Bug 1961206 - Backport runc fix for faccessat2 handling
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Duplicates: 1962080
Depends On:
Blocks:
Reported: 2021-05-17 13:50 UTC by Tim Waugh
Modified: 2023-09-15 01:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-27 02:39:10 UTC
Target Upstream Version:
Embargoed:



Comment 7 Jindrich Novy 2021-05-19 15:20:02 UTC
*** Bug 1962080 has been marked as a duplicate of this bug. ***

Comment 9 Kir Kolyshkin 2021-05-27 02:39:10 UTC
The workaround is to use the scratch build available from comment #8 above (make sure to download it, as it goes away after some time).

The solution is to switch to OCP4.

The backport is very hard to do (I spent a few hours trying and got nowhere).

As the workaround is available, and it's impossible to have a backport, closing as WONTFIX.

Comment 10 Tim Waugh 2021-05-27 09:23:41 UTC
Thanks.

Comment 11 Vratislav Podzimek 2021-06-25 12:15:27 UTC
> The workaround is to use the scratch build available from comment #8 above (make sure to download it, as it goes away after some time).

Could you please share the workaround publicly? I cannot see comment #8 (marked as private, I guess).

> The solution is to switch to OCP4.

Please keep in mind people are using containers on RHEL 7 without OCP or even k8s.

Comment 12 Colin Walters 2021-06-25 13:19:42 UTC
> Could you please share the workaround publicly? 

The suggested workaround is to disable docker seccomp.

Isn't docker seccomp configurable without patching it?  I think the config file is in `/etc`.

Comment 13 Kir Kolyshkin 2021-06-25 23:26:37 UTC
> Could you please share the workaround publicly? I cannot see comment #8 (marked as private, I guess).

It was an internal build of the same docker version with seccomp support disabled.

In your case, I think, the best way is to either self-compile a fixed runc version
(1.0.0 is recommended, although you can use 1.0.0-rc93 or any later version), or
use a prebuilt static binary from https://github.com/opencontainers/runc/releases
(look for runc.amd64 file under "Assets"; again, version 1.0.0 is recommended),
AND make sure docker is using your version of runc.
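
A check that a replacement runc binary meets the version floor given in comment 13 (1.0.0-rc93 or later), as an added example that is not part of the original thread or of runc itself. The function names and the sample `runc --version` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. MIN_FIXED is the earliest version comment 13 names as usable.
MIN_FIXED=1.0.0-rc93

# Reduce "1.0.0-rc10", "v1.0.0" or "1.1.4" to "MAJOR MINOR PATCH RC".
# A final release gets RC=9999 so it sorts after every -rcN of the same X.Y.Z
# (other suffixes such as -dev are treated like a final release).
version_key() {
    v=${1#v}
    core=${v%%[-+~]*}
    case $v in
        *-rc[0-9]*) rc=${v##*-rc}; rc=${rc%%[!0-9]*} ;;
        *)          rc=9999 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $core
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} $rc"
}

# True when version $1 >= version $2.
version_at_least() {
    set -- $(version_key "$1") $(version_key "$2")
    if   [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]
    elif [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]
    elif [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]
    else [ "$4" -ge "$8" ]
    fi
}

# Read "<runc> --version" output on stdin; print "ok VER", "old VER" or "unknown".
check_runc_output() {
    ver=$(sed -n 's/^runc version \([^ ,]*\).*/\1/p' | head -n 1)
    case $ver in
        [0-9]*.[0-9]*|v[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if version_at_least "$ver" "$MIN_FIXED"; then echo "ok $ver"; else echo "old $ver"; fi
}

# Constructed sample outputs (not captured from a real host).
# Real use: /path/to/your/runc --version | check_runc_output
for sample in "runc version 1.0.0-rc10" "runc version 1.0.0-rc93" "runc version 1.0.0"; do
    printf '%s\nspec: 1.0.2-dev\n' "$sample" | check_runc_output
done
```

Run it against the binary the container engine actually invokes, not just the one first on `PATH`, since the thread's point is that the engine must be using the replaced runc.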

Comment 14 Vratislav Podzimek 2021-07-14 08:39:58 UTC
Please keep in mind this affects not only docker but also podman and buildah. But do I understand it correctly that they all use runc these days and so newer runc will just fix the issue for all of them? Will it be compatible with the older versions of the tools?

Comment 15 Tom Sweeney 2021-07-14 12:56:31 UTC
Upgrading runc for the version of Docker on RHEL 7 was not possible. Unless Kir corrects me, that's the only tool that cannot handle the updated runc that has been put into play that contains the fix. The newer runc does fix the issue in other projects.

Comment 16 Red Hat Bugzilla 2023-09-15 01:06:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

