"operation not permitted", a `libseccomp` story

This issue is to show example errors that happen when dockerd¹ and/or libseccomp[2]² are not up-to-date when using images based on a newer Linux distribution release.

TL;DR: libseccomp lets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known to libseccomp or docker are blocked³).

verify that it is libseccomp by running the image with --security-opt seccomp=unconfined
- use this only as a test; it is less secure to keep running them "unconfined"
- learn more: https://docs.docker.com/engine/security/seccomp/
one fix:
- update libseccomp and docker on the host running the containers
one workaround:
- switch to an older image:
  
  Many Docker Official Images have tags that reference the Linux distribution and some DOI support two concurrently. Check their Docker Hub description to see which tags are currently maintained.
  
  for example, if 16 started failing when it moved to Debian Bookworm, then 16-bullseye is a valid workaround until the host can be updated. And similar for 16-alpine and 16-alpine3.19.

One example is that, on some platforms, tar -xzf file.tar.gz uses fchmodat2 in Alpine 3.20 and fails. This syscall isn't in Docker's seccomp profile until Docker 26.0.0, 25.0.3, 24.0.10, and 23.0.10 (see https://github.com/moby/moby/pull/47341 and linked backports).

example:

+ wget -O memcached.tar.gz [https://memcached.org/files/memcached-1.6.27.tar.gz](https://memcached.org/files/memcached-1.6.27.tar.gz)
Connecting to memcached.org (107.170.231.145:443)
saving to 'memcached.tar.gz'
memcached.tar.gz     100% |********************************| 1161k  0:00:00 ETA
'memcached.tar.gz' saved
+ echo 'baf2e7494e1f62d275ff29a99f270abbdb923f75  memcached.tar.gz'
+ sha1sum -c -
memcached.tar.gz: OK
+ mkdir -p /usr/src/memcached
+ tar -xzf memcached.tar.gz -C /usr/src/memcached '--strip-components=1'
tar: t/sasl: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: t/lib: Cannot change mode to rwxr-xr-x: Operation not permitted
tar: t: Cannot change mode to rwxr-xr-x: Operation not permitted
tar: m4: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: doc/xml2rfc: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: doc: Cannot change mode to rwxr-xr-x: Operation not permitted
...

other issues that are also a libseccomp denial:

related moby (docker) issue:

https://github.com/moby/moby/issues/40734

¹ runc and containerd should be up-to-date as well but are usually included as a dependency when updating Docker (engine)

² might even require a newer libseccomp[2] package than your distribution/release currently includes, such as needing 2.5.5+ for fchmodat2 (https://github.com/docker-library/official-images/issues/16830#issuecomment-2130971029, https://bugs.debian.org/1071822)

³ newer versions of docker and dependencies are being improved to block known syscalls (EPERM), but newer syscalls should get ENOSYS: https://github.com/moby/moby/issues/42871

docker-library / official-images

"operation not permitted", a `libseccomp` story #16829