Message ID | 20211026024929.535519-2-zohar@linux.ibm.com (mailing list archive)
---|---
State | New, archived
Series | [ima-evm-utils,1/2] switch to using crun for podman
Mimi,

On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> causing the CI testing to fail. Disable seccomp (which is not needed
> anyway, since GA uses throwable virtual environments anyway).

JFYI. We decided to update our glibc package to fall back from clone3 to
clone in case it's EPERM. So, after some time (perhaps a day) this
workaround will not be needed for ALT Linux. But this will not hurt
either and may be beneficial in the future.

Thanks,

>
> options: --security-opt seccomp=unconfined
>
> Suggested-by: Vitaly Chikunov <vt@altlinux.org>
> Acked-by: Petr Vorel <petr.vorel@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> .github/workflows/ci.yml | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml > index 0931f2487d50..ad611ad914b4 100644 > --- a/.github/workflows/ci.yml > +++ b/.github/workflows/ci.yml > @@ -103,6 +103,7 @@ jobs: > container: > image: ${{ matrix.container }} > env: ${{ matrix.env }} > + options: --security-opt seccomp=unconfined > > steps: > - name: Show OS > -- > 2.27.0
Hi Vitaly,

> Mimi,

> On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> > Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> > causing the CI testing to fail. Disable seccomp (which is not needed
> > anyway, since GA uses throwable virtual environments anyway).

> JFYI. We decided to update our glibc package to fall back from clone3 to
> clone in case it's EPERM. So, after some time (perhaps a day) this
> workaround will not be needed for ALT Linux. But this will not hurt
> either and may be beneficial in the future.
I see, 09e37c71 ("__clone_internal: fallback to clone(2)/clone2(2) if
clone3(2) fails with EPERM") [1]. Interesting.

Kind regards,
Petr

[1] http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=09e37c7111e39b7c70846aea30941c03c43e6f54
Hi,

On Tue, Oct 26, 2021 at 05:30:54PM +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Mon, Oct 25, 2021 at 10:49:29PM -0400, Mimi Zohar wrote:
> > Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
> > causing the CI testing to fail. Disable seccomp (which is not needed
> > anyway, since GA uses throwable virtual environments anyway).
>
> JFYI. We decided to update our glibc package to fall back from clone3 to
> clone in case it's EPERM. So, after some time (perhaps a day) this
> workaround will not be needed for ALT Linux. But this will not hurt
> either and may be beneficial in the future.

Citing myself [3]:
"you must have missed the whole discussion on this subject [1][2],
the consensus was that problematic container runtimes need to be fixed
to make their seccomp filters return ENOSYS for unknown syscalls.

[1] https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html
[2] https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/T/#u
"

That discussion was about a different syscall, but the problem is
essentially the same, and all who commented on the subject more or less
vehemently rejected the idea of adding this kind of hack into glibc.

Therefore, I think that change in ALT glibc has to be reconsidered,
and problematic container runtimes have to be fixed instead.

[3] https://sourceware.org/pipermail/libc-alpha/2021-February/123008.html
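The mechanism the three replies above are arguing about, shown as an added example that is not part of this thread, of ima-evm-utils, or of either glibc tree: glibc 2.34 issues clone3(2) first and falls back to clone(2) only when the kernel answers ENOSYS. A container seccomp profile that answers EPERM for a syscall it does not know (the behaviour of older Docker default profiles, which is what broke the CI) therefore makes every fork fail, which is why the thread's two remedies are "make the runtime return ENOSYS" versus "make glibc also fall back on EPERM". The program below installs a toy seccomp-bpf filter in a forked child that fails only clone3 with a chosen errno, probes clone3 with a zero-sized argument block (the kernel rejects that with EINVAL when the syscall exists), and applies both decision rules. The filter, the function names and the two `*_choice` rules are mine; the filter deliberately omits the `seccomp_data.arch` check a real profile performs so it builds on any Linux architecture, and the ALT rule is a paraphrase of the EPERM fallback Vitaly and Petr describe, not ALT's code.

```c
// Added example (not from the ima-evm-utils patch or any glibc): how the errno a
// seccomp filter returns for clone3 decides whether glibc's clone(2) fallback
// runs. Build: cc -o clone3probe clone3probe.c   (Linux only)
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435 /* same number on every architecture (asm-generic table) */
#endif

/* Policy the child installs before probing: none, or "clone3 fails with errno". */
enum clone3_policy { POLICY_NONE = 0, POLICY_EPERM = EPERM, POLICY_ENOSYS = ENOSYS };

/* Toy seccomp-bpf program: allow every syscall, fail clone3 with `err`.
 * Simplification (assumption of this example): a real profile first checks
 * seccomp_data.arch; it is omitted so the example builds anywhere. When filters
 * stack, e.g. inside a container that already has one, the most recently
 * installed ERRNO action is the one the probe sees. */
static int install_clone3_filter(int err)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof code / sizeof code[0]),
        .filter = code,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe clone3 the way a libc does: a zero-sized argument block is rejected by
 * the kernel with EINVAL (syscall exists), ENOSYS means it does not, and a
 * filter can substitute any errno before the kernel ever sees the call.
 * Runs in a forked child so the filter does not stick to the caller.
 * Returns the errno the probe produced, or -1 if the filter could not be set. */
int probe_clone3(enum clone3_policy policy)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (policy != POLICY_NONE && install_clone3_filter((int)policy) != 0)
            _exit(255);
        errno = 0;
        (void)syscall(__NR_clone3, NULL, 0); /* deliberately invalid arguments */
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* Upstream glibc 2.34 rule: only ENOSYS means "no clone3 here, use clone(2)";
 * any other error, EPERM included, is returned and process creation fails. */
const char *upstream_glibc_choice(int err)
{
    if (err == ENOSYS) return "clone";
    if (err == EINVAL) return "clone3"; /* probe reached kernel validation */
    return "fail";
}

/* Paraphrase of the ALT Linux variant from the thread: EPERM is treated like ENOSYS. */
const char *alt_glibc_choice(int err)
{
    if (err == ENOSYS || err == EPERM) return "clone";
    if (err == EINVAL) return "clone3";
    return "fail";
}

int main(void)
{
    static const struct { const char *name; enum clone3_policy policy; } cases[] = {
        { "no filter",     POLICY_NONE },
        { "EPERM filter",  POLICY_EPERM },
        { "ENOSYS filter", POLICY_ENOSYS },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = probe_clone3(cases[i].policy);
        printf("%-14s clone3 probe -> %-28s upstream glibc: %-6s ALT glibc: %s\n",
               cases[i].name, err < 0 ? "(filter setup failed)" : strerror(err),
               upstream_glibc_choice(err), alt_glibc_choice(err));
    }
    return 0;
}
```

Running it on a host or in a runtime whose profile returns ENOSYS for unknown syscalls, the "no filter" row reports EINVAL (or ENOSYS on a pre-5.3 kernel) and both rules pick a working call; the "EPERM filter" row is the CI failure in the commit message, where only the ALT rule survives. The `--security-opt seccomp=unconfined` workaround in the patch removes the filter entirely, which is the third way out, at the cost of the whole default profile rather than one syscall.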
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0931f2487d50..ad611ad914b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -103,6 +103,7 @@ jobs: container: image: ${{ matrix.container }} env: ${{ matrix.env }} + options: --security-opt seccomp=unconfined steps: - name: Show OS
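Review bot: the `options: --security-opt seccomp=unconfined` line under `container:` drops the default seccomp profile for every image in the matrix, while the commit message names only opensuse/tumbleweed and Alt Linux (glibc-2.34) as failing; consider carrying the option per matrix entry (alongside `matrix.container` and `matrix.env`) so the other distributions keep the default profile, and add a YAML comment beside the line naming the glibc-2.34/clone3 EPERM cause so the workaround can be dropped once the affected runtimes return ENOSYS.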