Bug 2011523 - moby-engine: docker build fails, seccomp doesn't allow clone3
Summary: moby-engine: docker build fails, seccomp doesn't allow clone3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: moby-engine
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Olivier Lemasle
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-06 18:08 UTC by Marc Dionne
Modified: 2021-10-29 23:03 UTC (History)

Fixed In Version: moby-engine-20.10.9-1.fc36 moby-engine-20.10.9-1.fc34 moby-engine-20.10.9-1.fc35
Clone Of:
Environment:
Last Closed: 2021-10-10 22:30:12 UTC
Type: Bug
Embargoed:



Description Marc Dionne 2021-10-06 18:08:24 UTC
Description of problem:

docker build fails, and containers started with docker run fail to fork child processes.  Both are probably caused by the use of the clone3 syscall from the container being blocked by the seccomp mechanism.

Upstream moby (looking at https://github.com/moby/moby) has added bits to allow clone3, that I don't see in the moby-engine package in fedora 35.  So it may just be a matter of updating to a more recent version of upstream.

This is similar and related to a few other bugs (1990469, 1992708), but in this case both the host and container image are fedora 35.

When using "docker run", this can be worked around by either running unconfined (seccomp=unconfined), or by using a custom profile, such as the one that's provided by containers-common (/usr/share/containers/seccomp.json) which allows clone3.  But I'm not sure how this can be worked around when using "docker build".


Version-Release number of selected component (if applicable):

moby-engine-20.10.8-1.fc35.x86_64


How reproducible:

Consistently reproduces.


Steps to Reproduce:

1. Have a Dockerfile with contents like:

FROM	fedora:35
RUN dnf install -y perl perl-Test-Simple gcc krb5-devel make fuse fuse-devel gdb

2. Try to build and tag an image:

docker build . --tag=fs

Actual results:

Sending build context to Docker daemon  61.44kB
Step 1/2 : FROM	fedora:35
 ---> 2b7eaa324f9f
Step 2/2 : RUN dnf install -y perl perl-Test-Simple gcc krb5-devel make fuse fuse-devel gdb
 ---> Running in 6bcc7d4c7478
Fedora 35 - x86_64                              0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'fedora':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64&countme=1 [getaddrinfo() thread failed to start]
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
The command '/bin/sh -c dnf install -y perl perl-Test-Simple gcc krb5-devel make fuse fuse-devel gdb' returned a non-zero code: 1


Expected results:

New image is built and tagged.

Additional info:

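A narrower workaround than seccomp=unconfined is to keep the profile and only add clone3, as the containers-common profile mentioned above does. The following is an added example (not part of moby-engine, Docker or this report) that reads a Docker seccomp profile, reports whether clone3 is allowed by an unconditional rule, and if not produces a copy that allows it; the embedded profile is a constructed excerpt, not the real default.

```python
import copy
import json
import sys

# Constructed excerpt of a Docker seccomp profile (the format accepted by
# `docker run --security-opt seccomp=<file>`); real profiles are far longer.
# With defaultAction SCMP_ACT_ERRNO, clone3 fails with EPERM, so glibc does
# not fall back to clone and thread creation fails ("thread failed to start").
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["clone", "fork", "vfork"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}
""")


def allowed_syscalls(profile):
    """Names matched by an unconditional SCMP_ACT_ALLOW rule.

    Rules with "args" filters are conditional and not counted, so a syscall
    only reachable through such a rule is reported as blocked.
    """
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            names.update(rule.get("names", []))
    return names


def is_allowed(profile, syscall):
    return syscall in allowed_syscalls(profile)


def allow_clone3(profile):
    """Return a copy of the profile that allows clone3 next to clone."""
    fixed = copy.deepcopy(profile)
    if is_allowed(fixed, "clone3"):
        return fixed
    for rule in fixed["syscalls"]:
        if (rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args")
                and "clone" in rule.get("names", [])):
            rule["names"].append("clone3")
            return fixed
    fixed["syscalls"].append({"names": ["clone3"], "action": "SCMP_ACT_ALLOW"})
    return fixed


if __name__ == "__main__":
    # Usage: python3 check_clone3.py [/path/to/seccomp.json]; no path uses the sample.
    prof = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PROFILE
    print("clone3 allowed" if is_allowed(prof, "clone3")
          else json.dumps(allow_clone3(prof), indent=2))
```

The emitted profile can be passed with `--security-opt seccomp=<file>` to `docker run`; as the report notes, `docker build` offers no equivalent option, so the package update is the real fix there.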
Comment 1 Maxwell G 2021-10-10 16:21:07 UTC
Hi everyone,

Please see related issue https://bugzilla.redhat.com/show_bug.cgi?id=1988199.

I created a PR in the `moby-engine` repository that updates the specfile to the latest version of `moby/moby` and `docker/cli` and adds a patch from upstream to fix the issue. Here is a link: https://src.fedoraproject.org/rpms/moby-engine/pull-request/9

Thanks,
Maxwell

Comment 2 Fedora Update System 2021-10-10 22:29:22 UTC
FEDORA-2021-d564cbbb82 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d564cbbb82

Comment 3 Fedora Update System 2021-10-10 22:30:12 UTC
FEDORA-2021-d564cbbb82 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2021-10-10 23:09:18 UTC
FEDORA-2021-b5a9a481a2 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b5a9a481a2

Comment 5 Fedora Update System 2021-10-10 23:11:17 UTC
FEDORA-2021-df975338d4 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-df975338d4

Comment 6 Fedora Update System 2021-10-11 17:16:52 UTC
FEDORA-2021-b5a9a481a2 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b5a9a481a2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b5a9a481a2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-10-11 21:24:52 UTC
FEDORA-2021-df975338d4 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-df975338d4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-df975338d4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-10-19 00:36:47 UTC
FEDORA-2021-df975338d4 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-10-29 23:03:00 UTC
FEDORA-2021-b5a9a481a2 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

