The s390x architecture requires an extra seccomp masked_eq rule to allow clone syscalls. This rule is present in cri-o's default configuration, but is missing in the configuration generated by opencontainers/runtime-tools. This causes syscalls to clone to be rejected by seccomp in cri-o subsystems which utilize this generated seccomp profile.
This issue affects the ose-pod container in openshift. When cri-o tries to instantiate /usr/bin/pod on s390x during the openshift bootstrap, there is a clone syscall in the golang runtime startup which fails with a Permission Denied error. This prevents containers from being instantiated by the bootstrap kubelet, causing the openshift bootstrap to fail.
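One way to check a generated profile for the missing rule before it reaches an s390x node, as an added example (not code from cri-o or opencontainers/runtime-tools). It assumes a default-deny profile in the OCI `linux.seccomp` JSON layout and that the s390x rule is a `SCMP_CMP_MASKED_EQ` test on argument 1 of `clone`; the function name, the sample profiles and the mask value are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type profile struct { // subset of the OCI linux.seccomp schema
	Syscalls []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
		Args   []struct {
			Index uint   `json:"index"`
			Op    string `json:"op"`
		} `json:"args"`
	} `json:"syscalls"`
}

// Constructed one-rule samples; the mask value and argument indexes are assumptions.
const rulePrefix = `{"syscalls":[{"names":["clone"],"action":"SCMP_ACT_ALLOW","args":[{"op":"SCMP_CMP_MASKED_EQ","value":2114060288,`
const generated = rulePrefix + `"index":0}]}]}`     // flags test on arg 0 only
const withS390xRule = rulePrefix + `"index":1}]}]}` // extra rule: flags test on arg 1

// cloneAllowedOnS390x: true if clone has an unconditional allow rule or a masked_eq test on arg 1.
func cloneAllowedOnS390x(raw string) (bool, error) {
	var p profile
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return false, err
	}
	for _, r := range p.Syscalls {
		for _, n := range r.Names {
			match := len(r.Args) == 0 // no argument filter at all
			for _, a := range r.Args {
				match = match || (a.Op == "SCMP_CMP_MASKED_EQ" && a.Index == 1)
			}
			if match && n == "clone" && r.Action == "SCMP_ACT_ALLOW" {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	fmt.Println(cloneAllowedOnS390x(generated))
	fmt.Println(cloneAllowedOnS390x(withS390xRule))
}
```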