with cgroups V2
Product: [Fedora] Fedora
Component: oci-seccomp-bpf-hook
Version: 32
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Scott McCarty <smccarty>
Assignee: Lokesh Mandvekar <lsm5>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jnovy, lsm5, rh.container.bot, vrothber
Fixed In Version: oci-seccomp-bpf-hook-1.1.1-1.fc32 oci-seccomp-bpf-hook-1.1.1-1.fc31
Last Closed: 2020-06-27 02:06:28 UTC
Type: Bug

Description Scott McCarty 2020-06-17 16:06:31 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
100%


Steps to Reproduce:
1. yum install podman oci-seccomp-bpf-hook
2. podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls


Actual results:

[root@fedora ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
Error: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1): OCI runtime error


Expected results:

[root@fedora ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var



Additional info:
It appears to work after you run these commands:

yum install bpftrace
bpftrace -e 'BEGIN { printf("hello world\n"); }'

Comment 1 Lokesh Mandvekar 2020-06-17 18:33:47 UTC
What version of podman are you using btw? 

Seems to work for me on f32 without bpftrace.

lsm5 @ nagato : ~(master) $ podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
Trying to pull registry.fedoraproject.org/fedora:30...
Getting image source signatures
Copying blob ec1dd3aa5ab3 done  
Copying config c197b0ab77 done  
Writing manifest to image destination
Storing signatures
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

lsm5 @ nagato : ~(master) $ rpm -q oci-seccomp-bpf-hook bpftrace podman
oci-seccomp-bpf-hook-1.1.0-2.fc32.x86_64
package bpftrace is not installed
podman-2.0.0-0.2.rc6.fc32.x86_64

Comment 2 Valentin Rothberg 2020-06-18 09:23:33 UTC
Note that it works on Fedora 32 Workstation but not on Fedora 32 _Server_. 

We made the same observation on the Fedora Cloud images. Curiously enough, it works after executing some of the bpftools:

```
[root@localhost ~]# /usr/share/bcc/tools/hardirqs
Tracing hard irq event time... Hit Ctrl-C to end.
^C
HARDIRQ                    TOTAL_usecs
[root@localhost ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```

Note that it stops working after a reboot.

Comment 3 Valentin Rothberg 2020-06-18 09:50:38 UTC
Thanks to the mighty Giuseppe Scrivano, we found that `modprobe kheaders` solves the issue. I'll prepare a PR upstream.
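
Added example, not part of the bug thread or the hook's code: a preflight check built on comment 3's finding that `modprobe kheaders` resolves the failure. It assumes the loaded module exposes `/sys/kernel/kheaders.tar.xz` and that an installed header tree sits at `/lib/modules/<release>/build`; the function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example: check for a kernel header source before tracing with
# oci-seccomp-bpf-hook. Function names and status words are hypothetical.

# Print where headers for kernel release KVER can come from, looking under
# ROOT ("" on a live system; tests point it at a constructed directory tree).
kheaders_status() {
    root=$1
    kver=$2
    if [ -e "$root/sys/kernel/kheaders.tar.xz" ]; then
        # kheaders is loaded (or built in): the header archive is exposed.
        echo loaded
    elif [ -d "$root/lib/modules/$kver/build/include" ]; then
        # A header tree for this kernel release is installed on disk.
        echo devel
    elif [ -n "$(find "$root/lib/modules/$kver" -name 'kheaders.ko*' 2>/dev/null | head -n 1)" ]; then
        # Module present but not loaded: the state comment 3 fixed by hand.
        echo loadable
    else
        echo missing
    fi
}

# Map the status to the action an operator should take.
kheaders_advice() {
    case $(kheaders_status "$1" "$2") in
        loaded|devel) echo "ok" ;;
        loadable)     echo "run: modprobe kheaders" ;;
        *)            echo "no kernel header source found" ;;
    esac
}

# Live check: sh thisfile check
if [ "${1:-}" = "check" ]; then
    kheaders_advice "" "$(uname -r)"
fi
```

Because a manually loaded module does not survive a reboot (comment 2), a check like this has to run on every boot rather than once per host.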

Comment 4 Valentin Rothberg 2020-06-18 13:21:44 UTC
v1.1.1 of the hook has just been released and fixes the issue:
https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.1.1

Comment 5 Fedora Update System 2020-06-18 17:35:12 UTC
FEDORA-2020-d52fcbe01d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d

Comment 6 Fedora Update System 2020-06-18 17:35:40 UTC
FEDORA-2020-1177983024 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024

Comment 7 Fedora Update System 2020-06-19 16:15:56 UTC
FEDORA-2020-1177983024 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1177983024`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-06-19 21:55:28 UTC
FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d52fcbe01d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-06-27 02:06:28 UTC
FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-06-27 03:07:29 UTC
FEDORA-2020-1177983024 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.