$ sudo rkt run --dns 8.8.8.8 --insecure-options image \
docker://alpine:edge \
--exec /bin/sh -- -c "apk update"
[174135.789209] alpine[5]: Bad system call
Most likely, this is due to:
$ sudo docker run -ti --rm alpine:edge /bin/sh -c "apk update"
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/main]
v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/community]
OK: 8261 distinct packages available
**Environment**
rkt Version: 1.25.0 appc Version: 0.8.10 Go Version: go1.7.4 Go OS/Arch: linux/amd64 Features: -TPM +SDJOURNAL -- Linux 4.10.6-200.fc25.x86_64 x86_64 -- NAME=Fedora VERSION="25 (Twenty Five)" ID=fedora VERSION_ID=25 PRETTY_NAME="Fedora 25 (Twenty Five)" ANSI_COLOR="0;34" CPE_NAME="cpe:/o:fedoraproject:fedora:25" HOME_URL="https://fedoraproject.org/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Fedora" REDHAT_BUGZILLA_PRODUCT_VERSION=25 REDHAT_SUPPORT_PRODUCT="Fedora" REDHAT_SUPPORT_PRODUCT_VERSION=25 PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy -- systemd 231 +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
I am a bit confused because /proc should be already provided to stage2 apps and because whitelisting mount results in a similar failure:
$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:edge --seccomp mode=retain,@rkt/default-whitelist,mount --exec /bin/sh -- -c "apk update"
[ 1009.029542] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
[ 1010.047881] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
[ 1010.287397] alpine[5]: v3.5.0-3602-g019e6343e3 [http://dl-cdn.alpinelinux.org/alpine/edge/main]
[ 1010.287755] alpine[5]: v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/community]
[ 1010.287962] alpine[5]: OK: 8261 distinct packages available
[ 1010.294333] alpine[5]: Bad system call
I guess there is something more involved in here, and perhaps alpine detection logic is missing our case somehow.
@lucab, I used strace -f apk update 2>&1 | sed -n -e '/(/s/(.*$//p' | sort | uniq to get a list of the syscalls for Alpine 3.5 and Edge, and here's the diff:
> mkdir
17a19
> mount
32a35
> statfs
33a37
> umount2
So umount2 was missing too. Sure enough, including it fixes the problem:
$ sudo rkt run --dns 8.8.8.8 --insecure-options image \
docker://alpine:edge \
--seccomp mode=retain,@rkt/default-whitelist,mount,umount2 \
--exec /bin/sh -- -c "apk update"
[260851.708160] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
...
The detection logic is definitely missing rkt's case somehow (though presumably not Docker's).
@tjdett thanks for the followup! Mind reporting this to apk upstream to get the detection logic improved?
@lucab Bug logged with Alpine:
https://bugs.alpinelinux.org/issues/7162
The upstream bug has now been fixed/closed (via commit).
Presumably the next alpine release should fix this!
Most helpful comment
@lucab Bug logged with Alpine:
https://bugs.alpinelinux.org/issues/7162