google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

runsc --platform=systrap fails with "panic: seccomp failed: invalid argument" #10633

Closed q53 closed 1 week ago

q53 commented 2 weeks ago

Description

# cat /etc/docker/daemon.json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--platform=systrap"
            ]
        },
        "runsc-ptrace": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--platform=ptrace"
            ]
        },

        "runsc-kvm": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--platform=kvm"
            ]
        },

        "runsc-debug": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--platform=systrap",
                "--debug",
                "--debug-log=/tmp/runsc-debug.log"
            ]
        }
    }
}

# runsc --version
runsc version release-20240624.0
spec: 1.1.0-rc.1

# uname -r
4.18.0-425.10.1.el8_7.x86_64

# cat /etc/redhat-release 
AlmaLinux release 8.8 (Sapphire Caracal)

# docker -D -l debug run -i --runtime runsc  --rm --name=test docker.io/library/registry:latest 
DEBU[0000] [hijack] End of stdout                       

At least release-20240305.0 is not affected. Works without issues on Rocky Linux release 9.4, kernel 5.14.0-427.13.1.el9_4.x86_64.

Steps to reproduce

docker -D -l debug run -i --runtime runsc --rm --name=test docker.io/library/registry:latest

runsc version

release-20240624.0

docker version (if using docker)

Client: Docker Engine - Community
 Version:    26.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 26.1.3
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc runsc runsc-debug runsc-kvm runsc-ptrace
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc version: v1.1.9-0-gccaecfc
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 4.18.0-425.10.1.el8_7.x86_64
 Operating System: AlmaLinux 8.8 (Sapphire Caracal)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 17.34GiB
 Name: localhost
 ID: 83a369a6-cf0a-4b50-acac-9d12021b3b66
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: dockerq53
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

uname

4.18.0-425.10.1.el8_7.x86_64 #1 SMP Thu Jan 12 10:05:00 EST 2023

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

runsc-debug.log

EtiennePerot commented 2 weeks ago

It looks like it's failing in installSeccompNotify, which uses SECCOMP_IOCTL_NOTIF_* in seccomp rules. I think this was introduced in https://github.com/google/gvisor/commit/32bbb188230a1c2926c36b681b612e12e1145701 and depends on a kernel feature that was introduced in Linux 5.0.

@avagin, should this either have fallback code for older kernels, or should Systrap explicitly drop support for old kernels? (Linux 5.0 is more than a half-decade old.)
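
To make the kernel dependency described above concrete, here is a small probe, added for this page and not part of gVisor, that asks the running kernel whether it accepts SECCOMP_FILTER_FLAG_NEW_LISTENER (the Linux 5.0 seccomp user-notification feature that the SECCOMP_IOCTL_NOTIF_* ioctls belong to) and classifies the EINVAL from the panic in this issue as "kernel too old". The enum, the function names and the header-fallback constants are this example's own assumptions; it forks so that the calling process is never left with a filter installed.

```c
/* Probe for seccomp user-notification support (Linux 5.0+).
 * Added example for this page; not gVisor code. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older userspace headers (e.g. on an EL8 host) may predate these symbols;
 * the fallback values are the kernel's own. SECCOMP_FILTER_FLAG_NEW_LISTENER
 * arrived in Linux 5.0 with SECCOMP_RET_USER_NOTIF and SECCOMP_IOCTL_NOTIF_*. */
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef SYS_seccomp
#if defined(__x86_64__)
#define SYS_seccomp 317 /* x86_64 syscall number, the arch in this issue */
#else
#error "SYS_seccomp is not defined for this architecture"
#endif
#endif

/* Assumed classification for this example. */
enum notify_support {
    NOTIFY_SUPPORTED = 0,      /* seccomp(2) accepted NEW_LISTENER */
    NOTIFY_KERNEL_TOO_OLD = 1, /* EINVAL: kernel predates user notification */
    NOTIFY_UNAVAILABLE = 2,    /* seccomp(2) itself failed for another reason */
};

/* EINVAL ("invalid argument", as in the runsc panic) is what a pre-5.0
 * kernel returns for a seccomp(2) flag it does not know. Anything else
 * (EPERM, ENOSYS, EBUSY from an existing listener, ...) is not a version
 * question and is reported separately. */
int classify_seccomp_errno(int err)
{
    if (err == EINVAL)
        return NOTIFY_KERNEL_TOO_OLD;
    return NOTIFY_UNAVAILABLE;
}

const char *notify_support_name(int r)
{
    switch (r) {
    case NOTIFY_SUPPORTED:
        return "seccomp user notification supported";
    case NOTIFY_KERNEL_TOO_OLD:
        return "kernel rejects SECCOMP_FILTER_FLAG_NEW_LISTENER (EINVAL): needs Linux 5.0+";
    default:
        return "seccomp(2) unavailable here (blocked, unprivileged, or a listener already exists)";
    }
}

/* Runs in the forked child: install a one-instruction allow-all filter with
 * NEW_LISTENER. The filter itself changes nothing; only the flag is probed.
 * The child's exit status carries the result back to the parent. */
static int probe_in_child(void)
{
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(allow_all) / sizeof(allow_all[0]),
        .filter = allow_all,
    };
    /* Required for an unprivileged process to install a filter at all. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return NOTIFY_UNAVAILABLE;
    long fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                      SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (fd < 0)
        return classify_seccomp_errno(errno);
    close((int)fd); /* the notification fd; we only needed to know it exists */
    return NOTIFY_SUPPORTED;
}

/* Fork so the caller never ends up with a filter (or no_new_privs) set. */
int probe_seccomp_notify(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return NOTIFY_UNAVAILABLE;
    if (pid == 0)
        _exit(probe_in_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NOTIFY_UNAVAILABLE;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_seccomp_notify();
    printf("%s\n", notify_support_name(r));
    return r == NOTIFY_SUPPORTED ? 0 : 1;
}
```

Build with `cc -o seccomp-notify-probe seccomp-notify-probe.c` and run it on the host before choosing `--platform=systrap`; on the 4.18 EL8 kernel in this report the expectation is the EINVAL branch, on the 5.14 EL9 kernel the supported one. This is the kind of check a fallback path in runsc would perform instead of panicking.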

avagin commented 1 week ago

@q53 The fix has been committed. Could you verify that it works in your environment?

q53 commented 1 week ago

@avagin Looks like it works.