Bug 1328970 - seccomp: config provided but seccomp not supported
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: runc
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Duplicates: 1322608
Reported: 2016-04-20 18:38 UTC by Qian Cai
Modified: 2020-07-20 08:13 UTC

Fixed In Version: runc-0.1.0-3.el7
Doc Type: Bug Fix
Last Closed: 2016-05-12 15:15:38 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2016:1061
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: runc bug fix and enhancement update
Last Updated: 2016-05-12 19:14:54 UTC

Description Qian Cai 2016-04-20 18:38:02 UTC
Description of problem:
Looks like we need to build runc with libseccomp again.

# cat config.json
...
        "seccomp": {
            "architectures": [
                "SCMP_ARCH_X86"
            ], 
            "defaultAction": "SCMP_ACT_ALLOW", 
            "syscalls": [
                {
                    "action": "SCMP_ACT_ERRNO", 
                    "name": "getcwd"
                }
            ]
        }
...

# runc start root
seccomp: config provided but seccomp not supported

Version-Release number of selected component (if applicable):
runc-0.1.0-1.el7.x86_64

How reproducible:
always

Comment 1 Qian Cai 2016-04-20 18:54:12 UTC
I tried the upstream version in the master branch (at commit 2441732), which worked fine on 30 March.

Comment 3 Mrunal Patel 2016-05-03 17:14:28 UTC
Most likely runc wasn't compiled with the seccomp build tag.

If you pull the repo and run make, it adds the seccomp build tag by default.

[root@localhost runc]# make
go build -i -ldflags "-X main.gitCommit=89c3c97a8482f3a57cd4bb683df1a7b2c61405d8" -tags "seccomp" -o runc .

[root@dhcp-16-129 testroot]# tail -n 15 config.json
                                "type": "uts"
                        }
                ],
                "seccomp": {
                        "defaultAction": "SCMP_ACT_ALLOW",
                        "architectures": null,
                        "syscalls": [
                                {
                                        "name": "getcwd",
                                        "action": "SCMP_ACT_ERRNO"
                                }
                        ]
                }
        }
}
[root@dhcp-16-129 testroot]# runc start 1234
sh: getcwd: Operation not permitted
(unknown) # exit

Comment 4 Daniel Walsh 2016-05-03 17:51:47 UTC
Runc should be being built with 

BUILDTAGS="selinux seccomp"

Comment 5 Lokesh Mandvekar 2016-05-03 18:15:50 UTC
fix upcoming..

Comment 7 Lokesh Mandvekar 2016-05-04 21:23:39 UTC
*** Bug 1322608 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2016-05-12 15:15:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1061.html
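
Added example (not part of the original bug thread and not runc code): a policy like the one in the Description and Comment 3 only protects a container if the kernel reports a filter on its process, so this Python check compares the seccomp section of a config.json with the Seccomp field of /proc/<pid>/status. The function names and sample strings are constructed for illustration, and the policy is assumed to sit under the "linux" key as in the OCI runtime specification.

```python
import json

# Constructed sample: the policy from this report inside an OCI-style config.
SAMPLE_CONFIG = """{"linux": {"seccomp": {
  "defaultAction": "SCMP_ACT_ALLOW", "architectures": ["SCMP_ARCH_X86"],
  "syscalls": [{"name": "getcwd", "action": "SCMP_ACT_ERRNO"}]}}}"""

# Constructed excerpts of /proc/<pid>/status for a container's init process.
STATUS_FILTERED = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t2\n"
STATUS_UNFILTERED = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t0\n"


def requested_policy(config_text):
    """Return (defaultAction, {syscall: action}) or None if no seccomp section."""
    linux = json.loads(config_text).get("linux") or {}
    sec = linux.get("seccomp")
    if not sec:
        return None
    rules = {}
    for entry in sec.get("syscalls") or []:
        # Configs like the one in this report use "name"; newer ones use a "names" list.
        names = entry.get("names") or [entry["name"]]
        for name in names:
            rules[name] = entry["action"]
    return sec.get("defaultAction"), rules


def seccomp_mode(status_text):
    """Parse the kernel's Seccomp field: 0 disabled, 1 strict, 2 filter."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1])
    return None  # field absent (older kernel)


def verify(config_text, status_text):
    """Return (ok, message) comparing the requested policy with kernel state."""
    policy = requested_policy(config_text)
    if policy is None:
        return True, "config requests no seccomp policy"
    mode = seccomp_mode(status_text)
    if mode == 2:
        return True, "filter active; %d syscall rule(s) requested" % len(policy[1])
    return False, "config requests seccomp but process mode is %r" % mode


if __name__ == "__main__":
    for status in (STATUS_FILTERED, STATUS_UNFILTERED):
        print(verify(SAMPLE_CONFIG, status))
```

On a host, pass it the container's config.json and the contents of /proc/<pid>/status for the container's init process.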

