Code with Eio.Process.spawn fails with “clone3 not implemented”

[smondet]

It's a case of “it works on my laptop but fails in the CI (AWS + Docker)” ;)

In the container all calls fail with:

Unix-error: Function not implemented (function: "clone3", argument: "")

This is the host's info:

$ uname -a
Linux 770143d8f119 5.15.0-1031-aws #35-Ubuntu SMP Fri Feb 10 02:07:18 UTC 2023 x86_64 GNU/Linux

If I replace Eio_main with Eio_posix it seems to work.

[talex5]

Looks like Docker's default security policy blocks it. I guess we'll need to add a work-around for this.

[avsm]

What version of docker is that, @smondet?

[smondet]

It's what apt gives me in the default Ubuntu 22.04 LTS image in EC2's “click yes almost everywhere” console :)

$ docker --version
Docker version 20.10.21, build 20.10.21-0ubuntu1~22.04.3

[talex5]

It looks like Docker's "fix" for clone3 support (in https://github.com/moby/moby/pull/42836/files) was actually just changing the return value from EPERM to ENOSYS.

[avsm]

https://github.com/moby/moby/pull/42681#issuecomment-916325271 explains the reasoning behind this decision more. I guess we also need to fallback to clone, but consider what usecases are only possible with clone3 in order to consider a future case to opening up the 'docker syscall firewall'.