[Bug 1170495] New: clock_gettime64() fails with EPERM in a docker container
http://bugzilla.suse.com/show_bug.cgi?id=1170495 Bug ID: 1170495 Summary: clock_gettime64() fails with EPERM in a docker container Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: mls@suse.com QA Contact: qa-bugs@suse.de CC: fvogt@suse.com Found By: --- Blocker: --- This is a somewhat weird bug. We got reports that container builds fail for Factory in i586 because zypper can not find packages. After some debugging we found that mkostemp() did not work correctly in libzypp, leading to libzypp being unable to refresh repositories. After some more debugging I found that this happens when the vdso vsyscall falls back to a real clock_gettime64() syscall. This syscall fails with EPERM when running in a container: clock_gettime64(CLOCK_MONOTONIC, 0xbffe46dc) = -1 EPERM (Operation not permitted) I don't see why clock_gettime64() should be restricted in any way. (It would also be interesting to know why the vdso call needs to do a syscall, but that's a different issue...) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1170495
Michael Schröder
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c1
--- Comment #1 from Michael Schröder
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c2
Takashi Iwai
Hmm, Fabian just wrote me that it's probably just the clock_gettime64 syscall missing from docker's seccomp profile. So this is most likely not a kernel bug.
See bug 1163766 as another example. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c3
Michal Suchanek
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c4
--- Comment #4 from Michael Schröder
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c5
Fabian Vogt
Note that glibc implements clock_gettime() with a clock_gettime64() call on 32bit, so this is not just some applications...
Unlike the statx case, here it's actually feasible to work around this in glibc (if desirable) by just treating EPERM like ENOSYS. Adding glibc maintainer to CC.
Anyway, the big question is why the syscall is needed at all and it's not just the vdso code reading the values from memory.
Some clocksources don't have vdso support. I see the same here with kvm-clock, but after switching to tsc vdso works again. So this is presumably expected. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1170495
http://bugzilla.suse.com/show_bug.cgi?id=1170495#c6
--- Comment #6 from Michal Suchanek
participants (1)
-
bugzilla_noreply@novell.com