
Bug 1927635

Summary: Please update libseccomp to 2.5.0 or make the older version understand the new syscalls
Product: Red Hat Enterprise Linux 8
Component: libseccomp
Version: 8.4
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Jindrich Novy <jnovy>
Assignee: Zoltan Fridrich <zfridric>
QA Contact: Martin Zelený <mzeleny>
CC: ajia, anowak, cevich, dapospis, leiwang, lvrabec, mzeleny, rmanes, rsroka
Target Milestone: rc
Target Release: 8.0
Keywords: AutoVerified, Rebase, Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libseccomp-2.5.1-1.el8
Doc Type: No Doc Update
Last Closed: 2021-05-18 15:10:40 UTC
Type: Bug

Description Jindrich Novy 2021-02-11 08:20:06 UTC
Description of problem:
The libseccomp is 2.4.3-1 both on newest RHEL-8.3 and RHEL-8.4, and 
the fuse-overlayfs is 1.3.0-2 inside the buildah-container-8.3-22,
this bug hasn't been fixed yet.

[root@kvm-07-guest35 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

[root@kvm-07-guest35 ~]# rpm -q libseccomp podman runc
libseccomp-2.4.3-1.el8.x86_64
podman-2.2.1-7.module+el8.3.1+9857+68fb1526.x86_64
runc-1.0.0-70.rc92.module+el8.3.1+9857+68fb1526.x86_64

[root@kvm-07-guest35 ~]# podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22...
Getting image source signatures
Copying blob 6b536614e8f8 done
Copying blob fdb393d8227c done
Copying blob 7bd57215fc95 done
Copying config 2ac1d7d21c done
Writing manifest to image destination
Storing signatures
2ac1d7d21cb497085a0e937d11e2dba35c885a57a9f20889bbc65c1126dbc2ac
[root@kvm-07-guest35 ~]# podman run --name rhel8-buildah --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22 /bin/bash
[root@aec63aecb7a1 /]# rpm -q buildah fuse-overlayfs containers-common
buildah-1.16.7-4.module+el8.3.1+9857+68fb1526.x86_64
fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
containers-common-1.2.0-9.module+el8.3.1+9857+68fb1526.x86_64
[root@aec63aecb7a1 /]# buildah info|grep -iA4 graphoption
        "GraphOptions": [
            "overlay.imagestore=/var/lib/shared",
            "overlay.mount_program=/usr/bin/fuse-overlayfs",
            "overlay.mountopt=nodev,metacopy=on"
        ],
[root@aec63aecb7a1 /]# buildah from registry.access.redhat.com/ubi8
Getting image source signatures
Copying blob cca21acb641a done
Copying blob d9e72d058dc5 done
Copying config 3269c37eae done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@aec63aecb7a1 /]# buildah run --isolation=chroot ubi8-working-container ls /
error running subprocess: error bind mounting /dev from host into mount namespace: mkdir /var/tmp/buildah396083642/mnt/rootfs/dev: operation not permitted
                                                                                                                                                          exit status 1
ERRO exit status 1


[root@kvm-07-guest32 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@kvm-07-guest32 ~]# rpm -q libseccomp podman runc
libseccomp-2.4.3-1.el8.x86_64
podman-3.0.0-0.38rc2.module+el8.4.0+9804+5385893b.x86_64
runc-1.0.0-70.rc92.module+el8.4.0+9804+5385893b.x86_64

[root@kvm-07-guest32 ~]# podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22...
Getting image source signatures
Copying blob 6b536614e8f8 done
Copying blob fdb393d8227c done
Copying blob 7bd57215fc95 done
Copying config 2ac1d7d21c done
Writing manifest to image destination
Storing signatures
2ac1d7d21cb497085a0e937d11e2dba35c885a57a9f20889bbc65c1126dbc2ac
[root@kvm-07-guest32 ~]# podman run --name rhel8-buildah --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22 /bin/bash
[root@fc429e519662 /]# rpm -q buildah fuse-overlayfs containers-common
buildah-1.16.7-4.module+el8.3.1+9857+68fb1526.x86_64
fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
containers-common-1.2.0-9.module+el8.3.1+9857+68fb1526.x86_64
[root@fc429e519662 /]# buildah info|grep -iA4 graphoption
        "GraphOptions": [
            "overlay.imagestore=/var/lib/shared",
            "overlay.mount_program=/usr/bin/fuse-overlayfs",
            "overlay.mountopt=nodev,metacopy=on"
        ],
[root@fc429e519662 /]# buildah from registry.access.redhat.com/ubi8
Getting image source signatures
Copying blob cca21acb641a done
Copying blob d9e72d058dc5 done
Copying config 3269c37eae done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@fc429e519662 /]# buildah run --isolation=chroot ubi8-working-container ls /
error running subprocess: error bind mounting /dev from host into mount namespace: mkdir /var/tmp/buildah955304116/mnt/rootfs/dev: operation not permitted
                                                                                                                                                          exit status 1
ERRO exit status 1

Reply from Giuseppe Scrivano:

The issue seems to be an old libseccomp that doesn't know about these
new syscalls.

I've installed libseccomp-2.5.0 (from RHEL 9 builds) on the machine and
now the container works fine.

We need libseccomp-2.5.0 as the version on RHEL 8 misses the definition
for openat2 as well as some other ones, so they are ignored even if
defined in the seccomp.json profile.

Version-Release number of selected component (if applicable):
libseccomp-2.4.x

How reproducible:
always

Steps to Reproduce:
as noted above and in bug #1921863

Actual results:
fails

Expected results:
runs
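
The failure mode described in the quoted reply (a syscall name the installed libseccomp cannot resolve is ignored, so the profile's default action applies to it), as an added example that is not part of the bug report or of any project's code. PROFILE, OLD_TABLE and NEW_TABLE are constructed sample data, audit() and libseccomp_resolver() are hypothetical helper names, and seccomp_syscall_resolve_name() is the libseccomp lookup function.

```python
import ctypes
import ctypes.util

# Constructed sample profile in the seccomp.json layout (not from the bug report).
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["openat", "openat2", "mkdirat"], "action": "SCMP_ACT_ALLOW"}],
}
# Constructed x86_64 name->number tables: one without openat2, one with it.
OLD_TABLE = {"openat": 257, "mkdirat": 258}
NEW_TABLE = dict(OLD_TABLE, openat2=437)


def libseccomp_resolver():
    """Resolver backed by the installed libseccomp, or None if it is absent."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    fn = ctypes.CDLL(path).seccomp_syscall_resolve_name
    fn.argtypes, fn.restype = [ctypes.c_char_p], ctypes.c_int
    # The library returns __NR_SCMP_ERROR (-1) for names it does not know.
    return lambda name: None if (nr := fn(name.encode())) == -1 else nr


def audit(profile, resolve):
    """Return (effective action per syscall name, names that were dropped)."""
    effective, dropped = {}, []
    for rule in profile["syscalls"]:
        for name in rule["names"]:
            if resolve(name) is None:
                # Unresolvable name: the rule never reaches the filter, so
                # the syscall falls through to the profile's default action.
                dropped.append(name)
                effective[name] = profile["defaultAction"]
            else:
                effective[name] = rule["action"]
    return effective, dropped


if __name__ == "__main__":
    # Use the host's libseccomp when present, else the constructed old table.
    resolve = libseccomp_resolver() or OLD_TABLE.get
    effective, dropped = audit(PROFILE, resolve)
    print("dropped from profile:", dropped)
```

Loading a real seccomp.json with json.load() and passing it to audit() on the host that runs the containers lists the names its libseccomp would drop.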

Comment 13 Chris Evich 2021-02-23 15:13:26 UTC
I'm reproducing this issue (according to gscrivan) on CentOS 8 (glibc-2.28-127.el8, libseccomp-2.4.3-1.el8, podman-2.0.5-5.module_el8.3.0+512+b3b58dca) when running an interactive Fedora 34 (beta) shell. The problem does not reproduce from a non-interactive shell, or using a Fedora 33 container.

[root@cevich]# podman run -it --rm fedora:34 test -r /root/anaconda-ks.cfg; echo $?
0
[root@cevich]# podman run -it --rm fedora:34
[root@b07faa651016 /]# ls -la /root/anaconda-ks.cfg
-rw-------. 1 root root 3453 Feb 17 09:55 /root/anaconda-ks.cfg
[root@b07faa651016 /]# test -r /root/anaconda-ks.cfg
[root@b07faa651016 /]# echo $?
1
[root@b07faa651016 /]# rpm -q glibc
glibc-2.32.9000-29.fc34.x86_64
[root@b07faa651016 /]# exit
exit
[root@cevich]# podman run -it --rm fedora:33 test -r /root/anaconda-ks.cfg; echo $?
0
[root@cevich]# podman run -it --rm fedora:33
[root@10c8edfb69cc /]# ls -la /root/anaconda-ks.cfg
-rw-------. 1 root root 3664 Feb 17 07:48 /root/anaconda-ks.cfg
[root@10c8edfb69cc /]# test -r /root/anaconda-ks.cfg
[root@10c8edfb69cc /]# echo $?
0

Comment 15 errata-xmlrpc 2021-05-18 15:10:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libseccomp bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1729