Bug 2034209

Summary: Seccomp rules break F35 container DNS resolution
Product: Red Hat Enterprise Linux 7
Reporter: Pavel Raiskup <praiskup>
Component: podman
Assignee: Paul Holzinger <pholzing>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: unspecified
Version: 7.9
CC: bbaude, dwalsh, fweimer, gscrivan, jligon, jnovy, lsm5, mharri, mheon, ngompa13, pholzing, tsweeney, umohnani
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-02-26 17:51:10 UTC
Type: Bug

Description Pavel Raiskup 2021-12-20 12:05:55 UTC
Seems related to: https://github.com/containers/buildah/issues/2168
(or is very similar)

When we run `mock -r fedora-35-x86_64 --shell`, the DNF process in
`podman run` fails with:
```
Fedora 35 - x86_64                              0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'fedora':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
```

What we do in Mock is just `podman start` and `podman exec`, without
the --privileged option, as a non-root user.

Can the seccomp rules be updated to fix DNS resolution in newer images?

Comment 3 Neal Gompa 2021-12-20 12:11:48 UTC
This affects Docker on RHEL 7 too.

Comment 4 Pavel Raiskup 2021-12-20 13:01:01 UTC
> What we do in Mock is just `podman start` and `podman exec`, without
> the --privileged option, as a non-root user.

I checked once more, and we are running it as the root user (bad). Nevertheless,
I tested both the root and non-root scenarios manually and they behave the same.

Comment 5 Tom Sweeney 2021-12-22 21:33:59 UTC
Paul, can you take a look at this please?

Comment 7 Giuseppe Scrivano 2022-02-24 13:43:28 UTC
I think it also requires an update in libseccomp which is unlikely to happen in 7.9.

We have a definitive fix for this issue in RHEL 8, but it touches a few components and it won't be backported to RHEL 7.

Could you just disable seccomp for F35 containers with `--security-opt seccomp=unconfined`?

Comment 8 Tom Sweeney 2022-02-24 15:37:27 UTC
@praiskup please see https://bugzilla.redhat.com/show_bug.cgi?id=2034209#c7

Comment 9 Pavel Raiskup 2022-02-25 08:33:15 UTC
I think we could turn off seccomp for all images, not only F35?
https://github.com/rpm-software-management/mock/pulls

Comment 10 Pavel Raiskup 2022-02-25 08:33:37 UTC
I mean: https://github.com/rpm-software-management/mock/pull/872

Comment 11 Giuseppe Scrivano 2022-02-25 09:00:48 UTC
Better not to disable seccomp by default; just do that on RHEL 7 when using Fedora 35+ images with an updated glibc.

On RHEL 8 there is no need to disable seccomp because ENOSYS will be returned for syscalls unknown to the seccomp profile.
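The distinction Giuseppe draws above, that a profile returning ENOSYS for syscalls it does not know lets a newer glibc fall back to an older syscall while EPERM makes the same probe look like a hard failure (the "thread failed to start" in the description), as an added example rather than anything from the bug report or from podman's own code: a small Python audit that reads an OCI seccomp profile and reports what a syscall the profile never lists will get back. The two profiles are constructed and deliberately tiny, not the real containers default seccomp.json; `defaultErrnoRet` is the field the OCI runtime spec uses for this and defaults to EPERM when absent, and the errno numbers are the Linux ones.

```python
"""Audit an OCI seccomp profile for how it treats syscalls it does not list.

Added example for the EPERM-versus-ENOSYS point in comment 11; not the bug
report's or podman's code. The two profiles below are constructed and tiny.
"""
import json
from typing import Optional

# Linux errno values, which is what the kernel hands back to the filtered process.
EPERM = 1
ENOSYS = 38
ERRNO_NAMES = {EPERM: "EPERM", ENOSYS: "ENOSYS"}

# Constructed profile in the older style: anything not listed hits the default
# action, and with no defaultErrnoRet the OCI runtime spec makes that EPERM.
PROFILE_EPERM = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "clone", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
})

# Constructed profile in the newer style: unknown syscalls return ENOSYS, so a
# libc that probes a new syscall falls back to the old one instead of failing.
PROFILE_ENOSYS = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": ENOSYS,
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "clone", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
})


def allowed_syscalls(profile: dict) -> set:
    """Collect every syscall name the profile explicitly allows."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
            if "name" in rule:  # older single-name rule form
                names.add(rule["name"])
    return names


def unknown_syscall_errno(profile: dict) -> Optional[int]:
    """Errno a process sees for a syscall the profile does not mention.

    Returns None when the default action is not an errno-returning one
    (e.g. SCMP_ACT_ALLOW or SCMP_ACT_KILL), since no errno applies there.
    """
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        return None
    return int(profile.get("defaultErrnoRet", EPERM))


def audit_profile(profile_text: str) -> dict:
    """Summarise how a profile treats syscalls it has never heard of."""
    profile = json.loads(profile_text)
    err = unknown_syscall_errno(profile)
    return {
        "default_action": profile.get("defaultAction"),
        "unknown_syscall_errno": err,
        "unknown_syscall_errno_name": ERRNO_NAMES.get(err, str(err)),
        "allowed_count": len(allowed_syscalls(profile)),
        # glibc's probe-then-fall-back pattern only works when the probe fails
        # with ENOSYS; EPERM is reported to the caller as a real failure.
        "libc_fallback_works": err == ENOSYS,
    }


def outcome_for(profile_text: str, syscall_name: str) -> str:
    """What one syscall gets under the profile: 'allowed', an errno name, or the raw action."""
    profile = json.loads(profile_text)
    if syscall_name in allowed_syscalls(profile):
        return "allowed"
    err = unknown_syscall_errno(profile)
    if err is None:
        return profile.get("defaultAction", "unknown")
    return ERRNO_NAMES.get(err, str(err))


if __name__ == "__main__":
    for label, text in (("EPERM profile", PROFILE_EPERM), ("ENOSYS profile", PROFILE_ENOSYS)):
        print(label, audit_profile(text))
        # "new_syscall" is a hypothetical name standing in for any syscall the profile predates.
        print("  new_syscall ->", outcome_for(text, "new_syscall"))
```

Running an audit like this against the profile a runtime actually loads tells you whether a host is on the EPERM side of the line, where the workaround the thread settles on (`--security-opt seccomp=unconfined`) removes the filter entirely, or on the ENOSYS side, where the default profile can stay in place.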

Comment 12 Daniel Walsh 2022-02-26 17:51:10 UTC
There will be no backported fixes for RHEL 7. It no longer gets updated. Disabling seccomp or updating to RHEL 8 is the only option.