Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[master] rpm: disable seccomp to prevent tar EPERM (Fedora 40 ppc64le on Debian) #1013

Merged
merged 1 commit into from
Apr 12, 2024
Merged

[master] rpm: disable seccomp to prevent tar EPERM (Fedora 40 ppc64le on Debian) #1013

merged 1 commit into from
Apr 12, 2024

Conversation

thaJeztah
Copy link
Member

commit 07b5d90 disabled seccomp for the deb-builds because chmod failed tar was failing with an EPERM (Ubuntu 24.04 armhf on 20.04 host).

It looks like the same problem happens when running Fedora 40 on a Debian bookworm host on ppc64le.

That issue was confirmed to be related to fchmodat2(2), which is a new syscall that's not supported on the host, and therefore gets the seccomp's default EPERM;

fchmodat2(AT_FDCWD, "docker", 0775, AT_SYMLINK_NOFOLLOW) = -1 EPERM (Operation not permitted)
tar: docker: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors

Ultimately we need to update the libseccomp profile to use ENOSYS (see moby ticket 42871) to allow it to degrade gracefully;

fchmodat2(AT_FDCWD, "docker", 0775, AT_SYMLINK_NOFOLLOW) = -1 ENOSYS (Function not implemented)

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah
rpm: disable seccomp to prevent tar EPERM (Fedora 40 ppc64le on Debian)
01886f5 
commit 07b5d90 disabled seccomp for the
deb-builds because `chmod` failed tar was failing with an EPERM (Ubuntu
24.04 armhf on 20.04 host).

It looks like the same problem happens when running Fedora 40 on a Debian
bookworm host on ppc64le.

That issue was confirmed to be related to `fchmodat2(2)`, which is a new
syscall that's not supported on the host, and therefore gets the seccomp's
default EPERM;

    fchmodat2(AT_FDCWD, "docker", 0775, AT_SYMLINK_NOFOLLOW) = -1 EPERM (Operation not permitted)
    tar: docker: Cannot change mode to rwxrwxr-x: Operation not permitted
    tar: Exiting with failure status due to previous errors

Ultimately we need to update the libseccomp profile to use ENOSYS (see
moby ticket 42871) to allow it to degrade gracefully;

    fchmodat2(AT_FDCWD, "docker", 0775, AT_SYMLINK_NOFOLLOW) = -1 ENOSYS (Function not implemented)

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah self-assigned this Apr 12, 2024
@thaJeztah
Copy link
Member Author

cc @AshwinHIBM

@thaJeztah
Copy link
Member Author

Let me bring this one in, but let us know if it worked, @AshwinHIBM

@thaJeztah thaJeztah merged commit a80fc88 into docker:master Apr 12, 2024
7 checks passed
@thaJeztah thaJeztah deleted the disable_seccomp_rpm branch April 12, 2024 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vvoland vvoland vvoland approved these changes

@neersighted neersighted Awaiting requested review from neersighted

Assignees

@thaJeztah thaJeztah

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

/usr/bin/tar: Cannot change mode to rwxr-xr-x: Operation not permitted
2 participants
@thaJeztah @vvoland