Description of problem:

# docker-latest run --rm --security-opt seccomp:`pwd`/seccomp.json rhel7 /bin/bash
seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container dd37b2b6828edf55bb264eadd6a99148f1e6353bb765294d63fc48d95d31a16f: [9] System error: seccomp: config provided but seccomp not supported.

# rpm -qa | grep libseccomp
libseccomp-2.2.1-1.el7.x86_64
libseccomp-devel-2.2.1-1.el7.x86_64

Version-Release number of selected component (if applicable):
docker-latest-1.10.3-9.el7.x86_64

How reproducible:
always
Lokesh, it looks like we are not setting the seccomp build tag. Need to set this just like we turn on SELinux.

echo $DOCKER_BUILDTAGS
selinux seccomp
Dan, we're gonna need Bug 1325441 sorted to go ahead with this.
Is there any way to build without dockerinit support?
Created attachment 1147776 [details]
Let's compile dockerinit as shared and then not ship it.

This patch will allow you to compile dockerinit without libseccomp-static and then drop it from the package. We don't support lxc in RHEL anyway, and it gets dropped from docker in docker-1.11 anyway.
Fixed in upcoming.
Worked fine.
I can reproduce the issue on docker-latest-1.10.3-9.el7.x86_64 w/ libseccomp-2.2.1-1.el7.x86_64, but I still can't successfully start a container after upgrading docker-latest to 1.10.3-10; the details are as follows.

# cat example.json
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "name": "accept",
            "action": "SCMP_ACT_ALLOW",
            "args": []
        },
        {
            "name": "accept4",
            "action": "SCMP_ACT_ALLOW",
            "args": []
        }
    ]
}

# docker-latest run --security-opt seccomp:`pwd`/example.json rhel7 /bin/bash
Unable to find image 'rhel7:latest' locally
Trying to pull repository docker.io/library/rhel7 ...
Pulling repository docker.io/library/rhel7
95612a3264fc: Pull complete
Status: Downloaded newer image for docker.io/rhel7:latest
docker.io/library/rhel7: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.

# echo $?
133

# docker-latest ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                        PORTS               NAMES
fd7b05758e1a        rhel7               "/bin/bash"         11 seconds ago      Exited (133) 10 seconds ago                       hopeful_knuth

# docker-latest logs fd7b05758e1a
NOTE: nothing output

CAI Qian, could you help with the above question? Thanks.
Alex, I think this is a white list of all of the syscalls allowed inside of your container, so it fails to start. You need to add a lot more syscalls.
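To make Dan's point concrete, here is an added Python check (not code from this bug or from Docker) that parses the whitelist profile Alex posted and reports which syscalls a freshly started process needs that the profile does not allow. The set of startup syscalls is an assumption, deliberately small and not exhaustive; Docker's default.json allows far more.

```python
import json

# Constructed copy of the profile posted above: a whitelist that allows
# only accept/accept4 and returns an error for every other syscall.
TOO_STRICT_PROFILE = """
{ "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    { "name": "accept",  "action": "SCMP_ACT_ALLOW", "args": [] },
    { "name": "accept4", "action": "SCMP_ACT_ALLOW", "args": [] }
  ] }
"""

# Assumption: a minimal set of syscalls that any dynamically linked x86_64
# program issues before main() runs. This is a sanity floor, not a full list.
STARTUP_SYSCALLS = {"execve", "brk", "mmap", "mprotect", "munmap",
                    "read", "write", "close", "exit_group", "rt_sigaction"}


def allowed_syscalls(profile):
    """Return the set of syscall names the profile explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # docker 1.10 rules carry a single "name"; later profile versions
        # carry a "names" list. Accept both shapes.
        names = rule.get("names") or [rule.get("name")]
        allowed.update(n for n in names if n)
    return allowed


def check_profile(text):
    """Return the startup syscalls a whitelist profile would block."""
    profile = json.loads(text)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return set()  # blacklist-style profile: unlisted syscalls pass
    return STARTUP_SYSCALLS - allowed_syscalls(profile)


if __name__ == "__main__":
    blocked = check_profile(TOO_STRICT_PROFILE)
    print("startup syscalls blocked by the profile:", sorted(blocked))
```

Run against the posted profile it reports every startup syscall as blocked, which is why the container exits before bash ever produces output.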
(In reply to Daniel Walsh from comment #10)
> You need to add a lot more syscalls.

Daniel, is it enough to use default.json [1]? I also gave it a try; although the return value of the command is 0, I can't start the container and there is no output at all in docker-latest logs.

[1] https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json
Alex, using the default.json should work.
(In reply to Daniel Walsh from comment #12)
> Alex using the default.json should work.

Daniel, okay, but I can't start the container. Is it an expected result?
Nope, this is a bug.
(In reply to Daniel Walsh from comment #14)
> Nope, this is a bug.

Daniel, okay. Because seccomp config is now supported, I will close this bug and file a new bug, 1332369, to track the above issue.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1057.html