Bug 2218663

Summary: [abrt] oci-seccomp-bpf-hook: runtime.raise(): oci-seccomp-bpf-hook killed by SIGABRT
Product: [Fedora] Fedora Reporter: xspielinbox+redhat
Component: oci-seccomp-bpf-hookAssignee: Valentin Rothberg <vrothber>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: container-sig, go-sig, gscrivan, jnovy, lsm5, rh.container.bot, vrothber, xspielinbox+redhat
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/e9d36dfa2ffe91aa5ca8854f7235884d7994908
Whiteboard: abrt_hash:61d175b91fe33017f9297f584e38ee5da56a1063;VARIANT_ID=workstation;
Fixed In Version: oci-seccomp-bpf-hook-1.2.10-1.fc38 oci-seccomp-bpf-hook-1.2.10-1.fc37 oci-seccomp-bpf-hook-1.2.10-1.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-29 01:33:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: proc_pid_status
none
File: maps
none
File: limits
none
File: open_fds
none
File: mountinfo
none
File: os_info
none
File: cpuinfo
none
File: core_backtrace
none
File: dso_list
none
File: backtrace
none
File: environ none

Description xspielinbox+redhat 2023-06-29 18:56:18 UTC 
Description of problem:
I used oci-seccomp-bpf-hook without root (podman run [...] --annotation io.containers.trace-syscall=of:/tmp/seccomp-custom.json [...]).
It then gave me the cryptic error "Error: OCI runtime error: crun: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1)"
and crashed.

I know, that it does not work without administrative permission, but the error handling could be improved.
It should not crash with insufficient permission, but this should be handled "gracefully" and the error message should perhaps include something that would indicate, what the error could be, e.g. that it has some permissions problems.

Version-Release number of selected component:
oci-seccomp-bpf-hook-1.2.9-1.fc38

Additional info:
reporter:       libreport-2.17.10
type:           CCpp
reason:         oci-seccomp-bpf-hook killed by SIGABRT
journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=1de052;b=633cd69c786741e2b385c6d8365fddf7;m=56f3e723b;t=5ff48c544934e;x=3805e3d70f08887
executable:     /usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook
cmdline:        oci-seccomp-bpf-hook -r 54024 -o /tmp/seccomp-custom.json -i
cgroup:         0::/user.slice/user-1000.slice/user/user.slice/libpod-conmon-10893be2bbe297589572c3d765953536d4c86aa67c45f9d3e214961ae3ddbfe5.scope
rootdir:        /
uid:            1000
kernel:         6.3.8-200.fc38.x86_64
package:        oci-seccomp-bpf-hook-1.2.9-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: runtime.raise

Truncated backtrace:
Thread no. 1 (22 frames)
 #0 runtime.raise at /usr/lib/golang/src/runtime/sys_linux_amd64.s:154
 #1 runtime.dieFromSignal at /usr/lib/golang/src/runtime/signal_unix.go:879
 #2 runtime.sigfwdgo at /usr/lib/golang/src/runtime/signal_unix.go:1092
 #3 runtime.sigtrampgo at /usr/lib/golang/src/runtime/signal_unix.go:432
 #4 runtime.sigtramp at /usr/lib/golang/src/runtime/sys_linux_amd64.s:354
 #6 runtime.raise at /usr/lib/golang/src/runtime/sys_linux_amd64.s:154
 #7 runtime.dieFromSignal at /usr/lib/golang/src/runtime/signal_unix.go:879
 #8 runtime.crash at /usr/lib/golang/src/runtime/signal_unix.go:971
 #9 runtime.fatalpanic at /usr/lib/golang/src/runtime/panic.go:1168
 #10 runtime.gopanic at /usr/lib/golang/src/runtime/panic.go:987
 #11 runtime.panicmem at /usr/lib/golang/src/runtime/panic.go:260
 #12 runtime.sigpanic at /usr/lib/golang/src/runtime/signal_unix.go:837
 #13 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Close.func1 at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:155
 #14 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Close at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:155
 #15 main.runBPFSource.func3 at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:223
 #16 runtime.gopanic at /usr/lib/golang/src/runtime/panic.go:890
 #17 runtime.panicmem at /usr/lib/golang/src/runtime/panic.go:260
 #18 runtime.sigpanic at /usr/lib/golang/src/runtime/signal_unix.go:837
 #19 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Load at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:224
 #20 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).LoadTracepoint at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:205
 #21 main.runBPFSource at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:226
 #22 main.main at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:84
Comment 1 xspielinbox+redhat 2023-06-29 18:56:21 UTC 
Created attachment 1973238 [details]
File: proc_pid_status
Comment 2 xspielinbox+redhat 2023-06-29 18:56:23 UTC 
Created attachment 1973239 [details]
File: maps
Comment 3 xspielinbox+redhat 2023-06-29 18:56:24 UTC 
Created attachment 1973240 [details]
File: limits
Comment 4 xspielinbox+redhat 2023-06-29 18:56:26 UTC 
Created attachment 1973241 [details]
File: open_fds
Comment 5 xspielinbox+redhat 2023-06-29 18:56:28 UTC 
Created attachment 1973242 [details]
File: mountinfo
Comment 6 xspielinbox+redhat 2023-06-29 18:56:29 UTC 
Created attachment 1973243 [details]
File: os_info
Comment 7 xspielinbox+redhat 2023-06-29 18:56:31 UTC 
Created attachment 1973244 [details]
File: cpuinfo
Comment 8 xspielinbox+redhat 2023-06-29 18:56:33 UTC 
Created attachment 1973245 [details]
File: core_backtrace
Comment 9 xspielinbox+redhat 2023-06-29 18:56:34 UTC 
Created attachment 1973246 [details]
File: dso_list
Comment 10 xspielinbox+redhat 2023-06-29 18:56:36 UTC 
Created attachment 1973247 [details]
File: backtrace
Comment 11 xspielinbox+redhat 2023-06-29 18:56:38 UTC 
Created attachment 1973248 [details]
File: environ
Comment 12 Lokesh Mandvekar 2023-10-19 13:43:33 UTC 
@vrothber I think you're the right assignee for this one.
Comment 13 Valentin Rothberg 2023-10-20 08:54:04 UTC 
Thanks for the ping, Lokesh.

I just cut a new release: https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.2.10
Comment 14 Fedora Update System 2023-10-20 12:26:37 UTC 
FEDORA-2023-b5e4faa25d has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5e4faa25d
Comment 15 Fedora Update System 2023-10-20 12:37:26 UTC 
FEDORA-2023-af4175e2f6 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-af4175e2f6
Comment 16 Fedora Update System 2023-10-20 13:24:42 UTC 
FEDORA-2023-f81f315bef has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f81f315bef
Comment 17 Fedora Update System 2023-10-21 02:27:40 UTC 
FEDORA-2023-b5e4faa25d has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5e4faa25d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5e4faa25d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 18 Fedora Update System 2023-10-21 02:40:08 UTC 
FEDORA-2023-af4175e2f6 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-af4175e2f6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-af4175e2f6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 19 Fedora Update System 2023-10-21 02:40:46 UTC 
FEDORA-2023-f81f315bef has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f81f315bef`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f81f315bef

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 20 xspielinbox+redhat 2023-10-22 10:23:23 UTC 
thank you!

It does not crash anymore, but it only prints "Error: OCI runtime error: crun: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1)".
I saw that in https://github.com/containers/oci-seccomp-bpf-hook/pull/121/commits/9ca3f9f7b5d67a7208f07b9f7e456268ae6d634b#diff-54c511f7058b24c50b8b82124335c316c9f83b4c4798200d41a7eb27444acec3R61 there was a better error message added. Where should that show up?
Comment 21 Valentin Rothberg 2023-10-23 06:44:01 UTC 
The new error from the hook will show up in the syslog/journal.  The one you're seeing is outside of the hook's control.

@Giuseppe:  Could crun include stdout/stderr of the hook when it exits non-zero?
Comment 22 xspielinbox+redhat 2023-10-23 09:48:17 UTC 
Ah, yes. In journalctl I can indeed see the message.
Comment 23 Fedora Update System 2023-10-29 01:33:25 UTC 
FEDORA-2023-af4175e2f6 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 24 Fedora Update System 2023-10-29 01:47:07 UTC 
FEDORA-2023-f81f315bef has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 25 Fedora Update System 2023-11-03 18:43:08 UTC 
FEDORA-2023-b5e4faa25d has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 26 Red Hat Bugzilla 2024-03-03 04:25:13 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days