-
Notifications
You must be signed in to change notification settings - Fork 844
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[garden/seccomp] Unable to run 32-bit binaries in concourse containers #7471
Comments
Looks like statx isn't allowed? |
wait.. statx is allowed (and was added in 2020) @muntac However, this looks sus:
Is concourse failing to detect 32-bit? |
Muntac is off right now so don't expect a reply from him any time soon :) Could this be a bug with Fedora 34? Have you tested running 7.4.0 on Fedora 33? Would be interesting to see if the same error occurs there. From what I can tell, briefly looking at the |
As I said on the Fedora bug, it's a bug in the container environment. Fedora 34 simply uses slightly different parts of the Linux system call interface than previous versions. This comment above hints to the reason why:
Container environments need to return |
@fweimer-rh I'm a bit confused here. Isn't the EPERM error coming from the kernel ioctl and not anything concourse is doing? Unless i'm missing something, it seems that the github.com/opencontainers/runtime-spec/specs-go go module or the kernel is the cause? I'm not seeing any ENOSYS returns anywhere in the concourse code. These are all basic runc containers |
opencontainers/runtime-spec#960 this seems related. I guess the "default" in the runtime-spec go module is EPERM, and that needs adjusted to ENOSYS on "all platforms"? (or just Fedora platforms?) |
I opened opencontainers/runtime-spec#1122 about potentially changing the default in runtime-spec since it causes breakages. The alternative is I just stop using Fedora 😆 |
Thanks for making this issue @kallisti5 , it came at the perfect time! We have noticed that the latest Debian Bullseye release has also had issues due to the After some testing, we have been able to get around this by changing our container runtime to containerd.
https://concourse-ci.org/concourse-worker.html#containerd-runtime Not sure if it will also help with Fedora, but it might be worth a try. |
I love workarounds. Trying this out now. :-) |
confirming that switching from the default garden engine to containerd solves this issue! 🎆 Thanks @rcsalome ! |
Stuff like this is actually why we worked on the containerd runtime. I don't see the garden team keeping up with the recent OCI changes. They already don't support cgroupsV2 and that's been the default on Fedora for a while now and starting with Debian Bullseye as well. |
* Recent upgrade of concourse workers to bionic stemcells has fixed the issue that was causing us to run containers with escallated privileges concourse/concourse#7471 Co-authored-by: Jhonathan Aristizabal <[email protected]> Co-authored-by: Mark Stokan <[email protected]>
Summary
After upgrading to concourse 7.4.0 to from 7.2.0, and the container host to Fedora 34 from 33, unable to run 32-bit binaries in concourse
Originally reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1998392
They mentioned an issue with seccomp.
Maybe something is missing here?
https://github.com/concourse/concourse/blob/master/worker/runtime/spec/seccomp.go
Steps to reproduce
Container host: Fedora 34, x86_64
Image:
docker.io/fedora:34
Steps to Reproduce:
echo "void main(void) {}" > test.c
gcc -m32 test.c -o test-32bit
./test-32bit
Expected results
It to work
Actual results
./test-32bit: error while loading shared libraries: libc.so.6: cannot stat shared object: Operation not permitted
Triaging info
The text was updated successfully, but these errors were encountered: