Podman v3.2.0 does not load internal seccomp profile any more #10556

Closed
saschagrunert opened this issue Jun 4, 2021 · 6 comments · Fixed by containers/common#604
Labels: kind/bug, locked - please file new issue/PR

saschagrunert commented Jun 4, 2021

/kind bug

Description

Podman v3.1.2 did load the internal seccomp profile (struct) if the seccomp.json was not present on disk. This behavior has changed in v3.2.0.

Steps to reproduce the issue:

On a system where /usr/share/containers/seccomp.json is not available:

> podman run -it alpine:latest echo
Error: opening seccomp profile failed: open /usr/share/containers/seccomp.json: no such file or directory

Describe the results you expected:

With Podman v3.1.2:

> podman run --log-level=debug -it alpine:latest echo 2>&1 | rg "default seccomp"
time="2021-06-04T09:43:26+02:00" level=debug msg="Loading default seccomp profile"

Additional information you deem important (e.g. issue happens only occasionally):

/etc/containers/containers.conf has no seccomp profile specified.

Output of podman version:

Version:      3.2.0
API Version:  3.2.0
Go Version:   go1.16.4
Git Commit:   0281ef262dd0ffae28b5fa5e4bdf545f93c08dc7
Built:        Tue Jan  1 01:00:00 1980
OS/Arch:      linux/amd64
@openshift-ci openshift-ci bot added the kind/bug label Jun 4, 2021

Luap99 commented Jun 4, 2021

bad commit 18cb17f
I think we have to leave the default seccomp path empty in c/common. https://github.com/containers/common/blob/86254d6d63e08f14a8c4d66a6ca40089bec8a01e/pkg/config/default.go#L201

Luap99 added a commit to Luap99/common that referenced this issue Jun 4, 2021
The default path should be empty in order for podman to distinguish
between a path that was explicitly or to use the default (in memory)
profile.

Fixes: containers/podman#10556

Signed-off-by: Paul Holzinger <[email protected]>

Luap99 commented Jun 4, 2021

containers/common#604 to fix
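
An added example (not code from Podman or containers/common) of the distinction the fix restores: an empty configured path means "nothing was chosen, use the packaged file or the in-memory default", while a non-empty path is treated as an explicit choice that must exist. The names `Resolve`, `Source` and `builtinProfile`, the profile contents and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Source records where the seccomp profile came from (hypothetical type).
type Source string

const (
	BuiltIn  Source = "built-in default"
	Packaged Source = "packaged file"
	Explicit Source = "explicitly configured file"
)

// builtinProfile stands in for the profile compiled into the binary (constructed).
var builtinProfile = []byte(`{"defaultAction":"SCMP_ACT_ERRNO"}`)

// Resolve picks the profile. configured is the path from the config file or CLI
// ("" when nothing was set); packaged is the distribution's seccomp.json path.
func Resolve(configured, packaged string) (Source, []byte, error) {
	if configured != "" {
		// An explicit path must exist: a silent fallback would run the
		// container under a different policy than the operator asked for.
		data, err := os.ReadFile(configured)
		if err != nil {
			return "", nil, fmt.Errorf("opening seccomp profile failed: %w", err)
		}
		return Explicit, data, nil
	}
	data, err := os.ReadFile(packaged)
	if errors.Is(err, os.ErrNotExist) {
		return BuiltIn, builtinProfile, nil // no file on disk: in-memory default
	}
	if err != nil {
		return "", nil, fmt.Errorf("opening seccomp profile failed: %w", err)
	}
	return Packaged, data, nil
}

func main() {
	missing := "/nonexistent/containers/seccomp.json" // constructed path
	src, _, err := Resolve("", missing)
	fmt.Println("unset path:     ", src, err)
	// A default pre-filled with the packaged path looks like an explicit choice.
	src, _, err = Resolve(missing, missing)
	fmt.Println("pre-filled path:", src, err)
}
```

With the default left empty, a host without the packaged file still gets a seccomp filter; with the default pre-filled, the same host gets the "no such file or directory" error from the report.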

mheon commented Jun 4, 2021

Any way we can test this in CI? I imagine the VMs probably have a seccomp.json because we're using the standard packaged configs on them - maybe we can remove it for one of the tests?

Regardless, this sounds like a good reason to spin up a quick 3.2.1 early next week.

@vrothberg

Reopened as it's not yet in Podman. Also need to create backports here and in c/common.

mgoltzsche added a commit to mgoltzsche/podman-static that referenced this issue Jun 4, 2021
Applying the image fix of #9 to the tar release as well in order to work around containers/podman#10556.

srbala commented Jun 4, 2021

Using the following temporary workaround until this issue is resolved.

mkdir -p /usr/share/containers; \
wget -O /usr/share/containers/seccomp.json https://src.fedoraproject.org/rpms/containers-common/raw/rawhide/f/seccomp.json

vrothberg pushed a commit to vrothberg/common that referenced this issue Jun 8, 2021
The default path should be empty in order for podman to distinguish
between a path that was explicitly or to use the default (in memory)
profile.

Fixes: containers/podman#10556

Signed-off-by: Paul Holzinger <[email protected]>
Backported-by: Valentin Rothberg <[email protected]>
@vrothberg

containers/common#608 for the c/common backports

vrothberg added a commit to vrothberg/libpod that referenced this issue Jun 9, 2021
Fixes the seccomp-profile regression in v3.2

Fixes: containers#10556
Signed-off-by: Valentin Rothberg <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023