Bug #48446
Container build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
Status: Closed
Description
+ make FLAVORS=wip-yuri3-testing-2020-12-02-1604-nautilus,centos,8 CEPH_DEVEL=true OSD_FLAVOR=default RELEASE=wip-yuri3-testing-2020-12-02-1604-nautilus-7d36476 TAG_REGISTRY=ceph-ci IMAGES_TO_BUILD=daemon-base build.parallel
...
STEP 14: ENV OSD_FLAVOR default
--> 8d89faaa352
STEP 15: RUN yum install -y epel-release && yum install -y jq && bash -c ' if [ -n "" ]; then echo "[ganesha]" > /etc/yum.repos.d/ganesha.repo ; ... ceph-fuse rbd-nbd ${CRIMSON_PACKAGES} && echo 'Packages verified successfully']:
time="2020-12-03T00:55:08Z" level=error msg="container_linux.go:346: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\""
container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
: exit status 1
This looks like it could be the issue reported here https://github.com/seccomp/containers-golang/issues/28 which may indicate we require a newer version of runc or podman itself.
Running the following command works successfully on Fedora32 (just a test, not particularly helpful).
$ make FLAVORS=wip-yuri3-testing-2020-12-02-1604-nautilus,centos,8 CEPH_DEVEL=true OSD_FLAVOR=default RELEASE=wip-yuri3-testing-2020-12-02-1604-nautilus-7d36476 TAG_REGISTRY=ceph-ci IMAGES_TO_BUILD=daemon-base build.parallel
The same command fails with the issue in the subject line on braggi07.
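The error text in the subject line is libseccomp's complaint that a rule being added to the filter carries the same action as the filter's default action. As an added example (not code from the ceph-container, podman or runc projects), the checker below reads a seccomp profile in the containers/OCI JSON layout (`defaultAction` plus a `syscalls` list of `names`/`action`/`args` rules) and reports every rule that would trip that check. It also distinguishes rules that are merely redundant from rules that share a syscall with a rule of a different action, because removing the latter would widen what the filter allows. The embedded profile is constructed for this example and is not the default profile podman ships; the `socket` argument value 40 is illustrative.

```python
"""Find seccomp rules whose action equals the profile's defaultAction.

Added example, not code from ceph-container, podman or runc.  Reads the
containers/OCI seccomp JSON layout and reports rules that libseccomp would
reject with "requested action matches default action of filter".
"""
import json
from typing import Dict, List

# Constructed sample profile (NOT the real containers seccomp.json).
# Rule 1 is the interesting shape: an ERRNO rule on socket restricted by
# argument, under a filter whose default is already ERRNO.  Rule 3 is a
# plain redundant rule with no competing rule on the same syscall.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["socket"], "action": "SCMP_ACT_ERRNO",
     "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_EQ"}]},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "args": []}
  ]
}
"""


def load_profile(text: str) -> Dict:
    """Parse a seccomp profile from its JSON text."""
    return json.loads(text)


def check_profile(profile: Dict) -> List[Dict]:
    """Return one finding per rule whose action equals defaultAction.

    A finding is 'removable' only when no other rule names the same syscall
    with a different action.  If such a rule exists, the default-action rule
    is acting as a carve-out (for example, blocking one argument value while
    another rule allows the syscall in general) and dropping it would change
    what the filter permits.
    """
    default = profile.get("defaultAction")
    rules = profile.get("syscalls", [])
    findings: List[Dict] = []
    for idx, rule in enumerate(rules):
        if rule.get("action") != default:
            continue
        names = list(rule.get("names", []))
        competing = {
            n
            for j, other in enumerate(rules)
            if j != idx and other.get("action") != default
            for n in other.get("names", [])
            if n in names
        }
        findings.append(
            {
                "index": idx,
                "names": names,
                "action": rule.get("action"),
                "args": rule.get("args", []),
                "removable": not competing,
            }
        )
    return findings


def remove_redundant_rules(profile: Dict) -> Dict:
    """Return a copy of the profile with only the 'removable' findings dropped.

    Rules flagged as not removable are kept on purpose; they need a human
    decision (or a runtime that handles them) rather than silent deletion.
    """
    drop = {f["index"] for f in check_profile(profile) if f["removable"]}
    fixed = dict(profile)
    fixed["syscalls"] = [
        r for i, r in enumerate(profile.get("syscalls", [])) if i not in drop
    ]
    return fixed


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    for f in check_profile(prof):
        kind = "redundant" if f["removable"] else "carve-out, keep"
        print(f"rule {f['index']} {f['names']} {f['action']}: {kind}")
```

Run against a real profile with `load_profile(open(path).read())`; any finding marked as a carve-out is the case where simply deleting the rule is the wrong fix, which is why the thread's resolution (matching runc to the podman package set) is the safer route than hand-editing the profile.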
Updated by Brad Hubbard over 3 years ago
This is the function in ceph-container that is responsible for installing podman.
function install_podman {
    # https://github.com/containers/libpod/issues/5306
    # https://podman.io/getting-started/installation.html
    if ${CI_CONTAINER}; then
        sudo dnf -y module disable container-tools
        sudo dnf -y install 'dnf-command(copr)'
        sudo dnf -y copr enable rhcontainerbot/container-selinux
        sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
        # https://tracker.ceph.com/issues/44242
        # We used to provide fuse-overlayfs-0.7.6-2.0 in lab-extras but a newer version is available in the kubic repo so we'll install/update from there
        sudo dnf install -y fuse-overlayfs
    fi
    sudo dnf install -y podman podman-docker
}
So on braggi07 we end up with:
# dnf list podman runc
Last metadata expiration check: 1:45:23 ago on Thu 03 Dec 2020 03:16:35 AM UTC.
Installed Packages
podman.x86_64    2.2.0-1.el8                                  @devel_kubic_libcontainers_stable
runc.x86_64      1.0.0-64.rc9.module_el8.1.0+272+3e64ee36     @AppStream
Available Packages
podman.aarch64   2.2.0-1.el8                                  devel_kubic_libcontainers_stable
podman.src       2.2.0-1.el8                                  devel_kubic_libcontainers_stable
runc.aarch64     2:1.0.0-145.rc91.git24a3cf8.el8              devel_kubic_libcontainers_stable
runc.src         2:1.0.0-145.rc91.git24a3cf8.el8              devel_kubic_libcontainers_stable
runc.x86_64      2:1.0.0-145.rc91.git24a3cf8.el8              devel_kubic_libcontainers_stable
Looks like we have a definite mismatch between runc and podman packages.
Updated by Brad Hubbard over 3 years ago
I upgraded runc and this works (the build completes), but it's not clear we want to leave it this way.
# dnf list podman runc
Last metadata expiration check: 1:52:03 ago on Thu 03 Dec 2020 03:16:35 AM UTC.
Installed Packages
podman.x86_64    2.2.0-1.el8                                  @devel_kubic_libcontainers_stable
runc.x86_64      2:1.0.0-145.rc91.git24a3cf8.el8              @devel_kubic_libcontainers_stable
Available Packages
podman.aarch64   2.2.0-1.el8                                  devel_kubic_libcontainers_stable
podman.src       2.2.0-1.el8                                  devel_kubic_libcontainers_stable
runc.aarch64     2:1.0.0-145.rc91.git24a3cf8.el8              devel_kubic_libcontainers_stable
runc.src         2:1.0.0-145.rc91.git24a3cf8.el8              devel_kubic_libcontainers_stable
It could be argued this is a ceph-containers issue as it plays kind of fast and loose with the repos it uses?
I guess the other build hosts would need to be set up to match braggi07 for them to also work (I don't know which machines they are?).
Sorry if I exceeded what's permissible by upgrading this package but it should be easy enough to downgrade and it was the definitive test for my theory this was a runc/podman compatibility issue.
Updated by Brad Hubbard over 3 years ago
- Subject changed from Contatiner build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter" to Container build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
Updated by Brad Hubbard over 2 years ago
- Status changed from New to Closed
Doesn't appear so. Let's close it for now.