Closed mtelvers closed 1 month ago
Celebrations may be premature as Docker BuildKit ignores the seccomp profile set on the daemon and instead uses the default profile at all times. Running the steps manually via `docker run` now works, but `docker build .` does not, unless we run `BUILDKIT=0 docker build .`.
We happened to talk through this just now. Sharing the upshot, mostly just notes on stuff @mtelvers explained to me:

Along the way we also looked at `Dockerfile_opam.Distro.distro_arched` and concluded that this is definitely not the place to remove support for riscv (if we need to), because -- in our reading -- the intended semantics of that function is based on the architectures supported by the distro, without regard to the particular build of docker you happen to be running to build. So if (2) proves necessary, we will filter out the architecture in the build pipeline.
Docker's default build, `make build`, uses Docker and does not support RISCV. However, scripts are provided to build Docker from scratch. In a minimal set of steps:

```sh
apt install golang
git clone https://github.com/moby/moby
cd moby
AUTO_GOPATH=1 ./hack/make.sh binary
mv bundles/binary-daemon/* /usr/bin/
service docker restart
```
Upgrade libseccomp2 >= 2.5.5 and upgrade Docker >= 25.0.3
On POWER9 and RISCV, we are unable to extract files from a tar file when using Ubuntu Noble. Running the same commands using `ubuntu:jammy` works fine. This issue prevents the merging of https://github.com/ocurrent/docker-base-images/pull/275, and the RISCV64 image builder here: https://github.com/mtelvers/docker-base-images/pull/1.

Running `strace` shows the issue. The relevant part of the output shows `fchmodat2` returned `EPERM`.

If you run `strace` without Docker you see a different behaviour:

The problem can be attributed to Docker's seccomp profile. A quick workaround is to invoke Docker without a seccomp profile. Like this: `docker run --rm -it --security-opt seccomp=unconfined ubuntu:noble`. With no profile, `fchmodat2` returns `ENOSYS` and tar works correctly.

Armed with this investigation there are lots of related posts

Ultimately, the comment from here and the reply, give us a solution.

Viz., the developers have resolved the problem with the release of `libseccomp` v2.5.5 and Docker 25.0.3+. However, on Ubuntu Noble, we have the right version of `libseccomp`, 2.5.5-1ubuntu3, but only Docker 24.0.7-0ubuntu4. We need to run Docker 24.0.7 with the updated seccomp profile from Docker 25.0.3:
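As an added example (my own code, not from this issue thread or the docker-base-images project), a small Python diagnostic that covers both halves of the problem described above. It issues the raw `fchmodat2` syscall on a temporary file and classifies the result the way the thread observes tar behaving (`ENOSYS` lets tar fall back and succeed, `EPERM` from a seccomp profile makes it fail), and it evaluates a Docker-style seccomp profile JSON to report which action a named syscall would get, before and after `fchmodat2` is added to the allow list. Assumptions: syscall number 452 is the Linux number for `fchmodat2` and is taken to be the same on every architecture; the profile in the block is a constructed miniature of Docker's default profile, not the real one; and the matcher ignores the per-rule `includes`/`excludes` filters a real profile carries.

```python
"""Diagnose the fchmodat2 / seccomp interaction from the issue above.

Added example (not code from the issue thread or the docker-base-images
project). Two independent checks:

  1. probe_fchmodat2(): issue the raw fchmodat2 syscall on a temporary file
     and classify the outcome. ENOSYS is the "kernel or sandbox does not know
     the call" answer that lets tar fall back to fchmodat; EPERM is what a
     seccomp profile whose default action is SCMP_ACT_ERRNO(EPERM) returns
     for an unlisted syscall, and that is what breaks tar.
  2. profile_verdict(): evaluate a Docker-style seccomp profile (JSON) and
     report the action a named syscall would receive.
"""
import ctypes
import errno
import json
import sys
import tempfile

# Linux syscall number for fchmodat2 (added in kernel 6.6). Assumption: it is
# the same on every architecture, as for syscalls added since the unified
# syscall table, so this holds on x86_64, aarch64, ppc64le and riscv64.
SYS_FCHMODAT2 = 452
AT_FDCWD = -100


def classify(ret: int, err: int) -> str:
    """Map a raw syscall result to the outcome tar would see (Linux errno values)."""
    if ret == 0:
        return "ok"          # kernel knows fchmodat2 and seccomp allowed it
    if err == errno.ENOSYS:
        return "enosys"      # unknown to kernel/sandbox: tar falls back, works
    if err == errno.EPERM:
        return "eperm"       # seccomp SCMP_ACT_ERRNO default: tar fails
    return f"errno:{err}"


def probe_fchmodat2() -> str:
    """Call fchmodat2 on a temp file we own and classify the result."""
    if not sys.platform.startswith("linux"):
        return "unsupported"
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    with tempfile.NamedTemporaryFile() as tmp:
        ret = libc.syscall(SYS_FCHMODAT2, AT_FDCWD, tmp.name.encode(), 0o600, 0)
        err = ctypes.get_errno()
    return classify(ret, err)


# Constructed miniature of Docker's default seccomp profile (the real one lists
# a few hundred syscalls and adds per-rule includes/excludes, ignored here).
PROFILE_WITHOUT_FCHMODAT2 = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM for anything not listed below
    "syscalls": [
        {"names": ["fchmodat", "openat", "read", "write"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def profile_verdict(profile: dict, name: str) -> str:
    """Return the action a Docker-style profile applies to syscall `name`.

    Rules match by syscall name, which is why a libseccomp that does not know
    the name (older than 2.5.5 for fchmodat2) cannot allow it at all.
    """
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []):
            if rule["action"] == "SCMP_ACT_ERRNO":
                return "SCMP_ACT_ERRNO(%s)" % errno.errorcode[rule.get("errnoRet", 1)]
            return rule["action"]
    default = profile.get("defaultAction", "SCMP_ACT_KILL")
    if default == "SCMP_ACT_ERRNO":
        return "SCMP_ACT_ERRNO(%s)" % errno.errorcode[profile.get("defaultErrnoRet", 1)]
    return default


def allow_syscall(profile: dict, name: str) -> dict:
    """Return a copy of `profile` with an extra ALLOW rule for `name`."""
    fixed = json.loads(json.dumps(profile))  # deep copy via JSON round-trip
    fixed["syscalls"].append({"names": [name], "action": "SCMP_ACT_ALLOW"})
    return fixed


if __name__ == "__main__":
    print("live fchmodat2 probe:", probe_fchmodat2())
    fixed_profile = allow_syscall(PROFILE_WITHOUT_FCHMODAT2, "fchmodat2")
    for label, prof in (("profile without fchmodat2", PROFILE_WITHOUT_FCHMODAT2),
                        ("profile with fchmodat2 allowed", fixed_profile)):
        print(f"{label}: fchmodat2 -> {profile_verdict(prof, 'fchmodat2')}")
```

Run it inside the container whose tar is failing and then again with `--security-opt seccomp=unconfined`: the probe should move from `eperm` to `enosys` (or `ok` on a kernel that has the call), which is the same shift the `strace` output in the thread shows. To check a real profile before loading it into the 24.0.7 daemon, replace the constructed dictionary with `json.load()` of the profile file and ask `profile_verdict(profile, "fchmodat2")`; anything other than `SCMP_ACT_ALLOW` means tar will still fail.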