Build will fail when docker has glibc2.34+ and glib2.72+ (close_range EPERM) #43595
Comments
The building of tests is optional [as of 2.42.9](https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/801eef111df624f4377baed9a90c94b6a2d4340c). This applies this option in the build. The reason the option was added was to deal with test build failures in sandboxed environments and with certain glibc versions (caused by glib gresources). For example, with the latest version glibc and in the latest version of docker these tests [cannot be built](moby/moby#43595).
The building of tests is optional [as of 2.42.9](https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/801eef111df624f4377baed9a90c94b6a2d4340c). This applies this option in the build. The reason the option was added was to deal with test build failures in sandboxed environments and with certain glibc versions (caused by glib gresources). For example, with the latest version glibc and in the latest version of docker these tests [cannot be built](moby/moby#43595).
The building of tests is optional [as of 2.42.9](https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/801eef111df624f4377baed9a90c94b6a2d4340c). This applies this option in the build. The reason the option was added was to deal with test build failures in sandboxed environments and with certain glibc versions (caused by glib gresources). For example, with the latest version glibc and in the latest version of docker these tests [cannot be built](moby/moby#43595).
|
Hi, @thaJeztah Can you share any plan about fixing this issue? Thanks. |
|
Do you have a minimal way to reproduce this issue (using just a plain I see these PRs updated the seccomp profile to add
The last one is part of docker 20.10.14 and up. |
|
It can be reproduced by following steps:
Seems #41971 add close_range, but don't set the default errno to ENOSYS, and EPERM is returned, after commit https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c, glib2 will report error. Maybe we need change like More info:
|
|
libseccomp did not have support for close_range until version 2.5.2, ubuntu 20.04 (from your host) and even 22.04 only include 2.5.1. It looks like Debian backported the patch to add support for close_range to their 2.5.1 package. |
|
@cpuguy83 I checked on the docker 22.04, it seems have 2.5.3 $ docker run -i -t -v /docker/:/mnt ubuntu:22.04 /bin/bash |
|
It's the |
|
Looks like it's been updated in ubuntu 22.04.1: |
|
@Rid does it work as expected with the updated version? |
|
@thaJeztah Yes, using the reproducer: I think this can be closed. |
|
Thank you! That's always good to hear; I'll close the ticket, but feel free to continue the conversation 👍 |
|
In case someone is looking for a workaround without upgrading the |
Description
docker has glibc2.35, and build with glib2.72+, the build will fail with error:
(glib-compile-resources:19315): GLib-GObject-CRITICAL **: 08:08:56.312: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
../gdk-pixbuf-2.42.8/tests/resources.gresource.xml: Failed to close file descriptor for child process (Operation not permitted).
The reason is that, close_range treturn EPERM for docker container, .since commit [1], glib will report error, and upstream reject to accpect EPERM as return value.
This issue is a little similar like the issue we met before for clone3, and the fix is [3].
I notice that we have an RFE [4] to make Seccomp Profiles to ENOSYS Default, seems this is the solution,
since glib only will take ENOSYS as correct return.
[1] https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/2580
[3] #42681
[4] #42871
Steps to reproduce the issue:
In order to simple the reproduce steps, I just pick the usefull part
the actually failed command is:
glib-compile-resources --sourcedir=/mnt/ubuntu2204/build/tmp-glibc/work/x86_64-linux/gdk-pixbuf-native/2.42.8-r0/gdk-pixbuf-2.42.8/tests --source ../gdk-pixbuf-2.42.8/tests/resources.gresource.xml tests/resources.c
While glib-compile-resources is build from glib 2.72.1
Describe the results you received:
(glib-compile-resources:19315): GLib-GObject-CRITICAL **: 08:08:56.312: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
../gdk-pixbuf-2.42.8/tests/resources.gresource.xml: Failed to close file descriptor for child process (Operation not permitted).
Describe the results you expected:
build success
Additional information you deem important (e.g. issue happens only occasionally):
Issue not happens on docker ubuntu2104 which have glibc 2.33,
close_range is added in glibc since 2.34
Output of
docker version:Output of
docker info:The text was updated successfully, but these errors were encountered: