Bug #48446

closed

Container build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

Added by Brad Hubbard over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

https://jenkins.ceph.com/job/ceph-dev-new-build/ARCH=x86_64,AVAILABLE_ARCH=x86_64,AVAILABLE_DIST=centos8,DIST=centos8,MACHINE_SIZE=gigantic/48887//consoleFull

+ make FLAVORS=wip-yuri3-testing-2020-12-02-1604-nautilus,centos,8 CEPH_DEVEL=true OSD_FLAVOR=default RELEASE=wip-yuri3-testing-2020-12-02-1604-nautilus-7d36476 TAG_REGISTRY=ceph-ci IMAGES_TO_BUILD=daemon-base build.parallel
...
STEP 14: ENV OSD_FLAVOR default
--> 8d89faaa352
STEP 15: RUN     yum install -y epel-release && yum install -y jq && bash -c '   if [ -n "" ]; then     echo "[ganesha]" > /etc/yum.repos.d/ganesha.repo ; 
...
ceph-fuse rbd-nbd     ${CRIMSON_PACKAGES} && echo 'Packages verified successfully']: time="2020-12-03T00:55:08Z" level=error msg="container_linux.go:346: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\"" 
container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter" 
: exit status 1

This looks like it could be the issue reported here https://github.com/seccomp/containers-golang/issues/28 which may indicate we require a newer version of runc or podman itself.

Running the following command works successfully on Fedora32 (just a test, not particularly helpful).

$ make FLAVORS=wip-yuri3-testing-2020-12-02-1604-nautilus,centos,8 CEPH_DEVEL=true OSD_FLAVOR=default RELEASE=wip-yuri3-testing-2020-12-02-1604-nautilus-7d36476 TAG_REGISTRY=ceph-ci IMAGES_TO_BUILD=daemon-base build.parallel

The same command fails with the issue in the subject line on braggi07.

Actions #1

Updated by Brad Hubbard over 3 years ago

This is the function in ceph-container that is responsible for installing podman.

function install_podman {
  # https://github.com/containers/libpod/issues/5306
  # https://podman.io/getting-started/installation.html
  if ${CI_CONTAINER}; then
    sudo dnf -y module disable container-tools
    sudo dnf -y install 'dnf-command(copr)'
    sudo dnf -y copr enable rhcontainerbot/container-selinux
    sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
    # https://tracker.ceph.com/issues/44242
    # We used to provide fuse-overlayfs-0.7.6-2.0 in lab-extras but a newer version is available in the kubic repo so we'll install/update from there
    sudo dnf install -y fuse-overlayfs
  fi
  sudo dnf install -y podman podman-docker
}

So on braggi07 we end up with.

# dnf list podman runc 
Last metadata expiration check: 1:45:23 ago on Thu 03 Dec 2020 03:16:35 AM UTC.
Installed Packages
podman.x86_64                                                                            2.2.0-1.el8                                                                                                        @devel_kubic_libcontainers_stable
runc.x86_64                                                                              1.0.0-64.rc9.module_el8.1.0+272+3e64ee36                                                                           @AppStream                       
Available Packages
podman.aarch64                                                                           2.2.0-1.el8                                                                                                        devel_kubic_libcontainers_stable 
podman.src                                                                               2.2.0-1.el8                                                                                                        devel_kubic_libcontainers_stable 
runc.aarch64                                                                             2:1.0.0-145.rc91.git24a3cf8.el8                                                                                    devel_kubic_libcontainers_stable 
runc.src                                                                                 2:1.0.0-145.rc91.git24a3cf8.el8                                                                                    devel_kubic_libcontainers_stable 
runc.x86_64                                                                              2:1.0.0-145.rc91.git24a3cf8.el8                                                                                    devel_kubic_libcontainers_stable

Looks like we have a definite mismatch between runc and podman packages.
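
Added example, not part of the ticket or of ceph-container: a POSIX shell check that parses `dnf list` output like the listing above and fails when the installed container-runtime packages come from different repositories, the condition found on braggi07. The function names are hypothetical, and the sample is constructed from the rows of that listing with the column padding collapsed.

```shell
# Constructed sample: rows copied from the "dnf list podman runc" output
# above, with column padding collapsed.
SAMPLE_DNF_LIST='Installed Packages
podman.x86_64 2.2.0-1.el8 @devel_kubic_libcontainers_stable
runc.x86_64 1.0.0-64.rc9.module_el8.1.0+272+3e64ee36 @AppStream
Available Packages
runc.x86_64 2:1.0.0-145.rc91.git24a3cf8.el8 devel_kubic_libcontainers_stable'

# installed_repos (hypothetical helper): reads `dnf list` output on stdin and
# prints "<package> <version> <repo>" for each row under "Installed Packages".
# Assumes each row is on one line (no column wrapping).
installed_repos() {
  awk '
    /^Installed Packages/ { installed = 1; next }
    /^Available Packages/ { installed = 0; next }
    installed && NF == 3 && $3 ~ /^@/ {
      name = $1
      sub(/\.[^.]*$/, "", name)      # drop the ".arch" suffix
      print name, $2, substr($3, 2)  # drop the leading "@" of the repo id
    }'
}

# check_runtime_repos (hypothetical helper): returns 1 and reports the rows on
# stderr when the installed packages on stdin come from more than one repo.
check_runtime_repos() {
  rows=$(installed_repos)
  count=$(printf '%s\n' "$rows" | awk 'NF && !seen[$3]++ { n++ } END { print n + 0 }')
  if [ "$count" -gt 1 ]; then
    printf 'repo mismatch among container runtime packages:\n%s\n' "$rows" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample; on a build host, pipe in the output of
# `dnf list podman runc` instead.
printf '%s\n' "$SAMPLE_DNF_LIST" | check_runtime_repos || echo "sample: mismatch detected"
```

Run as a pre-build step, a non-zero return stops the job before the image build reaches its first RUN step with a podman and runc pair drawn from different repositories.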

Actions #2

Updated by Brad Hubbard over 3 years ago

I upgraded runc and this works (the build completes) but it's not clear we want to leave it this way.

# dnf list podman runc 
Last metadata expiration check: 1:52:03 ago on Thu 03 Dec 2020 03:16:35 AM UTC.
Installed Packages
podman.x86_64                                                                                2.2.0-1.el8                                                                                                    @devel_kubic_libcontainers_stable
runc.x86_64                                                                                  2:1.0.0-145.rc91.git24a3cf8.el8                                                                                @devel_kubic_libcontainers_stable
Available Packages
podman.aarch64                                                                               2.2.0-1.el8                                                                                                    devel_kubic_libcontainers_stable 
podman.src                                                                                   2.2.0-1.el8                                                                                                    devel_kubic_libcontainers_stable 
runc.aarch64                                                                                 2:1.0.0-145.rc91.git24a3cf8.el8                                                                                devel_kubic_libcontainers_stable 
runc.src                                                                                     2:1.0.0-145.rc91.git24a3cf8.el8                                                                                devel_kubic_libcontainers_stable

It could be argued this is a ceph-containers issue as it plays kind of fast and loose with the repos it uses?

I guess the other build hosts would need to be set up to match braggi07 for them to also work (I don't know which machines they are?).

Sorry if I exceeded what's permissible by upgrading this package but it should be easy enough to downgrade and it was the definitive test for my theory this was a runc/podman compatibility issue.

Actions #3

Updated by Brad Hubbard over 3 years ago

  • Subject changed from Contatiner build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter" to Container build fails with 'container_linux.go:346: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

Actions #4

Updated by David Galloway over 2 years ago

Is this bug still happening?

Actions #5

Updated by Brad Hubbard over 2 years ago

  • Status changed from New to Closed

Doesn't appear so. Let's close it for now.
