Bug 1327679 - seccomp: config provided but seccomp not supported
Summary: seccomp: config provided but seccomp not supported
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker-latest
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Matthew Heon
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1325441
Blocks: docker-1.10 1305185
Reported: 2016-04-15 15:42 UTC by Qian Cai
Modified: 2016-05-12 14:55 UTC

Fixed In Version: docker-1.10.3-10.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 14:55:27 UTC
Target Upstream Version:
Embargoed:


Attachments
Let's compile dockerinit as shared and then not ship it. (488 bytes, patch)
2016-04-15 20:59 UTC, Daniel Walsh


Links
System: Red Hat Product Errata | ID: RHEA-2016:1057 | Priority: normal | Status: SHIPPED_LIVE | Summary: new packages: docker-latest | Last Updated: 2016-05-12 18:51:24 UTC

Description Qian Cai 2016-04-15 15:42:46 UTC
Description of problem:
# docker-latest run --rm --security-opt seccomp:`pwd`/seccomp.json rhel7 /bin/bash
seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container dd37b2b6828edf55bb264eadd6a99148f1e6353bb765294d63fc48d95d31a16f: [9] System error: seccomp: config provided but seccomp not supported.

# rpm -qa | grep libseccomp
libseccomp-2.2.1-1.el7.x86_64
libseccomp-devel-2.2.1-1.el7.x86_64

Version-Release number of selected component (if applicable):
docker-latest-1.10.3-9.el7.x86_64

How reproducible:
always

Comment 2 Daniel Walsh 2016-04-15 16:24:26 UTC
Lokesh, it looks like we are not setting the seccomp build tag. We need to set this just like we turn on SELinux.

echo $DOCKER_BUILDTAGS 
selinux seccomp

Comment 3 Lokesh Mandvekar 2016-04-15 19:42:42 UTC
Dan, we're gonna need Bug 1325441 sorted to go ahead with this.

Comment 4 Daniel Walsh 2016-04-15 20:50:15 UTC
Is there any way to build without dockerinit support?

Comment 5 Daniel Walsh 2016-04-15 20:59:56 UTC
Created attachment 1147776 [details]
Let's compile dockerinit as shared and then not ship it.

This patch will allow you to compile dockerinit without libseccomp-static and then drop it from the package. We don't support lxc in RHEL anyway, and it gets dropped from docker in docker-1.11 anyway.

Comment 6 Lokesh Mandvekar 2016-04-18 16:57:31 UTC
fixed in upcoming..

Comment 8 Qian Cai 2016-04-19 18:36:23 UTC
Worked fine.

Comment 9 Alex Jia 2016-04-28 10:03:56 UTC
I can reproduce the issue on docker-latest-1.10.3-9.el7.x86_64 w/ libseccomp-2.2.1-1.el7.x86_64, but I still can't successfully start a container after upgrading docker-latest to 1.10.3-10; the details are as follows.

# cat example.json 
{
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [
                "SCMP_ARCH_X86_64",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X32"
        ],
        "syscalls": [
                {
                        "name": "accept",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                },
                {
                        "name": "accept4",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                }
        ]
}

# docker-latest run --security-opt seccomp:`pwd`/example.json rhel7 /bin/bash
Unable to find image 'rhel7:latest' locally
Trying to pull repository docker.io/library/rhel7 ... 
Pulling repository docker.io/library/rhel7
95612a3264fc: Pull complete 
Status: Downloaded newer image for docker.io/rhel7:latest
docker.io/library/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

# echo $?
133

# docker-latest ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                        PORTS               NAMES
fd7b05758e1a        rhel7               "/bin/bash"         11 seconds ago      Exited (133) 10 seconds ago                       hopeful_knuth

# docker-latest logs fd7b05758e1a

NOTE: nothing was output


CAI Qian, could you help look at the above question? Thanks.

Comment 10 Daniel Walsh 2016-04-28 12:30:29 UTC
Alex, I think this is a whitelist of all of the syscalls allowed inside of your container, so it fails to start.

You need to add a lot more syscalls.
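To make the point in comment 10 concrete: with "defaultAction": "SCMP_ACT_ERRNO", every syscall that is not explicitly listed gets EPERM-style failure, so a shell that may only call accept and accept4 cannot even exec. The script below is an added example, not part of this bug report or of docker; it embeds a constructed copy of the example.json from comment 9, resolves the effective action for a handful of syscalls that any process needs at startup (an illustrative set chosen here, not a complete list), and reports which of them the profile denies. It understands both the Docker 1.10 one-"name"-per-rule form used on this page and the later "names" list form, and it ignores argument filters (a rule with non-empty "args" is treated as matching unconditionally), so it is a static sanity check on a profile, not a libseccomp emulator.

```python
import json

# Constructed copy of the profile posted in comment 9 (Docker 1.10 format: one "name" per rule).
ACCEPT_ONLY_PROFILE = """
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"name": "accept",  "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}
    ]
}
"""

# Constructed profile in the later "names" list form, allowing just enough to start a shell.
STARTUP_ONLY_PROFILE = """
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["execve", "brk", "mmap", "mprotect", "read", "write",
                   "close", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []}
    ]
}
"""

# Illustrative (not exhaustive) set of syscalls a dynamically linked shell needs
# just to be exec'd, map its libraries, talk to its terminal and exit cleanly.
STARTUP_SYSCALLS = ("execve", "brk", "mmap", "mprotect",
                    "read", "write", "close", "exit_group")


def parse_profile(text):
    """Load a seccomp profile and check the two keys every profile must carry."""
    profile = json.loads(text)
    if "defaultAction" not in profile:
        raise ValueError("profile has no defaultAction")
    if not isinstance(profile.get("syscalls", []), list):
        raise ValueError("'syscalls' must be a list of rules")
    return profile


def rule_names(rule):
    """Accept both the old single 'name' and the newer 'names' list."""
    if "names" in rule:
        return list(rule["names"])
    if "name" in rule:
        return [rule["name"]]
    return []


def effective_action(profile, syscall):
    """First rule naming the syscall wins; otherwise the profile's defaultAction applies.
    Argument filters are ignored, so a conditional rule is treated as unconditional."""
    for rule in profile.get("syscalls", []):
        if syscall in rule_names(rule):
            return rule["action"]
    return profile["defaultAction"]


def denied_startup_syscalls(profile, needed=STARTUP_SYSCALLS):
    """Return the startup syscalls this profile would not allow, in the order given."""
    return [s for s in needed if effective_action(profile, s) != "SCMP_ACT_ALLOW"]


def report(text):
    """Human-readable verdict for one profile; the functions above hold the logic."""
    profile = parse_profile(text)
    denied = denied_startup_syscalls(profile)
    if denied:
        return "container will not start; denied: " + ", ".join(denied)
    return "startup syscalls allowed"


if __name__ == "__main__":
    print("example.json from comment 9:", report(ACCEPT_ONLY_PROFILE))
    print("startup-only profile:       ", report(STARTUP_ONLY_PROFILE))
```

Run against the profile from comment 9 the check lists every startup syscall as denied, which matches the silent exit with no log output seen there; against a profile that allows the startup set it reports nothing, which is the minimum a profile must satisfy before a shell can run. Fixing a real profile still means starting from Docker's default.json and removing syscalls, rather than building up an allowlist from two entries.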

Comment 11 Alex Jia 2016-04-28 13:10:36 UTC
(In reply to Daniel Walsh from comment #10)
> You need to add a lot more syscalls.

Daniel, is it enough to use default.json[1]? I also gave it a try; although the return value of the command is 0, I can't start the container and there is no output in docker-latest logs either.

[1] https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json

Comment 12 Daniel Walsh 2016-04-28 13:56:49 UTC
Alex using the default.json should work.

Comment 13 Alex Jia 2016-04-28 14:01:18 UTC
(In reply to Daniel Walsh from comment #12)
> Alex using the default.json should work.

Daniel, okay, but I can't start the container, is it an expected result?

Comment 14 Daniel Walsh 2016-04-29 19:10:35 UTC
Nope, this is a bug.

Comment 15 Alex Jia 2016-05-03 04:14:01 UTC
(In reply to Daniel Walsh from comment #14)
> Nope, this is a bug.

Daniel, okay. Because seccomp config is now supported, I will close this bug and file new bug 1332369 to track the above issue.

Comment 17 errata-xmlrpc 2016-05-12 14:55:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1057.html

