From: "Dmitry V. Levin" <ldv@altlinux.org>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org,
	Petr Vorel <petr.vorel@gmail.com>,
	Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
Subject: Re: [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail
Date: Mon, 1 Nov 2021 09:13:30 +0300	[thread overview]
Message-ID: <20211101061330.GA15373@altlinux.org> (raw)
In-Reply-To: <20211026143054.7khp5jxcyn2fzira@altlinux.org>

Hi,

On Tue, Oct 26, 2021 at 05:30:54PM +0300, Vitaly Chikunov wrote:
> Mimi,
> 
> On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> > Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> > causing the CI testing to fail.  Disable seccomp (which is not needed
> > anyway, since GA uses throwable virtual environments anyway).
> 
> JFYI. We decided to update our glibc package to fall back from clone3 to
> clone in case it's EPERM. So, after some time (perhaps a day) this
> workaround will not be needed for ALT Linux. But this will not hurt
> either and may be beneficial in the future.

Citing myself [3]:

"you must have missed the whole discussion on this subject [1][2],
the consensus was that problematic container runtimes need to be fixed
to make their seccomp filters return ENOSYS for unknown syscalls.

[1] https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html
[2] https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/T/#u
"
 
That discussion was about a different syscall, but the problem is
essentially the same, and all who commented on the subject more or less
vehemently rejected the idea of adding this kind of hack into glibc.
Therefore, I think that change in ALT glibc has to be reconsidered,
and problematic container runtimes have to be fixed instead.
  
[3] https://sourceware.org/pipermail/libc-alpha/2021-February/123008.html


-- 
ldv
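The fix the message asks for on the runtime side, shown as an added example that is not part of this thread, of glibc, or of any container runtime's code: a seccomp-BPF filter whose default for syscall numbers above the runtime's table is ENOSYS rather than EPERM, so that a libc which probes clone3 and falls back to clone on ENOSYS keeps working. The filter is evaluated by a small userspace interpreter (an assumption of this example; it covers only the BPF instruction classes the filter uses) instead of being installed, so the decisions can be checked offline. The "runtime's table predates clone3" cut-off (`KNOWN_SYSCALL_MAX`), the simulated architecture constant and the fallback value for `__NR_clone3` are constructed assumptions, and `spawn_strategy` models the ENOSYS-only fallback described in the thread.

```c
/* Added example (not from the thread): a runtime-style seccomp filter that
 * answers unknown syscall numbers with a configurable errno, evaluated by a
 * minimal userspace BPF interpreter so nothing is installed in this process. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435               /* assumption: generic/x86_64 number */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif

/* Assumption: the runtime's syscall table was generated before clone3 existed. */
#define KNOWN_SYSCALL_MAX (__NR_clone3 - 1)
/* Architecture the simulated seccomp_data claims; a real install must use
 * the AUDIT_ARCH_* value of the machine it runs on. */
#define FILTER_ARCH AUDIT_ARCH_X86_64
enum { FILTER_MAX_LEN = 8 };

/* Build the filter: wrong arch -> kill; nr above the table -> unknown_errno
 * (EPERM in the broken runtimes, ENOSYS in the fixed ones); else allow. */
static size_t build_filter(struct sock_filter *out, int unknown_errno)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, KNOWN_SYSCALL_MAX, 0, 1),
        BPF_STMT(BPF_RET | BPF_K,
                 SECCOMP_RET_ERRNO | ((uint32_t)unknown_errno & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* Minimal classic-BPF interpreter: absolute 32-bit loads from seccomp_data,
 * conditional jumps on the accumulator, and constant returns. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (BPF_CLASS(ins->code)) {
        case BPF_LD:
            memcpy(&acc, (const unsigned char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP: {
            int take;
            switch (BPF_OP(ins->code)) {
            case BPF_JEQ:  take = acc == ins->k;        break;
            case BPF_JGT:  take = acc >  ins->k;        break;
            case BPF_JGE:  take = acc >= ins->k;        break;
            case BPF_JSET: take = (acc & ins->k) != 0;  break;
            default:       return SECCOMP_RET_KILL_PROCESS; /* unsupported op */
            }
            pc += take ? ins->jt : ins->jf;
            break;
        }
        case BPF_RET:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: treat as fatal */
}

/* 0 when syscall `nr` is allowed, the injected errno when it is refused,
 * -1 for any other action (kill). */
static int decide(int unknown_errno, int nr)
{
    struct sock_filter prog[FILTER_MAX_LEN];
    size_t len = build_filter(prog, unknown_errno);
    struct seccomp_data data = { .nr = nr, .arch = FILTER_ARCH };
    uint32_t ret = run_filter(prog, len, &data);
    if ((ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ERRNO)
        return (int)(ret & SECCOMP_RET_DATA);
    return (ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ALLOW ? 0 : -1;
}

/* Models the libc probe the thread describes: use clone3 if allowed, fall
 * back to clone only on ENOSYS, and fail on any other error such as EPERM. */
static const char *spawn_strategy(int unknown_errno)
{
    int err = decide(unknown_errno, __NR_clone3);
    if (err == 0)      return "clone3";
    if (err == ENOSYS) return "clone";
    return "fail";
}
```

To actually install such a filter a runtime sets `PR_SET_NO_NEW_PRIVS` and then `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` with a `struct sock_fprog` wrapping the array; the example stops short of that on purpose so it can be run in any process. The interesting comparison is `decide(EPERM, __NR_clone3)` against `decide(ENOSYS, __NR_clone3)`: the same filter shape, but only the ENOSYS variant lets the clone fallback happen.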

Thread overview: 7+ messages
2021-10-26  2:49 [PATCH ima-evm-utils 1/2] switch to using crun for podman Mimi Zohar
2021-10-26  2:49 ` [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail Mimi Zohar
2021-10-26 14:30   ` Vitaly Chikunov
2021-10-26 22:07     ` Petr Vorel
2021-11-01  6:13     ` Dmitry V. Levin [this message]
2021-10-26 12:12 ` [PATCH ima-evm-utils 1/2] switch to using crun for podman Petr Vorel
2021-11-01 18:39   ` Mimi Zohar