* [PATCH ima-evm-utils 1/2] switch to using crun for podman
@ 2021-10-26 2:49 Mimi Zohar
2021-10-26 2:49 ` [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail Mimi Zohar
2021-10-26 12:12 ` [PATCH ima-evm-utils 1/2] switch to using crun for podman Petr Vorel
0 siblings, 2 replies; 7+ messages in thread
From: Mimi Zohar @ 2021-10-26 2:49 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov
Fix for:
"container_linux.go:367: starting container process caused: error
adding seccomp filter rule for syscall bdflush: permission denied":
OCI permission denied"
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.travis.yml | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 9d56c963ee03..ba652ceb32bc 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -32,7 +32,7 @@ matrix:
# glibc (gcc/clang)
- os: linux
- env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/runc --network=host" COMPILE_SSL=openssl-3.0.0-beta1
+ env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host" COMPILE_SSL=openssl-3.0.0-beta1
compiler: clang
- os: linux
@@ -72,7 +72,8 @@ matrix:
compiler: gcc
before_install:
- # Tumbleweed requires podman and newest runc due docker incompatible with glibc 2.33 (faccessat2)
+ # Tumbleweed requires podman due docker incompatible with glibc 2.33
+ # (faccessat2) and crun (for clone3).
- CONTAINER="${CONTAINER:-docker}"
- >
if [ "$CONTAINER" = "podman" ]; then
@@ -81,11 +82,7 @@ before_install:
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
sudo apt update
- sudo apt -y install podman slirp4netns
-
- # runc
- sudo curl -L https://github.com/opencontainers/runc/releases/download/v1.0.0-rc93/runc.amd64 -o /usr/bin/runc
- sudo chmod +x /usr/bin/runc
+ sudo apt -y install podman slirp4netns crun
fi
- $CONTAINER info
--
2.27.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail
2021-10-26 2:49 [PATCH ima-evm-utils 1/2] switch to using crun for podman Mimi Zohar
@ 2021-10-26 2:49 ` Mimi Zohar
2021-10-26 14:30 ` Vitaly Chikunov
2021-10-26 12:12 ` [PATCH ima-evm-utils 1/2] switch to using crun for podman Petr Vorel
1 sibling, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2021-10-26 2:49 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov
Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
causing the CI testing to fail. Disable seccomp (which is not needed
anyway, since GA uses throwable virtual environments anyway).
options: --security-opt seccomp=unconfined
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
.github/workflows/ci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0931f2487d50..ad611ad914b4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,6 +103,7 @@ jobs:
container:
image: ${{ matrix.container }}
env: ${{ matrix.env }}
+ options: --security-opt seccomp=unconfined
steps:
- name: Show OS
--
2.27.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail
2021-10-26 2:49 ` [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail Mimi Zohar
@ 2021-10-26 14:30 ` Vitaly Chikunov
2021-10-26 22:07 ` Petr Vorel
2021-11-01 6:13 ` Dmitry V. Levin
0 siblings, 2 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2021-10-26 14:30 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity
Cc: Petr Vorel, Gleb Fotengauer-Malinovskiy, Dmitry V. Levin
Mimi,
On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> causing the CI testing to fail. Disable seccomp (which is not needed
> anyway, since GA uses throwable virtual environments anyway).
JFYI. We decided to update our glibc package to fall-back from clone3 to
clone in case it's EPERM. So, after some time (perhaps a day) this
workaround will not be needed for ALT Linux. But this will not hurts
either and may be beneficial in the future.
Thanks,
>
> options: --security-opt seccomp=unconfined
>
> Suggested-by: Vitaly Chikunov <vt@altlinux.org>
> Acked-by: Petr Vorel <petr.vorel@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> .github/workflows/ci.yml | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
> index 0931f2487d50..ad611ad914b4 100644
> --- a/.github/workflows/ci.yml
> +++ b/.github/workflows/ci.yml
> @@ -103,6 +103,7 @@ jobs:
> container:
> image: ${{ matrix.container }}
> env: ${{ matrix.env }}
> + options: --security-opt seccomp=unconfined
>
> steps:
> - name: Show OS
> --
> 2.27.0
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail
2021-10-26 14:30 ` Vitaly Chikunov
@ 2021-10-26 22:07 ` Petr Vorel
2021-11-01 6:13 ` Dmitry V. Levin
1 sibling, 0 replies; 7+ messages in thread
From: Petr Vorel @ 2021-10-26 22:07 UTC (permalink / raw)
To: Vitaly Chikunov
Cc: Mimi Zohar, linux-integrity, Gleb Fotengauer-Malinovskiy,
Dmitry V. Levin
Hi Vitaly,
> Mimi,
> On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> > Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> > causing the CI testing to fail. Disable seccomp (which is not needed
> > anyway, since GA uses throwable virtual environments anyway).
> JFYI. We decided to update our glibc package to fall-back from clone3 to
> clone in case it's EPERM. So, after some time (perhaps a day) this
> workaround will not be needed for ALT Linux. But this will not hurts
> either and may be beneficial in the future.
I see, 09e37c71 ("__clone_internal: fallback to clone(2)/clone2(2) if clone3(2)
fails with EPERM" [1]. Interesting.
Kind regards,
Petr
[1] http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=09e37c7111e39b7c70846aea30941c03c43e6f54
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail
2021-10-26 14:30 ` Vitaly Chikunov
2021-10-26 22:07 ` Petr Vorel
@ 2021-11-01 6:13 ` Dmitry V. Levin
1 sibling, 0 replies; 7+ messages in thread
From: Dmitry V. Levin @ 2021-11-01 6:13 UTC (permalink / raw)
To: Vitaly Chikunov
Cc: Mimi Zohar, linux-integrity, Petr Vorel, Gleb Fotengauer-Malinovskiy
Hi,
On Tue, Oct 26, 2021 at 05:30:54PM +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> > Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> > causing the CI testing to fail. Disable seccomp (which is not needed
> > anyway, since GA uses throwable virtual environments anyway).
>
> JFYI. We decided to update our glibc package to fall-back from clone3 to
> clone in case it's EPERM. So, after some time (perhaps a day) this
> workaround will not be needed for ALT Linux. But this will not hurts
> either and may be beneficial in the future.
Citing myself [3]:
"you must have missed the whole discussion on this subject [1][2],
the consensus was that problematic container runtimes need to be fixed
to make their seccomp filters return ENOSYS for unknown syscalls.
[1] https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html
[2] https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/T/#u
"
That discussion was about a different syscall, but the problem is
essentially the same, and all who commented on the subject more or less
vehemently rejected the idea of adding this kind of hacks into glibc.
Therefore, I think that change in ALT glibc has to be reconsidered,
and problematic container runtimes have to be fixed instead.
[3] https://sourceware.org/pipermail/libc-alpha/2021-February/123008.html
--
ldv
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ima-evm-utils 1/2] switch to using crun for podman
2021-10-26 2:49 [PATCH ima-evm-utils 1/2] switch to using crun for podman Mimi Zohar
2021-10-26 2:49 ` [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail Mimi Zohar
@ 2021-10-26 12:12 ` Petr Vorel
2021-11-01 18:39 ` Mimi Zohar
1 sibling, 1 reply; 7+ messages in thread
From: Petr Vorel @ 2021-10-26 12:12 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity, Vitaly Chikunov
Hi Mimi,
> Fix for:
> "container_linux.go:367: starting container process caused: error
> adding seccomp filter rule for syscall bdflush: permission denied":
> OCI permission denied"
I was surprised crun is updated but runc not, but LGTM.
It'd be nice if somebody test it with public travis (I no longer have access).
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
IMHO from a long term perspective it'd be nice to create GitHub Actions profile
(but that's not related to this patchset).
Kind regards,
Petr
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ima-evm-utils 1/2] switch to using crun for podman
2021-10-26 12:12 ` [PATCH ima-evm-utils 1/2] switch to using crun for podman Petr Vorel
@ 2021-11-01 18:39 ` Mimi Zohar
0 siblings, 0 replies; 7+ messages in thread
From: Mimi Zohar @ 2021-11-01 18:39 UTC (permalink / raw)
To: Petr Vorel; +Cc: linux-integrity, Vitaly Chikunov
Hi Petr,
On Tue, 2021-10-26 at 14:12 +0200, Petr Vorel wrote:
> Hi Mimi,
>
> > Fix for:
>
> > "container_linux.go:367: starting container process caused: error
> > adding seccomp filter rule for syscall bdflush: permission denied":
> > OCI permission denied"
>
> I was surprised crun is updated but runc not, but LGTM.
> It'd be nice if somebody test it with public travis (I no longer have access).
Stefan tested on the public travis, which resulted in updating Alpine,
Fedora, and Alt to use podman and crun. Other than the alt:sisyphus
image prompt, the tests all pass. I assume this is intermittent.
Please select an image:
▸ docker.io/library/alt:sisyphus
quay.io/alt:sisyphus
>
> Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
thanks!
Mimi
>
> IMHO from a long term perspective it'd be nice to create GitHub Actions profile
> (but that's not related to this patchset).
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-11-01 18:39 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-26 2:49 [PATCH ima-evm-utils 1/2] switch to using crun for podman Mimi Zohar
2021-10-26 2:49 ` [PATCH ima-evm-utils 2/2] upgrade to glibc-2.34 uses clone3 causing CI to fail Mimi Zohar
2021-10-26 14:30 ` Vitaly Chikunov
2021-10-26 22:07 ` Petr Vorel
2021-11-01 6:13 ` Dmitry V. Levin
2021-10-26 12:12 ` [PATCH ima-evm-utils 1/2] switch to using crun for podman Petr Vorel
2021-11-01 18:39 ` Mimi Zohar
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.