Bug 2053990

Summary: runc has unversioned dependency on libseccomp
Product: Red Hat Enterprise Linux 8 Reporter: Scott Dodson <sdodson>
Component: runcAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Alex Jia <ajia>
Severity: medium Docs Contact:
Priority: unspecified    
Version: ---CC: alancuberoab, dwalsh, jnovy, joyeuxnye, jwakely, kir, lsm5, tsweeney, ypu
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: runc-1.0.3-3.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 09:14:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Dodson 2022-02-13 19:52:40 UTC 
Description of problem:
Runc fails when libseccomp < 2.5 is installed on a system, such as when installing runc onto a RHEL 8.3 host which already has libseccomp 2.4 installed.


Version-Release number of selected component (if applicable):
runc-3:1.1.0-1.rhaos4.10.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Provision a RHEL 8.3 host, ensure libseccomp 2.4 is installed
2. Install runc-3:1.1.0-1.rhaos4.10.el8.x86_64, podman and friends
3. podman run --rm registry.build03.ci.openshift.org/ci-op-g2j85snf/release@sha256:03540f6edcc4d35c8880ae92cc592cdbdd927f3d767c241f9986dc0908d05ac3 image machine-config-operator

Actual results:
"/usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond", 
"time=\"2022-02-10T18:43:20Z\" level=error msg=\"Error removing container fb63b3897f8c9ba0ccb7dc24a70d869ed7a8ffb875686f92720f160a79902fe5 from runtime after creation failed\"", 
"Error: OCI runtime error: /usr/bin/runc: symbol lookup error: /usr/bin/runc: undefined symbol: seccomp_notify_respond"

Expected results:
Successful container running

Additional info:
It seems seccomp_notify_respond was added in 2.5, I'd expect the rpm to depend on libseccomp >= 2.5 to avoid this issue.
Comment 1 Scott Dodson 2022-02-13 19:57:30 UTC 
This report is based upon the output of a failed CI job run, while RHEL 8.4 is a requirement of OCP 4.10, it seems like runc package dependencies should be properly defined to avoid issues like this.

If the rest of the packages installed may be relevant you can find the full package list installed atop RHEL 8.3 in the logs here.
https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_openshift-ansible/12371/pull-ci-openshift-openshift-ansible-release-4.10-e2e-aws-workers-rhel8/1491831412284723200/build-log.txt

Search for "runc-3:1.1.0-1.rhaos4.10.el8.x86_64"
Comment 3 Jindrich Novy 2022-03-03 13:46:31 UTC 
Sounds good, targeting this at the following release.

Can we get qa ack please?
Comment 6 Alex Jia 2022-03-15 09:58:15 UTC 
[root@kvm-08-guest11 ~]# rpm -q libseccomp
libseccomp-2.4.3-1.el8.x86_64

[root@kvm-08-guest11 ~]# yum install http://XXX/rhel-8/packages/runc/1.0.3/3.module+el8.7.0+14440+ed5f482d/x86_64/runc-1.0.3-3.module+el8.7.0+14440+ed5f482d.x86_64.rpm
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Last metadata expiration check: 2:58:54 ago on Tue 15 Mar 2022 02:56:41 AM EDT.
runc-1.0.3-3.module+el8.7.0+14440+ed5f482d.x86_64.rpm                                                                                                          16 MB/s | 3.0 MB     00:00    
Error: 
 Problem: conflicting requests
  - nothing provides libseccomp >= 2.5 needed by runc-1:1.0.3-3.module+el8.7.0+14440+ed5f482d.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
Comment 8 errata-xmlrpc 2022-11-08 09:14:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457