Bug 2040247

Summary: systemd: Unknown system calls should produce ENOSYS under systemd-nspawn
Product: Red Hat Enterprise Linux 8 Reporter: Florian Weimer <fweimer>
Component: systemd Assignee: David Tardon <dtardon>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5 CC: anoopcs, dtardon, jamacku, jpena, systemd-maint-list
Target Milestone: rc Keywords: Bugfix, Reproducer, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: systemd-239-65.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:49:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
probe-system-calls.c none

Description Florian Weimer 2022-01-13 10:03:02 UTC
Created attachment 1850549 [details]
probe-system-calls.c

The attached program, when running under systemd-container-239-51.el8.x86_64, produces the following output for the arguments “400 430”:

400: -1 (errno 1 [EPERM])
401: -1 (errno 1 [EPERM])
402: -1 (errno 1 [EPERM])
403: -1 (errno 1 [EPERM])
404: -1 (errno 1 [EPERM])
405: -1 (errno 1 [EPERM])
406: -1 (errno 1 [EPERM])
407: -1 (errno 1 [EPERM])
408: -1 (errno 1 [EPERM])
409: -1 (errno 1 [EPERM])
410: -1 (errno 1 [EPERM])
411: -1 (errno 1 [EPERM])
412: -1 (errno 1 [EPERM])
413: -1 (errno 1 [EPERM])
414: -1 (errno 1 [EPERM])
415: -1 (errno 1 [EPERM])
416: -1 (errno 1 [EPERM])
417: -1 (errno 1 [EPERM])
418: -1 (errno 1 [EPERM])
419: -1 (errno 1 [EPERM])
420: -1 (errno 1 [EPERM])
421: -1 (errno 1 [EPERM])
422: -1 (errno 1 [EPERM])
423: -1 (errno 1 [EPERM])
424: -1 (errno 1 [EPERM])
425: -1 (errno 1 [EPERM])
426: -1 (errno 1 [EPERM])
427: -1 (errno 1 [EPERM])
428: -1 (errno 1 [EPERM])
429: -1 (errno 1 [EPERM])
430: -1 (errno 1 [EPERM])

This means that systemd-nspawn breaks various distributions that use newer system calls in glibc. Only ENOSYS triggers fallback; EPERM is treated as a regular system call error.

This causes errors like this one in mock:

Errors during downloading metadata for repository 'fedora':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64 [getaddrinfo() thread failed to start]
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64 [getaddrinfo() thread failed to start]

For mock, the workaround is to use “simple” isolation (not systemd-nspawn). That is, add this line to /etc/mock/site-defaults.cfg:

config_opts['isolation'] = 'simple'

But ideally, this workaround should not be needed.

This appears to have been fixed in Fedora; I don't see these EPERM errors with systemd-container-249.7-2.fc35.x86_64.
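
The ENOSYS-versus-EPERM distinction described in the report above, as an added example (this is not the attached probe-system-calls.c and not code from systemd or glibc): it probes a range of system call numbers and shows that a try-newer-then-older wrapper falls back only on ENOSYS. The names classify, call_with_fallback and the stub_* functions are hypothetical, and the stubs are constructed stand-ins for a filtered call.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* What a caller can conclude from the result of one system call. */
enum verdict { SC_MISSING, SC_DENIED, SC_PRESENT };

/* ENOSYS means "no such call", so a fallback is safe. EPERM looks like a
   genuine permission failure. Any other result means the call exists. */
enum verdict classify(long ret, int err)
{
    if (ret == -1 && err == ENOSYS) return SC_MISSING;
    if (ret == -1 && err == EPERM)  return SC_DENIED;
    return SC_PRESENT;
}

typedef long (*sc_fn)(void);

/* Try the newer call; use the older one only when the newer reports ENOSYS. */
long call_with_fallback(sc_fn newer, sc_fn older, int *used_fallback)
{
    long ret = newer();
    *used_fallback = (ret == -1 && errno == ENOSYS);
    return *used_fallback ? older() : ret;
}

/* Constructed stand-ins for a filtered newer call and a working older call. */
long stub_enosys(void) { errno = ENOSYS; return -1; }
long stub_eperm(void)  { errno = EPERM;  return -1; }
long stub_older(void)  { return 0; }

int main(int argc, char **argv)
{
    static const char *const names[] = { "missing: fallback", "denied: hard error", "present" };
    long first = argc > 2 ? atol(argv[1]) : 400;  /* default range taken from the report */
    long last  = argc > 2 ? atol(argv[2]) : 430;
    for (long nr = first; nr <= last; nr++) {
        errno = 0;
        long ret = syscall(nr, 0L, 0L, 0L, 0L, 0L, 0L);
        int err = errno;
        printf("%ld: %ld (errno %d) -> %s\n", nr, ret, err, names[classify(ret, err)]);
    }
    int fb;
    long r = call_with_fallback(stub_eperm, stub_older, &fb);
    printf("EPERM from newer call: result %ld, fallback used: %d\n", r, fb);
    return 0;
}
```

Run inside and outside the container with the same range; a sandbox that answers "denied" for numbers the host reports as "missing" reproduces the behaviour in this report.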

Comment 1 Florian Weimer 2022-01-13 10:10:27 UTC
Bug 1985499 is essentially the same issue for the podman container stack. It was changed to use ENOSYS.

Comment 3 David Tardon 2022-04-21 12:29:44 UTC
*** Bug 1992708 has been marked as a duplicate of this bug. ***

Comment 4 Plumber Bot 2022-08-18 12:06:01 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/286

Comment 8 errata-xmlrpc 2022-11-08 10:49:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7727