rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0

seccomp: do not fail on error from seccomp_arch_add() #219

Closed AkihiroSuda closed 4 years ago

AkihiroSuda commented 4 years ago

Fix https://github.com/containers/podman/issues/6922

AkihiroSuda commented 4 years ago

@giusepe @leo-lb @twagtig PTAL (also let me know the new WARNING output result).

llebout commented 4 years ago

@AkihiroSuda How can I get an RPM to install with this new change? Is there a script?

llebout commented 4 years ago

I see this: https://github.com/containers/podman/blob/master/contrib/build_rpm.sh

I will try

AkihiroSuda commented 4 years ago

I don't know how to build RPM, but you can install slirp4netns from the source: https://github.com/rootless-containers/slirp4netns#install-from-source

AkihiroSuda commented 4 years ago

> I see this: https://github.com/containers/podman/blob/master/contrib/build_rpm.sh

This one seems to be for Podman, not for slirp4netns.

llebout commented 4 years ago

@AkihiroSuda I thought it bundled both, but probably not; you're right.

llebout commented 4 years ago

@AkihiroSuda

Works, full log:

$ podman run --log-level debug --rm -it alpine /bin/sh
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level debug --rm -it alpine /bin/sh) 
DEBU[0000] Found deprecated file /home/jdoe/.config/containers/containers.conf, please remove. Use /home/jdoe/.config/containers/containers.conf to override defaults. 
DEBU[0000] Reading configuration file "/home/jdoe/.config/containers/libpod.conf" 
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/jdoe/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files. 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] private enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] []  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true cgroupfs [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/libexec/crio/conmon /usr/local/lib/podman/conmon /usr/local/libexec/crio/conmon /usr/bin/conmon /usr/sbin/conmon /usr/lib/podman/bin/conmon /usr/lib/crio/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.1 /usr/libexec/podman/catatonit shm   false 2048 /usr/bin/crun map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /home/jdoe/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/jdoe/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Using conmon: "/usr/libexec/crio/conmon"     
DEBU[0000] Initializing boltdb state at /home/jdoe/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/jdoe/.local/share/containers/storage 
DEBU[0000] Using run root /tmp/1000                     
DEBU[0000] Using static dir /home/jdoe/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/jdoe/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/bin/runc"                
DEBU[0000] using runtime "/usr/bin/crun"                
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] using runtime "/usr/bin/crun"                
INFO[0000] Setting parallel job count to 193            
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 10 for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] created container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has work directory "/home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has run directory "/tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata" 
DEBU[0000] container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" has CgroupParent "/libpod_parent/libpod-a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] overlay: mount_data=lowerdir=/home/jdoe/.local/share/containers/storage/overlay/l/GCN4R5HA6G4EJ6W4HJTT4FRZZU,upperdir=/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/diff,workdir=/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/work,context="system_u:object_r:container_file_t:s0:c885,c964" 
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-d9783600-a7df-16c6-6886-55cc51030443 for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] mounted container "a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749" at "/home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/merged" 
DEBU[0000] slirp4netns command: /usr/local/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-d9783600-a7df-16c6-6886-55cc51030443 tap0 
DEBU[0000] Created root filesystem for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 at /home/jdoe/.local/share/containers/storage/overlay/a8115da6167bcf186bb465f2422b8036a37c67ca7fbf67b73e859b733cd55d64/merged 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret 
DEBU[0000] Setting CGroup path for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 to /libpod_parent/libpod-a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Created OCI spec for container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 at /home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/config.json 
DEBU[0000] /usr/libexec/crio/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/libexec/crio/conmon      args="[--api-version 1 -c a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 -u a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 -r /usr/bin/crun -b /home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata -p /tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/pidfile -n serene_hellman --exit-dir /run/user/1000/libpod/tmp/exits --socket-dir-path /run/user/1000/libpod/tmp/socket -l k8s-file:/home/jdoe/.local/share/containers/storage/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /tmp/1000/overlay-containers/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/jdoe/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /tmp/1000 --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --runtime --exit-command-arg /usr/bin/crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg true --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749]"
DEBU[0000] Received: 97118                              
INFO[0000] Got Conmon PID as 97114                      
DEBU[0000] Created container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 in OCI runtime 
DEBU[0000] Attaching to container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
DEBU[0000] connecting to socket /run/user/1000/libpod/tmp/socket/a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749/attach 
DEBU[0000] Received a resize event: {Width:141 Height:43} 
DEBU[0000] Starting container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 with command [/bin/sh] 
DEBU[0000] Started container a9005ff05b8e4659519c705b6590ffd64cde434cc9145606ded713718e0ac749 
/ #

If I run: sudo make uninstall and execute the same command:

$ podman run --log-level debug --rm -it alpine /bin/sh
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level debug --rm -it alpine /bin/sh) 
DEBU[0000] Found deprecated file /home/jdoe/.config/containers/containers.conf, please remove. Use /home/jdoe/.config/containers/containers.conf to override defaults. 
DEBU[0000] Reading configuration file "/home/jdoe/.config/containers/libpod.conf" 
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/jdoe/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files. 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] private enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] []  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true cgroupfs [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/libexec/crio/conmon /usr/local/lib/podman/conmon /usr/local/libexec/crio/conmon /usr/bin/conmon /usr/sbin/conmon /usr/lib/podman/bin/conmon /usr/lib/crio/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.1 /usr/libexec/podman/catatonit shm   false 2048 /usr/bin/crun map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /home/jdoe/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/jdoe/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Using conmon: "/usr/libexec/crio/conmon"     
DEBU[0000] Initializing boltdb state at /home/jdoe/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/jdoe/.local/share/containers/storage 
DEBU[0000] Using run root /tmp/1000                     
DEBU[0000] Using static dir /home/jdoe/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/jdoe/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/bin/runc"                
DEBU[0000] using runtime "/usr/bin/crun"                
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] using runtime "/usr/bin/crun"                
INFO[0000] Setting parallel job count to 193            
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest" 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 10 for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0000] parsed reference into "[overlay@/home/jdoe/.local/share/containers/storage+/tmp/1000:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]@f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] exporting opaque data as blob "sha256:f1f78a099f1d40ed0068b1a512011cd4fca6f5f13db0d87b37421f7fe3159d8c" 
DEBU[0000] created container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has work directory "/home/jdoe/.local/share/containers/storage/overlay-containers/41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf/userdata" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has run directory "/tmp/1000/overlay-containers/41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf/userdata" 
DEBU[0000] container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" has CgroupParent "/libpod_parent/libpod-41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] overlay: mount_data=lowerdir=/home/jdoe/.local/share/containers/storage/overlay/l/GCN4R5HA6G4EJ6W4HJTT4FRZZU,upperdir=/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/diff,workdir=/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/work,context="system_u:object_r:container_file_t:s0:c152,c229" 
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0000] mounted container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" at "/home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/merged" 
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf tap0 
DEBU[0001] Created root filesystem for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf at /home/jdoe/.local/share/containers/storage/overlay/de40db8e7707a061afc6230637d3af25cdd27098c47ebcf94540ffb79a4ab7a2/merged 
DEBU[0001] unmounted container "41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf" 
DEBU[0001] Tearing down network namespace at /run/user/1000/netns/cni-e0547698-04cd-86c8-c8dc-f8fe8c7e14cf for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Cleaning up container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Network is already cleaned up, skipping...   
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] Removing container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Removing all exec sessions for container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Cleaning up container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf 
DEBU[0001] Network is already cleaned up, skipping...   
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] Container 41d92ec7ec4fa912f640d62b189b71ef5f6c7b14f411e2d931ceba0327c845cf storage is already unmounted, skipping... 
DEBU[0001] ExitCode msg: "/usr/bin/slirp4netns failed: \"sent tapfd=7 for tap0\\nwarning: support for seccomp is experimental\\nreceived tapfd=7\\nseccomp: can't add extra arch (i=0)\\nenable_seccomp failed\\ndo_slirp is exiting\\ndo_slirp failed\\nparent failed\\nwarning: support for seccomp is experimental\\nstarting slirp\\n* mtu:             65520\\n* network:         10.0.2.0\\n* netmask:         255.255.255.0\\n* gateway:         10.0.2.2\\n* dns:             10.0.2.3\\n* recommended ip:  10.0.2.100\\n\"" 
Error: /usr/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\nseccomp: can't add extra arch (i=0)\nenable_seccomp failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU:             65520\n* Network:         10.0.2.0\n* Netmask:         255.255.255.0\n* Gateway:         10.0.2.2\n* DNS:             10.0.2.3\n* Recommended IP:  10.0.2.100\n"

This confirms that this PR fixes the issue.

AkihiroSuda commented 4 years ago

Thanks, could you also try https://github.com/rootless-containers/slirp4netns#usage but with --enable-seccomp?

I want to know the output of the newly added strerror().

llebout commented 4 years ago

@AkihiroSuda

$ slirp4netns --configure --mtu=65520 --enable-seccomp --disable-host-loopback $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
seccomp: WARNING: can't add extra arch (i=0): Success
seccomp: The following syscalls will be blocked by seccomp: execve execveat open_by_handle_at ptrace prctl process_vm_readv process_vm_writev mount name_to_handle_at setns umount umount2 unshare.

And network access works in the namespace.

AkihiroSuda commented 4 years ago

Thanks, but the Success error is weird 🤔

AkihiroSuda commented 4 years ago

Sorry, please try this:

diff --git a/seccompfilter.c b/seccompfilter.c
index 3de6b95..edd3cfb 100644
--- a/seccompfilter.c
+++ b/seccompfilter.c
@@ -20,7 +20,7 @@ int enable_seccomp()
         if (rc < 0 && rc != -EEXIST) {
             fprintf(stderr,
                     "seccomp: WARNING: can't add extra arch (i=%d): %s\n", i,
-                    strerror(errno));
+                    strerror(-rc));
         }
     }
     printf("seccomp: The following syscalls will be blocked by seccomp:");
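Review bot: strerror(-rc) is the right source for the message on the changed line, since libseccomp's seccomp_arch_add() returns a negative errno value and leaves the global errno untouched; the "Success" printed by the earlier build in this thread is exactly what strerror(errno) yields when errno was never set. Two follow-ups for the same warning: it still identifies the failed entry only by loop index ("i=%d"), so consider also printing the arch token being added, and since -EEXIST is already filtered out, a one-line comment stating that any other negative return (such as the -EDOM seen later in this thread, which libseccomp uses for architecture-specific failures) is deliberately non-fatal would make the intent of the warn-and-continue path clear to the next reader.
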
llebout commented 4 years ago

@AkihiroSuda

$ slirp4netns --configure --mtu=65520 --enable-seccomp --disable-host-loopback $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
seccomp: WARNING: can't add extra arch (i=0): Numerical argument out of domain
seccomp: The following syscalls will be blocked by seccomp: execve execveat open_by_handle_at ptrace prctl process_vm_readv process_vm_writev mount name_to_handle_at setns umount umount2 unshare.

AkihiroSuda commented 4 years ago

> Numerical argument out of domain

Thanks, never heard of this errno :eyes:

llebout commented 4 years ago

@AkihiroSuda Me neither.
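The exchange above turns on one convention: libseccomp reports failures as a negative errno return value and never sets the global errno, so strerror(errno) printed "Success" while the real failure was -EDOM. The C below is an added example, not slirp4netns code and not the diff in this PR; fake_arch_add() is a hypothetical stand-in for seccomp_arch_add() so it runs without libseccomp, and the arch tokens it accepts are constructed sample values. It shows the classification a caller should apply (success, benign -EEXIST, anything else is a warning), that the errno value to render is -rc, and why reading errno after such a call is wrong.

```c
/*
 * Added example (not slirp4netns code): reporting errors from a
 * libseccomp-style API that returns a negative errno value and does not
 * touch the global errno.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome classes for one "add extra arch" attempt. */
enum arch_add_status {
    ARCH_ADDED = 0,      /* rc == 0 */
    ARCH_ALREADY_THERE,  /* rc == -EEXIST: filter already covers this arch */
    ARCH_REJECTED        /* any other negative rc: worth a warning */
};

/* Hypothetical stand-in for seccomp_arch_add(): returns 0 or a negative
 * errno value and, like libseccomp, never assigns errno.  Constructed
 * tokens: 1 = already present, 2 = unsupported here, anything else = ok. */
static int fake_arch_add(unsigned int arch_token)
{
    switch (arch_token) {
    case 1:  return -EEXIST;
    case 2:  return -EDOM;
    default: return 0;
    }
}

/* Classify a return value under the negative-errno convention. */
enum arch_add_status classify_arch_add(int rc)
{
    if (rc == 0)
        return ARCH_ADDED;
    if (rc == -EEXIST)
        return ARCH_ALREADY_THERE;
    return ARCH_REJECTED;
}

/* The value to hand to strerror(): -rc, never the global errno. */
int arch_add_errno(int rc)
{
    return rc < 0 ? -rc : 0;
}

/* Attempt one arch and return the number of warnings emitted (0 or 1).
 * Mirrors the corrected loop body in the thread: warn on anything except
 * success and -EEXIST, and build the message from -rc. */
int try_add_arch(unsigned int arch_token, int index)
{
    int rc = fake_arch_add(arch_token);
    if (classify_arch_add(rc) == ARCH_REJECTED) {
        fprintf(stderr, "seccomp: WARNING: can't add extra arch (i=%d): %s\n",
                index, strerror(arch_add_errno(rc)));
        return 1;
    }
    return 0;
}

/* The pitfall itself: after a failing call, errno is still whatever it was
 * before (here 0), so strerror(errno) would describe "Success". */
int errno_is_untouched_after_failure(void)
{
    errno = 0;
    int rc = fake_arch_add(2);
    return rc == -EDOM && errno == 0;
}

int main(void)
{
    /* Constructed list: one ok arch, one duplicate, one unsupported. */
    unsigned int archs[] = {3, 1, 2};
    int warnings = 0;
    for (int i = 0; i < 3; i++)
        warnings += try_add_arch(archs[i], i);
    printf("warnings emitted: %d, errno untouched by failure: %d\n",
           warnings, errno_is_untouched_after_failure());
    return 0;
}
```

Run as-is it emits exactly one warning (for the unsupported token) and reports that errno stayed 0 across the failing call; replacing fake_arch_add() with the real seccomp_arch_add() keeps the same classification and strerror(-rc) logic.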