[Bug 1152773] New: seccomp error if running containers with podman on armv7
http://bugzilla.suse.com/show_bug.cgi?id=1152773

Bug ID: 1152773
Summary: seccomp error if running containers with podman on armv7
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Containers
Assignee: containers-bugowner@suse.de
Reporter: kukuk@suse.com
QA Contact: qa-bugs@suse.de
CC: rbrown@suse.com
Found By: ---
Blocker: ---

Calling "podman run --rm -it registry.opensuse.org/opensuse/busybox" on a Raspberry Pi2 stops with the following error:

    Error: container_linux.go:345: starting container process caused "error loading seccomp filter into kernel: invalid argument": OCI runtime error

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1152773

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |guillaume.gardet@arm.com

http://bugzilla.suse.com/show_bug.cgi?id=1152773
http://bugzilla.suse.com/show_bug.cgi?id=1152773#c1

--- Comment #1 from Guillaume GARDET <guillaume.gardet@arm.com> ---
armv7 has no seccomp filter since HAVE_ARCH_SECCOMP_FILTER is not selected by armv7. Only arm64 selects HAVE_ARCH_SECCOMP_FILTER.
In 2012 some patches were sent to add this support to armv7, but never ended in the kernel:
http://lkml.iu.edu/hypermail/linux/kernel/1210.3/03963.html

https://bugzilla.suse.com/show_bug.cgi?id=1152773
https://bugzilla.suse.com/show_bug.cgi?id=1152773#c4

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fvogt@suse.com
          Component|Containers                  |Kernel
           Assignee|containers-bugowner@suse.de |kernel-bugs@opensuse.org

--- Comment #4 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Guillaume GARDET from comment #3)
> (In reply to Guillaume GARDET from comment #1)
> > armv7 has no seccomp filter since HAVE_ARCH_SECCOMP_FILTER is not selected by armv7. Only arm64 selects HAVE_ARCH_SECCOMP_FILTER.
> > In 2012 some patches were sent to add this support to armv7, but never ended in the kernel: http://lkml.iu.edu/hypermail/linux/kernel/1210.3/03963.html
>
> CONFIG_HAVE_ARCH_SECCOMP_FILTER is enabled since
> https://github.com/openSUSE/kernel-source/commit/e9e55d07c18023edb983e14bacdc2ff2542671c7
> So, it should be fine now, but it is still broken.

It might work using kernel-default meanwhile, but kernel-lpae (and kernel-obs-build, same binary) are missing:
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y

Reassigning to kernel.

https://bugzilla.suse.com/show_bug.cgi?id=1152773
https://bugzilla.suse.com/show_bug.cgi?id=1152773#c5

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tiwai@suse.com

--- Comment #5 from Takashi Iwai <tiwai@suse.com> ---
SECCOMP_FILTER is available only when CONFIG_OABI_COMPAT=n. It's explicitly limited via commit 9170217510cd280c704966738e7c1660c8fa5cbd
    ARM: 7888/1: seccomp: not compatible with ARM OABI

And kernel-lpae defines this, so CONFIG_SECCOMP_FILTER isn't available there.

https://bugzilla.suse.com/show_bug.cgi?id=1152773
https://bugzilla.suse.com/show_bug.cgi?id=1152773#c6

--- Comment #6 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Takashi Iwai from comment #5)
> SECCOMP_FILTER is available only when CONFIG_OABI_COMPAT=n. It's explicitly limited via commit 9170217510cd280c704966738e7c1660c8fa5cbd
>     ARM: 7888/1: seccomp: not compatible with ARM OABI
>
> And kernel-lpae defines this, so CONFIG_SECCOMP_FILTER isn't available there.

Sounds like that should be changed. For default it was part of your commit:
    Update config files: disable CONFIG_OABI_COMPAT for 32bit Arm (bsc#1165462)

That didn't touch lpae though, it's out of sync. I don't think much of the diff between default and lpae is intentional, maybe it should be rebased on default again.

https://bugzilla.suse.com/show_bug.cgi?id=1152773
https://bugzilla.suse.com/show_bug.cgi?id=1152773#c7

--- Comment #7 from Takashi Iwai <tiwai@suse.com> ---
A good point, it must be an oversight, then. I'm going to push the correction.

https://bugzilla.suse.com/show_bug.cgi?id=1152773
https://bugzilla.suse.com/show_bug.cgi?id=1152773#c8

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Takashi Iwai <tiwai@suse.com> ---
The fix got merged to master and stable branches.

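Added example, not part of the bug thread or of any openSUSE tooling: the config comparison done by hand in the comments above, as a shell function that reads a kernel config file and reports whether CONFIG_SECCOMP_FILTER is built in and, if not, which of the options named in this thread is the cause. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# cfg_value FILE OPTION
# Prints the value of CONFIG_<OPTION>, or "n" when the option is absent
# or appears only as "# CONFIG_<OPTION> is not set".
cfg_value() {
    v=$(sed -n "s/^CONFIG_$2=\(.*\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# seccomp_filter_status FILE
# Prints a one-line verdict. OABI_COMPAT is checked before
# HAVE_ARCH_SECCOMP_FILTER because, per comment #5, the OABI setting is
# what keeps the filter options from being available on 32-bit Arm.
seccomp_filter_status() {
    cfg=$1
    if [ "$(cfg_value "$cfg" SECCOMP_FILTER)" = y ]; then
        echo "ok: SECCOMP_FILTER=y"
    elif [ "$(cfg_value "$cfg" OABI_COMPAT)" = y ]; then
        echo "missing: OABI_COMPAT=y blocks SECCOMP_FILTER on 32-bit Arm"
    elif [ "$(cfg_value "$cfg" HAVE_ARCH_SECCOMP_FILTER)" != y ]; then
        echo "missing: HAVE_ARCH_SECCOMP_FILTER not selected"
    elif [ "$(cfg_value "$cfg" SECCOMP)" != y ]; then
        echo "missing: SECCOMP disabled"
    else
        echo "missing: SECCOMP_FILTER not set"
    fi
}

# Constructed sample configs modelled on the two flavours discussed in the
# thread; they are not copies of the real openSUSE config files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'CONFIG_AEABI=y' 'CONFIG_OABI_COMPAT=y' 'CONFIG_SECCOMP=y' \
    > "$tmp/lpae"
printf '%s\n' 'CONFIG_AEABI=y' '# CONFIG_OABI_COMPAT is not set' \
    'CONFIG_HAVE_ARCH_SECCOMP_FILTER=y' 'CONFIG_SECCOMP=y' \
    'CONFIG_SECCOMP_FILTER=y' > "$tmp/default"

for flavour in lpae default; do
    printf '%s: %s\n' "$flavour" "$(seccomp_filter_status "$tmp/$flavour")"
done
```

On a running system, point seccomp_filter_status at /boot/config-$(uname -r), or at a decompressed copy of /proc/config.gz when the kernel provides it.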