bencawkwell / dockerfile-dwarffortress

Dwarf Fortress in a container
The Unlicense

setarch: i386: Unrecognized architecture #4

Closed jackusm closed 7 years ago

jackusm commented 7 years ago

Trying to run the container, I get this error and it exits.

jackusm commented 7 years ago

Not sure if there's a 'proper' way to have this work but adding --security-opt=seccomp=unconfined to the docker command works.

bencawkwell commented 7 years ago

Thanks for reporting this, and adding a temporary workaround. Can you please just confirm which version of docker you are using, and if you made any changes to the Dockerfile?

jackusm commented 7 years ago

I set it to use XPRA and GITWATCH; other than that, no changes. Docker version 1.12.6, build 78d18021ec

bencawkwell commented 7 years ago

So I have done some research, and discovered that there is something called Seccomp security profiles for Docker (https://docs.docker.com/engine/security/seccomp/). The reason I am unable to reproduce this issue myself is because I run a build of docker that most probably was not built with seccomp.

I discovered this from http://www.bay12forums.com/smf/index.php?topic=145944.245;wap2, which mentions that "personality" is one of the system calls being blocked by default. This page also mentions the same workaround, to add --security-opt=seccomp=unconfined to the docker command.

Right now I can think of two choices:

  1. Document this workaround with an explanation in the README.
  2. Provide my own seccomp profile, based on https://github.com/docker/docker/blob/master/profiles/seccomp/default.json but with changes that permit the system calls required.

Looking at other projects that have run into a similar issue (https://github.com/jlund/docker-chrome-pulseaudio/issues/8, and https://github.com/solita/docker-systemd) we see one of the above choices being used.

Option number 2 to me does not sound feasible in the long term, so for now I think the best option is to document the workaround. Hopefully as this feature becomes more common a better method to enable certain system calls for Dockerfiles turns up.
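Added example, not part of the dockerfile-dwarffortress project or this thread: a small script that derives a custom seccomp profile (option 2 above) from a base profile, adding an allow rule only for the `personality` syscall instead of dropping all filtering with `seccomp=unconfined`. The `BASE_PROFILE` is a constructed, heavily trimmed stand-in for Docker's `profiles/seccomp/default.json`; the field names (`defaultAction`, `syscalls`, `names`, `action`, `args`) follow the Docker profile format, but the real file lists many more syscalls and, for `personality`, already carries argument-restricted rules, so compare against the real file before relying on the derived profile. The output file name is an assumption.

```python
"""Derive a seccomp profile that permits the `personality` syscall.

Added example (not project code). BASE_PROFILE is a constructed,
trimmed stand-in for Docker's default.json.
"""
import copy
import json

BASE_PROFILE = {
    # Everything not explicitly allowed fails with EPERM; this is what
    # makes `setarch i386` (which calls personality(2)) fail in the container.
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}


def allowed_syscalls(profile):
    """Return the set of syscall names with an unconditional allow rule."""
    return {
        name
        for rule in profile["syscalls"]
        if rule["action"] == "SCMP_ACT_ALLOW" and not rule.get("args")
        for name in rule["names"]
    }


def permit_syscalls(profile, names):
    """Return a deep copy of `profile` that unconditionally allows `names`.

    Only the syscalls that are not already allowed get a new rule, so the
    function is idempotent and the base profile is never mutated. The
    default action is deliberately left as-is: the point of a custom
    profile is to open one hole, not to become `unconfined`.
    """
    derived = copy.deepcopy(profile)
    missing = [n for n in names if n not in allowed_syscalls(derived)]
    if missing:
        derived["syscalls"].append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return derived


def is_still_filtering(profile):
    """Sanity check: the profile still denies by default."""
    return profile["defaultAction"] != "SCMP_ACT_ALLOW"


def to_json(profile):
    """Serialise the profile the way Docker expects to read it."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    derived = permit_syscalls(BASE_PROFILE, ["personality"])
    assert is_still_filtering(derived)
    # Assumed output file name; pass it to docker with
    #   docker run --security-opt seccomp=./dwarffortress-seccomp.json ...
    with open("dwarffortress-seccomp.json", "w") as fh:
        fh.write(to_json(derived))
    print("allowed:", sorted(allowed_syscalls(derived)))
```

Applied to the real `default.json`, the same `permit_syscalls` call appends one allow rule and leaves every other rule and the `SCMP_ACT_ERRNO` default untouched, which is the least-privilege alternative to the `--security-opt=seccomp=unconfined` workaround above.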