Description of problem: I used oci-seccomp-bpf-hook without root (podman run [...] --annotation io.containers.trace-syscall=of:/tmp/seccomp-custom.json [...]). It then gave me the cryptic error "Error: OCI runtime error: crun: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1)" and crashed. I know, that it does not work without administrative permission, but the error handling could be improved. It should not crash with insufficient permission, but this should be handled "gracefully" and the error message should perhaps include something that would indicate, what the error could be, e.g. that it has some permissions problems. Version-Release number of selected component: oci-seccomp-bpf-hook-1.2.9-1.fc38 Additional info: reporter: libreport-2.17.10 type: CCpp reason: oci-seccomp-bpf-hook killed by SIGABRT journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=1de052;b=633cd69c786741e2b385c6d8365fddf7;m=56f3e723b;t=5ff48c544934e;x=3805e3d70f08887 executable: /usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook cmdline: oci-seccomp-bpf-hook -r 54024 -o /tmp/seccomp-custom.json -i cgroup: 0::/user.slice/user-1000.slice/user/user.slice/libpod-conmon-10893be2bbe297589572c3d765953536d4c86aa67c45f9d3e214961ae3ddbfe5.scope rootdir: / uid: 1000 kernel: 6.3.8-200.fc38.x86_64 package: oci-seccomp-bpf-hook-1.2.9-1.fc38 runlevel: N 5 backtrace_rating: 4 crash_function: runtime.raise Truncated backtrace: Thread no. 1 (22 frames) #0 runtime.raise at /usr/lib/golang/src/runtime/sys_linux_amd64.s:154 #1 runtime.dieFromSignal at /usr/lib/golang/src/runtime/signal_unix.go:879 #2 runtime.sigfwdgo at /usr/lib/golang/src/runtime/signal_unix.go:1092 #3 runtime.sigtrampgo at /usr/lib/golang/src/runtime/signal_unix.go:432 #4 runtime.sigtramp at /usr/lib/golang/src/runtime/sys_linux_amd64.s:354 #6 runtime.raise at /usr/lib/golang/src/runtime/sys_linux_amd64.s:154 #7 runtime.dieFromSignal at /usr/lib/golang/src/runtime/signal_unix.go:879 #8 runtime.crash at /usr/lib/golang/src/runtime/signal_unix.go:971 #9 runtime.fatalpanic at /usr/lib/golang/src/runtime/panic.go:1168 #10 runtime.gopanic at /usr/lib/golang/src/runtime/panic.go:987 #11 runtime.panicmem at /usr/lib/golang/src/runtime/panic.go:260 #12 runtime.sigpanic at /usr/lib/golang/src/runtime/signal_unix.go:837 #13 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Close.func1 at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:155 #14 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Close at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:155 #15 main.runBPFSource.func3 at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:223 #16 runtime.gopanic at /usr/lib/golang/src/runtime/panic.go:890 #17 runtime.panicmem at /usr/lib/golang/src/runtime/panic.go:260 #18 runtime.sigpanic at /usr/lib/golang/src/runtime/signal_unix.go:837 #19 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).Load at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:224 #20 github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc.(*Module).LoadTracepoint at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/vendor/github.com/iovisor/gobpf/bcc/module.go:205 #21 main.runBPFSource at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:226 #22 main.main at /usr/src/debug/oci-seccomp-bpf-hook-1.2.9-1.fc38.x86_64/_build/src/github.com/containers/oci-seccomp-bpf-hook/oci-seccomp-bpf-hook.go:84
Created attachment 1973238 [details] File: proc_pid_status
Created attachment 1973239 [details] File: maps
Created attachment 1973240 [details] File: limits
Created attachment 1973241 [details] File: open_fds
Created attachment 1973242 [details] File: mountinfo
Created attachment 1973243 [details] File: os_info
Created attachment 1973244 [details] File: cpuinfo
Created attachment 1973245 [details] File: core_backtrace
Created attachment 1973246 [details] File: dso_list
Created attachment 1973247 [details] File: backtrace
Created attachment 1973248 [details] File: environ
@vrothber I think you're the right assignee for this one.
Thanks for the ping, Lokesh. I just cut a new release: https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.2.10
FEDORA-2023-b5e4faa25d has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5e4faa25d
FEDORA-2023-af4175e2f6 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-af4175e2f6
FEDORA-2023-f81f315bef has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f81f315bef
FEDORA-2023-b5e4faa25d has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5e4faa25d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5e4faa25d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-af4175e2f6 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-af4175e2f6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-af4175e2f6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-f81f315bef has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f81f315bef` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f81f315bef See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
thank you! It does not crash anymore, but it only prints "Error: OCI runtime error: crun: error executing hook `/usr/libexec/oci/hooks.d/oci-seccomp-bpf-hook` (exit code: 1)". I saw that in https://github.com/containers/oci-seccomp-bpf-hook/pull/121/commits/9ca3f9f7b5d67a7208f07b9f7e456268ae6d634b#diff-54c511f7058b24c50b8b82124335c316c9f83b4c4798200d41a7eb27444acec3R61 there was a better error message added. Where should that show up?
The new error from the hook will show up in the syslog/journal. The one you're seeing is outside of the hook's control. @Giuseppe: Could crun include stdout/stderr of the hook when it exits non-zero?
Ah, yes. In journalctl I can indeed see the message.
FEDORA-2023-af4175e2f6 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-f81f315bef has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-b5e4faa25d has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days