
seccomp: do not fail on error from seccomp_arch_add() #219

Merged
merged 1 commit into from
Jul 13, 2020

Conversation

AkihiroSuda
Member

@AkihiroSuda
Member Author

@giusepe @Leo-LB @twagtig PTAL (also let me know the new WARNING output result)

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda How can I get an RPM to install with this new change? Is there a script?

@AkihiroSuda
Member Author

I don't know how to build RPM, but you can install slirp4netns from the source: https://github.com/rootless-containers/slirp4netns#install-from-source

@AkihiroSuda
Member Author

I see this: https://github.com/containers/podman/blob/master/contrib/build_rpm.sh

This one seems to be for Podman, not for slirp4netns.

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda I thought it bundled both, but probably not; you're right.

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda

Works, full log:

$ podman run --log-level debug --rm -it alpine /bin/sh
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level debug --rm -it alpine /bin/sh) 
DEBU[0000] Found deprecated file /home/jdoe/.config/containers/containers.conf, please remove. Use /home/jdoe/.config/containers/containers.conf to override defaults. 
DEBU[0000] Reading configuration file "/home/jdoe/.config/containers/libpod.conf" 
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/jdoe/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files. 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] private enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] []  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true cgroupfs [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/libexec/crio/conmon /usr/local/lib/podman/conmon /usr/local/libexec/crio/conmon /usr/bin/conmon /usr/sbin/conmon /usr/lib/podman/bin/conmon /usr/lib/crio/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.1 /usr/libexec/podman/catatonit shm   false 2048 /usr/bin/crun map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /home/jdoe/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/jdoe/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Using conmon: "/usr/libexec/crio/conmon"     
DEBU[0000] Initializing boltdb state at /home/jdoe/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/jdoe/.local/share/containers/storage 
DEBU[0000] Using run root /tmp/1000                     
DEBU[0000] Using static dir /home/jdoe/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/jdoe/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/bin/runc"                
DEBU[0000] using runtime "/usr/bin/crun"                
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] using runtime "/usr/bin/crun"                
INFO[0000] Setting parallel job count to 193            
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 10 for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] created container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has work directory "/home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has run directory "/tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has CgroupParent "/libpod_parent/libpod-a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] overlay: mount_data=lowerdir=/home/jdoe/.local/share/containers/storage/overlay/l/GCN4R5HA6G4EJ6W4HJTT4FRZZU,upperdir=/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/diff,workdir=/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/work,context="system_u:object_r:container_file_t:s0:c885,c964" 
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-d9783600-a7df-16c6-6886-55cc51030443 for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] mounted container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" at "/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/merged" 
DEBU[0000] slirp4netns command: /usr/local/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-d9783600-a7df-16c6-6886-55cc51030443 tap0 
DEBU[0000] Created root filesystem for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 at /home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/merged 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret 
DEBU[0000] Setting CGroup path for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 to /libpod_parent/libpod-a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Created OCI spec for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 at /home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/config.json 
DEBU[0000] /usr/libexec/crio/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/libexec/crio/conmon      args="[--api-version 1 -c a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 -u a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 -r /usr/bin/crun -b /home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata -p /tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/pidfile -n serene_hellman --exit-dir /run/user/1000/libpod/tmp/exits --socket-dir-path /run/user/1000/libpod/tmp/socket -l k8s-file:/home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/jdoe/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/1000 --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --runtime --exit-command-arg /usr/bin/crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg true --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749]"
DEBU[0000] Received: 97118                              
INFO[0000] Got Conmon PID as 97114                      
DEBU[0000] Created container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 in OCI runtime 
DEBU[0000] Attaching to container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] connecting to socket /run/user/1000/libpod/tmp/socket/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/attach 
DEBU[0000] Received a resize event: {Width:141 Height:43} 
DEBU[0000] Starting container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 with command [/bin/sh] 
DEBU[0000] Started container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
/ #

If I run: sudo make uninstall and execute the same command:

$ podman run --log-level debug --rm -it alpine /bin/sh
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level debug --rm -it alpine /bin/sh) 
DEBU[0000] Found deprecated file /home/jdoe/.config/containers/containers.conf, please remove. Use /home/jdoe/.config/containers/containers.conf to override defaults. 
DEBU[0000] Reading configuration file "/home/jdoe/.config/containers/libpod.conf" 
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/jdoe/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files. 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] private enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] []  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true cgroupfs [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/libexec/crio/conmon /usr/local/lib/podman/conmon /usr/local/libexec/crio/conmon /usr/bin/conmon /usr/sbin/conmon /usr/lib/podman/bin/conmon /usr/lib/crio/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.1 /usr/libexec/podman/catatonit shm   false 2048 /usr/bin/crun map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /home/jdoe/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/jdoe/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Using conmon: "/usr/libexec/crio/conmon"     
DEBU[0000] Initializing boltdb state at /home/jdoe/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/jdoe/.local/share/containers/storage 
DEBU[0000] Using run root /tmp/1000                     
DEBU[0000] Using static dir /home/jdoe/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/jdoe/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/bin/runc"                
DEBU[0000] using runtime "/usr/bin/crun"                
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] using runtime "/usr/bin/crun"                
INFO[0000] Setting parallel job count to 193            
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 10 for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] created container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has work directory "/home/jdoe/.local/share/containers/storage/overlay-containers/41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf/userdata" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has run directory "/tmp/1000/overlay-containers/41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf/userdata" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has CgroupParent "/libpod_parent/libpod-41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] overlay: mount_data=lowerdir=/home/jdoe/.local/share/containers/storage/overlay/l/GCN4R5HA6G4EJ6W4HJTT4FRZZU,upperdir=/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/diff,workdir=/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/work,context="system_u:object_r:container_file_t:s0:c152,c229" 
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0000] mounted container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" at "/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/merged" 
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf tap0 
DEBU[0001] Created root filesystem for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf at /home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/merged 
DEBU[0001] unmounted container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0001] Tearing down network namespace at /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Cleaning up container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Network is already cleaned up, skipping...   
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] Removing container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Removing all exec sessions for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Cleaning up container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Network is already cleaned up, skipping...   
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] ExitCode msg: "/usr/bin/slirp4netns failed: \"sent tapfd=7 for tap0\\nwarning: support for seccomp is experimental\\nreceived tapfd=7\\nseccomp: can't add extra arch (i=0)\\nenable_seccomp failed\\ndo_slirp is exiting\\ndo_slirp failed\\nparent failed\\nwarning: support for seccomp is experimental\\nstarting slirp\\n* mtu:             65520\\n* network:         10.0.2.0\\n* netmask:         255.255.255.0\\n* gateway:         10.0.2.2\\n* dns:             10.0.2.3\\n* recommended ip:  10.0.2.100\\n\"" 
Error: /usr/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\nseccomp: can't add extra arch (i=0)\nenable_seccomp failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU:             65520\n* Network:         10.0.2.0\n* Netmask:         255.255.255.0\n* Gateway:         10.0.2.2\n* DNS:             10.0.2.3\n* Recommended IP:  10.0.2.100\n"

This confirms that this PR fixes the issue.

@AkihiroSuda
Member Author

Thanks, could you also try https://github.com/rootless-containers/slirp4netns#usage but with --enable-seccomp?

I want to know the output of the newly added strerror()

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda

$ slirp4netns --configure --mtu=65520 --enable-seccomp --disable-host-loopback $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
seccomp: WARNING: can't add extra arch (i=0): Success
seccomp: The following syscalls will be blocked by seccomp: execve execveat open_by_handle_at ptrace prctl process_vm_readv process_vm_writev mount name_to_handle_at setns umount umount2 unshare.

And network access works in the namespace.

@AkihiroSuda
Member Author

Thanks, but the Success error is weird 🤔

@AkihiroSuda
Member Author

Sorry, please try this:

diff --git a/seccompfilter.c b/seccompfilter.c
index 3de6b95..edd3cfb 100644
--- a/seccompfilter.c
+++ b/seccompfilter.c
@@ -20,7 +20,7 @@ int enable_seccomp()
         if (rc < 0 && rc != -EEXIST) {
             fprintf(stderr,
                     "seccomp: WARNING: can't add extra arch (i=%d): %s\n", i,
-                    strerror(errno));
+                    strerror(-rc));
         }
     }
     printf("seccomp: The following syscalls will be blocked by seccomp:");
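Review bot: `strerror(-rc)` is the correct call here, because libseccomp's `seccomp_arch_add()` reports failure through a negative errno return value and leaves `errno` untouched, which is why the earlier `strerror(errno)` printed "Success" for a call that had failed; the `rc != -EEXIST` test on the line above already follows that convention, so the two lines are now consistent. One follow-up to consider: the commit message says EDOM is to be ignored on ppc64le, so if that case is meant to be tolerated silently rather than logged, add `rc != -EDOM` beside the `-EEXIST` check (or a short comment saying why the warning is kept) so the intent is visible in the code rather than only in the commit message.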

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda

$ slirp4netns --configure --mtu=65520 --enable-seccomp --disable-host-loopback $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
seccomp: WARNING: can't add extra arch (i=0): Numerical argument out of domain
seccomp: The following syscalls will be blocked by seccomp: execve execveat open_by_handle_at ptrace prctl process_vm_readv process_vm_writev mount name_to_handle_at setns umount umount2 unshare.
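The exchange above pins down why the first WARNING said "Success": libseccomp's seccomp_arch_add() returns a negative errno value (here -EDOM on ppc64le, -EEXIST when the arch is already present) and does not set errno, so strerror(errno) reports stale state while strerror(-rc) gives the real reason. The C program below is an added example, not slirp4netns code. mock_seccomp_arch_add() and the ARCH_* tokens are hypothetical stand-ins for the libseccomp call and its SCMP_ARCH_* values, chosen so the program builds without libseccomp; it contrasts the buggy and fixed reporting and mirrors this PR's policy of warning instead of failing when an extra arch cannot be added.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed arch tokens for the example; the real ones (SCMP_ARCH_*) live in
 * <seccomp.h>, which this stand-alone program deliberately does not need. */
enum { ARCH_NATIVE = 1, ARCH_COMPAT = 2, ARCH_UNSUPPORTED = 3 };

/* Hypothetical mock of libseccomp's seccomp_arch_add(): returns 0 on success
 * or a negative errno value on failure, and never touches errno, which is the
 * convention the real API follows. -EDOM reproduces the ppc64le report above. */
static int mock_seccomp_arch_add(int arch)
{
    switch (arch) {
    case ARCH_NATIVE:      return -EEXIST; /* native arch is already in the filter */
    case ARCH_COMPAT:      return 0;
    case ARCH_UNSUPPORTED: return -EDOM;   /* arch cannot be added on this host */
    default:               return -EINVAL;
    }
}

/* Buggy reporting (the '-' side of the diff): reads errno, which the callee
 * never set, so the text does not depend on rc at all. */
const char *arch_add_reason_buggy(int rc)
{
    (void)rc;
    return strerror(errno);
}

/* Fixed reporting (the '+' side): negate the return code to recover the errno. */
const char *arch_add_reason(int rc)
{
    return strerror(-rc);
}

/* Policy from the PR title: a failed extra-arch add is a warning, not a fatal
 * error, and -EEXIST (arch already present) is not worth a warning at all.
 * Returns the number of warnings emitted so callers can see what was skipped;
 * the seccomp filter is still applied for the arches that were added. */
int add_extra_arches(const int *arches, int n)
{
    int warnings = 0;
    for (int i = 0; i < n; i++) {
        int rc = mock_seccomp_arch_add(arches[i]);
        if (rc < 0 && rc != -EEXIST) {
            fprintf(stderr, "seccomp: WARNING: can't add extra arch (i=%d): %s\n",
                    i, arch_add_reason(rc));
            warnings++;
        }
    }
    return warnings;
}

int main(void)
{
    const int arches[] = { ARCH_NATIVE, ARCH_COMPAT, ARCH_UNSUPPORTED };
    int skipped = add_extra_arches(arches, 3);
    printf("seccomp: %d extra arch(es) skipped, filter is still applied\n", skipped);
    return 0;
}
```

Running it prints one WARNING for the -EDOM arch with "Numerical argument out of domain" as the reason, stays silent for the -EEXIST native arch, and continues rather than aborting, which is the behaviour the PR title asks for.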

@AkihiroSuda
Member Author

Thanks, never heard of this errno 👀 > Numerical argument out of domain

@llebout

llebout commented Jul 13, 2020

@AkihiroSuda Me neither.

Collaborator

@giuseppe giuseppe left a comment


just a typo, otherwise LGTM

Review comment on seccompfilter.c (outdated, resolved)
Especially ignore EDOM on ppc64le

Fix containers/podman#6922

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda merged commit 0df2444 into rootless-containers:master Jul 13, 2020

Successfully merging this pull request may close these issues.

ppc64le: slirp4netns "seccomp: can't add extra arch (i=0)" "enable_seccomp failed"
3 participants