On 2021-02-26, Dmitry V. Levin wrote:
> On Thu, Feb 25, 2021 at 08:47:02PM +0100, Petr Vorel wrote:
> > 3d3ab573a5 ("Linux: Use faccessat2 to implement faccessat (bug 18683)")
> > started to use faccessat2() which breaks docker/podman/... containers
> > with guest running glibc 2.33 running on host with older kernel and are
> > built with older libseccomp.
> >
> > See also: https://bugzilla.opensuse.org/show_bug.cgi?id=1182451#c17
> >
> > Signed-off-by: Petr Vorel
> > ---
> > Hi,
> >
> > I admit that this is a very ugly workaround and wouldn't be surprised if
> > you just don't care about seccomp() incompatibilities. But it'd be nice
> > to have a unified approach for this incompatibility, as it hits any distro
> > with glibc 2.33 (currently openSUSE Tumbleweed, Arch Linux, Fedora
> > rawhide). And after some time (when old LTS distros EOL) this crap could
> > be removed.
> >
> > More info:
> > https://github.com/opencontainers/runc/pull/2750
> > https://github.com/seccomp/libseccomp/issues/314
> >
> > Kind regards,
> > Petr
>
> Petr, you must have missed the whole discussion on this subject [1][2],
> the consensus was that problematic container runtimes need to be fixed
> to make their seccomp filters return ENOSYS for unknown syscalls.

It should also be noted that we fixed this in runc a month ago[1], which
means that it's up to distributions and cloud vendors to update their
runc packages to the latest version or backport the patch. Docker's
packaging hasn't been updated to use the latest runc yet (that'll happen
in the next patch release), but distributions can ship newer runc
versions -- that's what we do in openSUSE.

[1]: https://github.com/opencontainers/runc/pull/2750

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
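The "return ENOSYS for unknown syscalls" fix the thread refers to, as an added example that is not part of this e-mail thread and is not runc's, libseccomp's or glibc's own code. It builds a raw seccomp-BPF filter in both shapes: the pre-fix shape, where any syscall number the filter was not generated for gets EPERM, and the runc-2750-style shape, where such numbers get ENOSYS. It then runs a glibc-2.33-style "try faccessat2, fall back to faccessat only on ENOSYS" wrapper under each, in a forked child so the filter never lands on the caller. Assumptions of mine: Linux on x86_64 or aarch64 (faccessat2 is syscall 439 on both); the filter's "last known" number is taken as the one just before faccessat2, standing in for a libseccomp that predates it; getppid stands in for a syscall the profile explicitly denies; all function and struct names are this example's own.

```c
/* Added example; not code from this thread, runc, libseccomp or glibc.
 * Assumes Linux on x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif
#ifndef __NR_faccessat2
#  define __NR_faccessat2 439   /* for older headers; same number on both arches */
#endif

struct demo_result {
    int installed;     /* 1 if the child got the filter installed */
    int unknown_errno; /* errno from a raw faccessat2, i.e. a nr the filter never saw */
    int blocked_errno; /* errno from the explicitly denied syscall */
    int wrapper_rc, wrapper_errno; /* glibc-style wrapper: rc 0 means it worked */
};

/* Filter: nr > known_max -> unknown_errno, nr == blocked -> EPERM, else allow. */
static int install_filter(unsigned known_max, unsigned blocked, unsigned unknown_errno)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, known_max, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (unknown_errno & SECCOMP_RET_DATA)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, blocked, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(code) / sizeof(code[0])), code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Shape of glibc 2.33's faccessat(): only ENOSYS triggers the old-syscall
 * fallback, so a filter answering EPERM for faccessat2 makes it fail outright. */
static int access_with_fallback(const char *path)
{
    if (syscall(__NR_faccessat2, AT_FDCWD, path, R_OK, 0) == 0)
        return 0;
    if (errno != ENOSYS)
        return -1;
    return (int)syscall(__NR_faccessat, AT_FDCWD, path, R_OK);
}

/* Probe in a forked child; results come back over a pipe. known_max is the
 * nr just before faccessat2 (a filter from a libseccomp that predates it) and
 * getppid stands in for an explicitly denied syscall (both are assumptions). */
static struct demo_result run_under_filter(unsigned unknown_errno)
{
    struct demo_result r = { 0 };
    int fds[2]; pid_t pid;
    if (pipe(fds) != 0) return r;
    if ((pid = fork()) == 0) {
        r.installed = install_filter(__NR_faccessat2 - 1, __NR_getppid, unknown_errno) == 0;
        if (r.installed) {
            errno = 0; syscall(__NR_faccessat2, AT_FDCWD, "/", R_OK, 0);
            r.unknown_errno = errno;
            errno = 0; syscall(__NR_getppid);
            r.blocked_errno = errno;
            r.wrapper_rc = access_with_fallback("/");
            r.wrapper_errno = r.wrapper_rc ? errno : 0;
        }
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    if (pid < 0 || read(fds[0], &r, sizeof r) != (ssize_t)sizeof r)
        r.installed = 0;
    close(fds[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    struct demo_result a = run_under_filter(ENOSYS), b = run_under_filter(EPERM);
    if (!a.installed || !b.installed)
        return fprintf(stderr, "seccomp filter could not be installed here\n"), 1;
    printf("unknown->ENOSYS: faccessat2 errno=%d, wrapper rc=%d (fallback worked)\n",
           a.unknown_errno, a.wrapper_rc);
    printf("unknown->EPERM:  faccessat2 errno=%d, wrapper rc=%d errno=%d (what glibc 2.33 hits)\n",
           b.unknown_errno, b.wrapper_rc, b.wrapper_errno);
    return 0;
}
```

Under the ENOSYS-shaped filter the raw faccessat2 call fails with ENOSYS, the explicitly denied getppid still fails with EPERM, and the wrapper falls back to faccessat and succeeds; under the EPERM-shaped filter the wrapper never falls back and access checks on a perfectly readable path fail with EPERM, which is the container breakage the thread describes. The point of the arch check at the top is that syscall numbers only mean something for one ABI, so a filter that reasons about "nr above the last known" must refuse other architectures.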