
weird seccomp caching bug, causes bud-runtime-flag test to flake #1475

Closed
edsantiago opened this issue May 29, 2024 · 4 comments
Comments

@edsantiago
Member

Very weird:

✗ bud with --runtime and --runtime-flag
...
  $ bin/buildah build --runtime=crun --runtime-flag=debug --security-opt seccomp=/var/tmp/buildah_tests.q0vl4f/seccomp.json -q -t alpine-bud-crun --signature-policy tests/policy.json --file /var/tmp/buildah_tests.q0vl4f/my-dir/Containerfile .
   aeae403933820e50439e06b44cda206d50555c7b24ca002f813f35efc0aaad77
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #|     FAIL: buildah build --runtime=crun .....
   #| expected: =~ 'unknown seccomp syscall'
   #|   actual:    'aeae403933820e50439e06b44cda206d50555c7b24ca002f813f35efc0aaad77'
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Reproducer:

$ cat >foo.json <<EOF
{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
      {
        "name": "unknown1",
        "action": "SCMP_ACT_KILL"
      }
    ]
}
EOF

$ printf "FROM alpine\nRUN echo hello\n" | bin/buildah build --runtime=crun --runtime-flag=debug --security-opt seccomp=foo.json -q -t alpine-bud-crun -
unknown seccomp syscall `unknown1` ignored    <<<<< YAY WARNING THIS IS EXPECTED
6297b2e198485f73776937ad4a5a563e785cee6f68eb5727e30da887f3bd7272
$ !!
2ca992d96f40d964648d3f6c7e49d00a9f572a63a776769c8a4ee45e32931b42    <<<<< BOO SECCOMP WARNING DISAPPEARED!

That is: the first time, we get the "unknown seccomp" warning. The second time, no warning. podman image prune and rmi alpine-bud-crun make no difference. The only way to get the warning back is to change unknown1 to unknown2, 3, etc.

Tested crun 1.14.4-1 and 1.15-1 on f40.

@nalind
Member

nalind commented May 29, 2024

This is a crun thing. Transferring the issue.

@nalind nalind transferred this issue from containers/buildah May 29, 2024
@giuseppe
Member

This happens because crun has a cache for seccomp profiles (/run/crun/.cache/seccomp). The seccomp profile is generated only the first time it is encountered; the second time it is just read from the cache, which avoids any processing.

I think the best option would be to use a fresh crun rundir for this container, so there is no risk of using an existing cache, by providing --root=$DIR to crun:

CRUN_TMP=...
printf "FROM alpine\nRUN echo hello\n" | bin/buildah build --runtime=crun --runtime-flag=debug --runtime-flag=--root=$CRUN_TMP --security-opt seccomp=foo.json -q -t alpine-bud-crun -

What do you think?
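The suggestion above amounts to isolating crun's on-disk state per test so that a profile cached by an earlier run cannot suppress the warning a later run is checking for. The following helper, added here as an example and not code from the issue, from buildah or from crun, wraps the reproducer that way: every build gets its own crun --root created with mktemp and removed afterwards. It assumes BUILDAH names a buildah binary (or a stand-in for it) and that the crun state directory, including the seccomp cache the issue mentions, lives under whatever --root is passed.

```shell
#!/usr/bin/env bash
# Added example (not from the issue, buildah or crun): run each build with a
# private crun state directory so crun's seccomp profile cache
# (/run/crun/.cache/seccomp by default) never carries over between builds.
# BUILDAH is assumed to point at a buildah binary; override it to stub it out.
set -eu

BUILDAH=${BUILDAH:-buildah}

# Write a seccomp profile whose only rule names a syscall that does not exist,
# mirroring the reproducer from the issue. $1 = output path, $2 = syscall name.
write_unknown_syscall_profile() {
    local out=$1 name=$2
    cat >"$out" <<EOF
{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "$name",
            "action": "SCMP_ACT_KILL"
        }
    ]
}
EOF
}

# Print the runtime flags that make crun keep all of its state, including the
# seccomp cache, under the directory given as $1 instead of /run/crun.
crun_isolated_flags() {
    printf -- '--runtime=crun --runtime-flag=debug --runtime-flag=--root=%s\n' "$1"
}

# Run one build in a throwaway crun root and print whatever the build printed
# (stdout and stderr combined). $1 = seccomp profile path, $2 = image tag.
# The root is deleted afterwards, so the next call starts with an empty cache
# even when the profile content is identical.
build_with_fresh_crun_root() {
    local profile=$1 tag=$2 root output
    root=$(mktemp -d)
    # Word-splitting of the flag list is intended here.
    output=$(printf 'FROM alpine\nRUN echo hello\n' \
        | "$BUILDAH" build $(crun_isolated_flags "$root") \
            --security-opt "seccomp=$profile" -q -t "$tag" - 2>&1) || true
    rm -rf "$root"
    printf '%s\n' "$output"
}

# Succeeds when the captured build output carries the warning the flaky test
# expects; this is the assertion the test makes on every run, not only the first.
saw_unknown_syscall_warning() {
    printf '%s' "$1" | grep -q 'unknown seccomp syscall'
}
```

The point of routing the build through build_with_fresh_crun_root rather than adding --root once at the top of the test file is that the isolation is per invocation: two consecutive builds with the same profile both start cold, which is exactly the condition under which the warning was disappearing.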

@edsantiago
Member Author

Oh that's easy, thanks. I'll update my PR and will close this issue if it works.

@edsantiago
Member Author

Worked perfectly. Thank you!
