Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Podman v3.2.0 does not load internal seccomp profile any more #10556

Closed
saschagrunert opened this issue Jun 4, 2021 · 6 comments · Fixed by containers/common#604
Closed

Podman v3.2.0 does not load internal seccomp profile any more #10556

saschagrunert opened this issue Jun 4, 2021 · 6 comments · Fixed by containers/common#604
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@saschagrunert
Copy link
Member

saschagrunert commented Jun 4, 2021
edited
Loading

/kind bug

Description

Podman v3.1.2 did load the internal seccomp profile (struct) if the seccomp.json was not present on disk. This behavior has changed in v3.2.0.

Steps to reproduce the issue:

On a system where /usr/share/containers/seccomp.json is not available:

> podman run -it alpine:latest echo
Error: opening seccomp profile failed: open /usr/share/containers/seccomp.json: no such file or directory

Describe the results you expected:

With Podman v3.1.2:

> podman run --log-level=debug -it alpine:latest echo 2>&1 | rg "default seccomp"
time="2021-06-04T09:43:26+02:00" level=debug msg="Loading default seccomp profile"

Additional information you deem important (e.g. issue happens only occasionally):

/etc/containers/containers.conf has no seccomp profile specified.

Output of podman version:

Version:      3.2.0
API Version:  3.2.0
Go Version:   go1.16.4
Git Commit:   0281ef262dd0ffae28b5fa5e4bdf545f93c08dc7
Built:        Tue Jan  1 01:00:00 1980
OS/Arch:      linux/amd64
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 4, 2021
@saschagrunert saschagrunert mentioned this issue Jun 4, 2021
Merged
9 tasks
@Luap99
Copy link
Member

Luap99 commented Jun 4, 2021

bad commit 18cb17f
I think we have to leave the default seccomp path empty in c/common. https://github.com/containers/common/blob/86254d6d63e08f14a8c4d66a6ca40089bec8a01e/pkg/config/default.go#L201

Luap99 added a commit to Luap99/common that referenced this issue Jun 4, 2021
@Luap99
Leave default seccomp path empty
6076a27 
The default path should be empty in order for podman to distinguish
between a path the was explicity or to use the default (in memory)
profile.

Fixes: containers/podman#10556

Signed-off-by: Paul Holzinger <[email protected]>
@Luap99 Luap99 mentioned this issue Jun 4, 2021
Merged
@Luap99
Copy link
Member

Luap99 commented Jun 4, 2021

containers/common#604 to fix

@mheon
Copy link
Member

mheon commented Jun 4, 2021

Any way we can test this in CI? I imagine the VMs probably have a seccomp.json because we're using the standard packaged configs on them - maybe we can remove it for one of the tests?

Regardless, this sounds like a good reason to spin up a quick 3.2.1 early next week.

@vrothberg vrothberg reopened this Jun 4, 2021
@vrothberg
Copy link
Member

Reopened as it's not yet in Podman. Also need to create backports here and in c/common.

@srbala srbala mentioned this issue Jun 4, 2021
Merged
mgoltzsche added a commit to mgoltzsche/podman-static that referenced this issue Jun 4, 2021
@mgoltzsche
add default seccomp.json to tar.
a8b41ff 
Applying the image fix of #9 to the tar release as well in order to work around containers/podman#10556.
@srbala
Copy link

srbala commented Jun 4, 2021

Using following temp work around until this issue being resolved.

mkdir -p /usr/share/containers; \	
wget -O /usr/share/containers/seccomp.json https://src.fedoraproject.org/rpms/containers-common/raw/rawhide/f/seccomp.json ;

vrothberg pushed a commit to vrothberg/common that referenced this issue Jun 8, 2021
@Luap99 @vrothberg
[0.38] Leave default seccomp path empty
4397009 
The default path should be empty in order for podman to distinguish
between a path the was explicitly or to use the default (in memory)
profile.

Fixes: containers/podman#10556

Signed-off-by: Paul Holzinger <[email protected]>
Backported-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg mentioned this issue Jun 8, 2021
Merged
@vrothberg
Copy link
Member

containers/common#608 for the c/common backports

vrothberg added a commit to vrothberg/libpod that referenced this issue Jun 9, 2021
@vrothberg
[v3.2] vendor containers/[email protected]
78430ee 
Fixes the seccomp-profile regression in v3.2

Fixes: containers#10556
Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg mentioned this issue Jun 9, 2021
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Leave default seccomp path empty Luap99/common
5 participants
@saschagrunert @srbala @mheon @vrothberg @Luap99