Bug 1848078 - Cannot run oci-seccomp-bpf-hook with Podman and Crun with cgroups V2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: oci-seccomp-bpf-hook
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-17 16:06 UTC by Scott McCarty
Modified: 2020-06-27 03:07 UTC (History)

Fixed In Version: oci-seccomp-bpf-hook-1.1.1-1.fc32 oci-seccomp-bpf-hook-1.1.1-1.fc31
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-27 02:06:28 UTC
Type: Bug
Embargoed:



Description Scott McCarty 2020-06-17 16:06:31 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
100%


Steps to Reproduce:
1. yum install podman oci-seccomp-bpf-hook
2. podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls


Actual results:

```
[root@fedora ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
Error: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1): OCI runtime error
```


Expected results:

```
[root@fedora ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```



Additional info:
It appears to work after you run these commands:

```
yum install bpftrace
bpftrace -e 'BEGIN { printf("hello world\n"); }'
```

Comment 1 Lokesh Mandvekar 2020-06-17 18:33:47 UTC
What version of podman are you using btw? 

Seems to work for me on f32 without bpftrace.

```
lsm5 @ nagato : ~(master) $ podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
Trying to pull registry.fedoraproject.org/fedora:30...
Getting image source signatures
Copying blob ec1dd3aa5ab3 done  
Copying config c197b0ab77 done  
Writing manifest to image destination
Storing signatures
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

lsm5 @ nagato : ~(master) $ rpm -q oci-seccomp-bpf-hook bpftrace podman
oci-seccomp-bpf-hook-1.1.0-2.fc32.x86_64
package bpftrace is not installed
podman-2.0.0-0.2.rc6.fc32.x86_64
```

Comment 2 Valentin Rothberg 2020-06-18 09:23:33 UTC
Note that it works on Fedora 32 Workstation but not on Fedora 32 _Server_. 

We made the same observation on the Fedora Cloud images. Curiously enough, it works after executing some of the bpftools:

```
[root@localhost ~]# /usr/share/bcc/tools/hardirqs
Tracing hard irq event time... Hit Ctrl-C to end.
^C
HARDIRQ                    TOTAL_usecs
[root@localhost ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```

Note that it stops working after a reboot.

Comment 3 Valentin Rothberg 2020-06-18 09:50:38 UTC
Thanks to the mighty Giuseppe Scrivano, we found that `modprobe kheaders` solves the issue. I'll prepare a PR upstream.
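
A preflight check for the condition identified in Comment 3, as an added example that is not part of the bug report or the hook's source. It assumes the hook needs kernel headers at run time, taken either from the module build tree or from the archive the `kheaders` module exposes in sysfs; the function names and the `ROOT` prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the hook's source).
# Assumption: the hook compiles its BPF program at run time and needs kernel
# headers, found either in the module build tree or in the archive that the
# kheaders module exposes in sysfs.

# kheaders_status ROOT RELEASE -> prints build-tree | kheaders | missing
# ROOT is a filesystem prefix ("/" on a live host) so the check can be tested.
kheaders_status() {
    root=${1%/}
    release=$2
    # build is often a symlink; -d follows it, so a dangling link counts as absent
    if [ -d "$root/lib/modules/$release/build" ]; then
        echo build-tree
    elif [ -r "$root/sys/kernel/kheaders.tar.xz" ]; then
        echo kheaders
    else
        echo missing
    fi
}

# trace_preflight ROOT RELEASE -> status 0 if headers are available, 1 otherwise
trace_preflight() {
    case $(kheaders_status "$1" "$2") in
        build-tree|kheaders) return 0 ;;
        *)
            echo "no kernel headers for $2: run 'modprobe kheaders' before" \
                 "using --annotation io.containers.trace-syscall" >&2
            return 1 ;;
    esac
}

# Live use: sh check-kheaders.sh / "$(uname -r)"
[ "$#" -eq 0 ] || trace_preflight "$@"
```

Because a module loaded with `modprobe` does not persist, the check reports `missing` again after a reboot, matching the behaviour noted in Comment 2.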

Comment 4 Valentin Rothberg 2020-06-18 13:21:44 UTC
v1.1.1 of the hook has just been released and fixes the issue:
https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.1.1

Comment 5 Fedora Update System 2020-06-18 17:35:12 UTC
FEDORA-2020-d52fcbe01d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d

Comment 6 Fedora Update System 2020-06-18 17:35:40 UTC
FEDORA-2020-1177983024 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024

Comment 7 Fedora Update System 2020-06-19 16:15:56 UTC
FEDORA-2020-1177983024 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1177983024`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-06-19 21:55:28 UTC
FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d52fcbe01d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-06-27 02:06:28 UTC
FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-06-27 03:07:29 UTC
FEDORA-2020-1177983024 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

