Error building Tracee on Ubuntu 20.04.2 LTS kernel 5.4.0-73-generic #828
Comments
I found a fix to this issue by editing the |
@rafaeldtinoco thanks for the analysis. I'm not sure I understood the solution (workaround you mentioned), is there a fix required on our side? |
I'm not sure why @idanr1986's environment is failing. I'm currently using a similar kernel and docker.io packages from Ubuntu Focal (but updated to the latest) and cannot reproduce. My bet is that his environment is enforcing some kind of changed profile by default, which is causing the change of errors for syscalls wrapped by seccomp. With that said, we can create a profile:

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": [
        "faccessat2"
      ],
      "action": "SCMP_ACT_ERRNO",
      "args": [],
      "comment": "",
      "includes": {},
      "excludes": {}
    }
  ]
}
```

and execute docker with that profile:

```
docker run -it --security-opt seccomp=./profile.json alpine:edge /bin/sh
```

and we could mitigate this issue as long as we discover what syscall is being wrapped by seccomp and failing. |
@itaysk Should we do something here? To have the build workaround (this or a polished version of this) in tracee's Makefile?
|
For now, maybe we can change the dockerfile to point to a previous tag of alpine instead of latest to workaround this? |
Never mind, I have just reproduced the issue:
In a recently installed environment without ANY updates. I'll isolate kernel and OS upgrades to see what mitigates the issue. Then we will have to decide whether we want the workaround in the Makefile (to cover building in outdated environments) or just document here that one using Ubuntu should apply all updates to it before building tracee. |
The FIX is to update your environment (Ubuntu Focal)
BUT, if you cannot do that, then AT LEAST upgrade runc package from It contains the mitigation for this issue. I'll bisect runc changes and see what is the specific fix. |
And the runc commit in between these 2 versions that fixed the issue is this one: seccomp: prepend -ENOSYS stub to all filters
|
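
A way to check, from inside a container, how the runtime's seccomp filter answers `faccessat2`, which is the difference between the failing and the fixed runc discussed above. This is an added example, not code from this thread, tracee or runc; the syscall number 439 (x86_64/aarch64) and the names `probe_faccessat2` and `classify` are assumptions of the example.

```python
import ctypes
import errno
import os

# Assumption: faccessat2 is syscall 439 on x86_64 and aarch64 Linux.
SYS_FACCESSAT2 = 439
AT_FDCWD = -100  # resolve the path relative to the current directory


def probe_faccessat2(path=b"."):
    """Call faccessat2(AT_FDCWD, path, F_OK, 0) directly; return (ret, errno)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    ctypes.set_errno(0)
    ret = libc.syscall(ctypes.c_long(SYS_FACCESSAT2), ctypes.c_int(AT_FDCWD),
                       ctypes.c_char_p(path), ctypes.c_int(os.F_OK),
                       ctypes.c_int(0))
    return ret, (ctypes.get_errno() if ret != 0 else 0)


def classify(ret, err):
    """Map a probe result to what it says about the seccomp filter."""
    if ret == 0:
        return "ok", "faccessat2 is implemented and allowed"
    if err == errno.ENOSYS:
        # Either the kernel lacks the syscall or the filter answers ENOSYS
        # for it; libc then retries with the older faccessat.
        return "fallback", "ENOSYS: libc can fall back to faccessat"
    if err == errno.EPERM:
        # An existence check (F_OK) on "." is not expected to return EPERM,
        # so a filter is denying the call: the failure seen in this issue.
        return "blocked", "EPERM: denied by a seccomp filter, no libc fallback"
    return "inconclusive", os.strerror(err)


if __name__ == "__main__":
    verdict, detail = classify(*probe_faccessat2())
    print(f"{verdict}: {detail}")
```

A `blocked` verdict inside the build container matches the `mkdir: Operation not permitted` failure reported in this issue; `ok` or `fallback` means the filter is not the cause.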
@rafaeldtinoco thanks for the analysis. |
Correct IMO, it is well documented for whoever needs it. Closing this then. Thank you. |
While executing `make docker` I get:

```
make: mkdir: Operation not permitted
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
docker build --build-arg VERSION=0 --build-arg BUILD_DATE=2021-07-19T19:12:26Z --build-arg VCS_BRANCH="" --build-arg VCS_REF="" -t tracee:latest .
Sending build context to Docker daemon 1.042MB
Step 1/23 : ARG BASE=fat
Step 2/23 : FROM golang:1.16-alpine as builder
---> 7762f5dece68
Step 3/23 : RUN apk --no-cache update && apk --no-cache add git clang llvm make gcc libc6-compat coreutils linux-headers musl-dev elfutils-dev libelf-static zlib-static
---> Using cache
---> 43f7119b67f1
Step 4/23 : WORKDIR /tracee
---> Using cache
---> 3a08e75d98b8
Step 5/23 : FROM builder as build
---> 3a08e75d98b8
Step 6/23 : ARG VERSION
---> Using cache
---> 2cf6c5026aee
Step 7/23 : COPY . /tracee
---> Using cache
---> aef8a7671824
Step 8/23 : RUN make
---> Running in feaec81d439f
make: mkdir: Operation not permitted
make: *** [Makefile:32: dist] Error 127
mkdir -p dist
The command '/bin/sh -c make' returned a non-zero code: 2
make: *** [Makefile:59: docker] Error 2
```