Bug 1961206

Summary: Backport runc fix for faccessat2 handling
Product: Red Hat Enterprise Linux 7
Reporter: Tim Waugh <twaugh>
Component: docker
Assignee: Jindrich Novy <jnovy>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: urgent
Priority: high
Version: 7.9
CC: amurdaca, ddarrah, dornelas, fweimer, jnovy, kdudka, kir, lfriedma, lsm5, mbasti, mpatel, tsweeney, v.podzimek+fedora, walters
Target Milestone: rc
Keywords: Extras
Last Closed: 2021-05-27 02:39:10 UTC
Type: Bug

Comment 7 Jindrich Novy 2021-05-19 15:20:02 UTC
*** Bug 1962080 has been marked as a duplicate of this bug. ***

Comment 9 Kir Kolyshkin 2021-05-27 02:39:10 UTC
The workaround is to use the scratch build available from comment #8 above (make sure to download it, as it goes away after some time).

The solution is to switch to OCP4.

The backport is very hard to do (I spent a few hours trying and got nowhere).

As the workaround is available, and it's impossible to have a backport, closing as WONTFIX.

Comment 10 Tim Waugh 2021-05-27 09:23:41 UTC
Thanks.

Comment 11 Vratislav Podzimek 2021-06-25 12:15:27 UTC
> The workaround is to use the scratch build available from comment #8 above (make sure to download it, as it goes away after some time).

Could you please share the workaround publicly? I cannot see comment #8 (marked as private, I guess).

> The solution is to switch to OCP4.

Please keep in mind people are using containers on RHEL 7 without OCP or even k8s.

Comment 12 Colin Walters 2021-06-25 13:19:42 UTC
> Could you please share the workaround publicly? 

The suggested workaround is to disable docker seccomp.

Isn't docker seccomp configurable without patching it?  I think the config file is in `/etc`.

Comment 13 Kir Kolyshkin 2021-06-25 23:26:37 UTC
> Could you please share the workaround publicly? I cannot see comment #8 (marked as private, I guess).

It was an internal build of the same docker version with seccomp support disabled.

In your case, I think, the best way is to either self-compile a fixed runc version
(1.0.0 is recommended, although you can use 1.0.0-rc93 or any later version), or
use a prebuilt static binary from https://github.com/opencontainers/runc/releases
(look for runc.amd64 file under "Assets"; again, version 1.0.0 is recommended),
AND make sure docker is using your version of runc.

Comment 14 Vratislav Podzimek 2021-07-14 08:39:58 UTC
Please keep in mind this affects not only docker but also podman and buildah. But do I understand it correctly that they all use runc these days and so newer runc will just fix the issue for all of them? Will it be compatible with the older versions of the tools?

Comment 15 Tom Sweeney 2021-07-14 12:56:31 UTC
Upgrading runc for the version of Docker on RHEL 7 was not possible.  Unless Kir corrects me, that's the only tool that can not handle the updated runc that has been put into play that contains the fix.  The newer runc does fix the issue in other projects.

Comment 16 Red Hat Bugzilla 2023-09-15 01:06:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days