
Bug 1327679

Summary: seccomp: config provided but seccomp not supported
Product: Red Hat Enterprise Linux 7
Component: docker-latest
Version: 7.2
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Reporter: Qian Cai <qcai>
Assignee: Matthew Heon <mheon>
QA Contact: atomic-bugs <atomic-bugs>
CC: ajia, amurdaca, dwalsh, mpatel, qcai
Fixed In Version: docker-1.10.3-10.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-05-12 14:55:27 UTC
Bug Depends On: 1325441
Bug Blocks: 1303656, 1305185
Attachments: Let's compile dockerinit as shared and then not ship it. (flags: none)

Description Qian Cai 2016-04-15 15:42:46 UTC
Description of problem:
# docker-latest run --rm --security-opt seccomp:`pwd`/seccomp.json rhel7 /bin/bash
seccomp: config provided but seccomp not supported
docker: Error response from daemon: Cannot start container dd37b2b6828edf55bb264eadd6a99148f1e6353bb765294d63fc48d95d31a16f: [9] System error: seccomp: config provided but seccomp not supported.

# rpm -qa | grep libseccomp
libseccomp-2.2.1-1.el7.x86_64
libseccomp-devel-2.2.1-1.el7.x86_64

Version-Release number of selected component (if applicable):
docker-latest-1.10.3-9.el7.x86_64

How reproducible:
always

Comment 2 Daniel Walsh 2016-04-15 16:24:26 UTC
Lokesh, it looks like we are not setting the seccomp build tag. Need to set this just like we turn on SELinux.

echo $DOCKER_BUILDTAGS 
selinux seccomp

Comment 3 Lokesh Mandvekar 2016-04-15 19:42:42 UTC
Dan, we're gonna need Bug 1325441 sorted to go ahead with this.

Comment 4 Daniel Walsh 2016-04-15 20:50:15 UTC
Is there any way to build without dockerinit support?

Comment 5 Daniel Walsh 2016-04-15 20:59:56 UTC
Created attachment 1147776
Let's compile dockerinit as shared and then not ship it.

This patch will allow you to compile dockerinit without libseccomp-static and then drop it from the package. We don't support lxc in RHEL anyways and it gets dropped from docker in docker-1.11 anyways.

Comment 6 Lokesh Mandvekar 2016-04-18 16:57:31 UTC
fixed in upcoming..

Comment 8 Qian Cai 2016-04-19 18:36:23 UTC
Worked fine.

Comment 9 Alex Jia 2016-04-28 10:03:56 UTC
I can reproduce the issue on docker-latest-1.10.3-9.el7.x86_64 w/ libseccomp-2.2.1-1.el7.x86_64, but I still can't successfully start a container after upgrading docker-latest to 1.10.3-10; the details are as follows.

# cat example.json 
{
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [
                "SCMP_ARCH_X86_64",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X32"
        ],
        "syscalls": [
                {
                        "name": "accept",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                },
                {
                        "name": "accept4",
                        "action": "SCMP_ACT_ALLOW",
                        "args": []
                }
        ]
}

# docker-latest run --security-opt seccomp:`pwd`/example.json rhel7 /bin/bash
Unable to find image 'rhel7:latest' locally
Trying to pull repository docker.io/library/rhel7 ... 
Pulling repository docker.io/library/rhel7
95612a3264fc: Pull complete 
Status: Downloaded newer image for docker.io/rhel7:latest
docker.io/library/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

# echo $?
133

# docker-latest ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                        PORTS               NAMES
fd7b05758e1a        rhel7               "/bin/bash"         11 seconds ago      Exited (133) 10 seconds ago                       hopeful_knuth

# docker-latest logs fd7b05758e1a

NOTE: nothing output


CAI Qian, could you help look at the above question? Thanks.

Comment 10 Daniel Walsh 2016-04-28 12:30:29 UTC
Alex, I think this is a white list of all of the syscalls allowed inside of your container, so it fails to start.

You need to add a lot more syscalls.
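
The whitelist behaviour described in comment 10, checked against the profile from comment 9, as an added example that is not part of the bug report or of docker's code. `audit_profile` and `rule_names` are hypothetical helpers, `STARTUP_SYSCALLS` is an assumed, illustrative baseline rather than a complete list, and accepting the `names` key of later Docker profiles goes beyond the profile shown here.

```python
import json

# Assumed baseline: syscalls a dynamically linked x86_64 shell typically makes
# while starting up. Illustrative only, not an exhaustive list.
STARTUP_SYSCALLS = {
    "execve", "brk", "mmap", "mprotect", "munmap", "open", "read", "write",
    "close", "fstat", "access", "arch_prctl", "exit_group",
    "rt_sigaction", "rt_sigprocmask",
}

# The profile from comment 9, re-typed compactly as inline sample input.
EXAMPLE_JSON = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "accept",  "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}"""

def rule_names(rule):
    """Syscall names of one rule: "name" here, or the "names" list of later profiles."""
    if "names" in rule:
        return list(rule["names"])
    return [rule["name"]] if "name" in rule else []

def audit_profile(profile, required=STARTUP_SYSCALLS):
    """Report which of the required syscalls the profile would not allow."""
    default = profile["defaultAction"]
    allowed, conditional, denied = set(), set(), set()
    for rule in profile.get("syscalls") or []:
        for name in rule_names(rule):
            if rule.get("action") != "SCMP_ACT_ALLOW":
                denied.add(name)
            elif rule.get("args"):
                conditional.add(name)  # allowed only when the argument filters match
            else:
                allowed.add(name)
    if default == "SCMP_ACT_ALLOW":    # blacklist: only explicit denials matter
        missing = set(required) & (denied - allowed)
    else:                              # whitelist: anything not listed is refused
        missing = set(required) - allowed - conditional
    return {"default": default, "whitelist": default != "SCMP_ACT_ALLOW",
            "allowed": sorted(allowed | conditional), "missing": sorted(missing)}

if __name__ == "__main__":
    report = audit_profile(json.loads(EXAMPLE_JSON))
    print("default action:", report["default"], "| whitelist:", report["whitelist"])
    print("required syscalls not allowed:", ", ".join(report["missing"]))
```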

Comment 11 Alex Jia 2016-04-28 13:10:36 UTC
(In reply to Daniel Walsh from comment #10)
> You need to add a lot more syscalls.

Daniel, is it enough to use default.json[1]? I also gave it a try earlier; although the return value of the command is 0, I can't start the container and there is also no output in docker-latest logs.

[1] https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json

Comment 12 Daniel Walsh 2016-04-28 13:56:49 UTC
Alex, using the default.json should work.

Comment 13 Alex Jia 2016-04-28 14:01:18 UTC
(In reply to Daniel Walsh from comment #12)
> Alex using the default.json should work.

Daniel, okay, but I can't start the container. Is that an expected result?

Comment 14 Daniel Walsh 2016-04-29 19:10:35 UTC
Nope, this is a bug.

Comment 15 Alex Jia 2016-05-03 04:14:01 UTC
(In reply to Daniel Walsh from comment #14)
> Nope, this is a bug.

Daniel, okay. Because seccomp config is now supported, I will close this bug and file new bug 1332369 to track the above issue.

Comment 17 errata-xmlrpc 2016-05-12 14:55:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1057.html