Rkt: `apk update` conflicts with seccomp for alpine:edge

Created on 12 Apr 2017  路  5Comments  路  Source: rkt/rkt

$ sudo rkt run --dns 8.8.8.8 --insecure-options image \
    docker://alpine:edge \
    --exec /bin/sh -- -c "apk update"                                                                                                                  
[174135.789209] alpine[5]: Bad system call
Most likely, this is due to: While likely an Alpine Linux issue, users will probably perceive it as "rkt is broken for Alpine" because it works in Docker 1.12.6:
$ sudo docker run -ti --rm alpine:edge /bin/sh -c "apk update"
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/main]
v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/community]
OK: 8261 distinct packages available
**Environment**
rkt Version: 1.25.0
appc Version: 0.8.10
Go Version: go1.7.4
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL
--
Linux 4.10.6-200.fc25.x86_64 x86_64
--
NAME=Fedora
VERSION="25 (Twenty Five)"
ID=fedora
VERSION_ID=25
PRETTY_NAME="Fedora 25 (Twenty Five)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:25"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=25
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=25
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
--
systemd 231
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

Most helpful comment

@lucab Bug logged with Alpine:
https://bugs.alpinelinux.org/issues/7162

All 5 comments

I am a bit confused because /proc should be already provided to stage2 apps and because whitelisting mount results in a similar failure:

$ sudo rkt run --dns 8.8.8.8 --insecure-options image     docker://alpine:edge --seccomp mode=retain,@rkt/default-whitelist,mount    --exec /bin/sh -- -c "apk update" 
[ 1009.029542] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
[ 1010.047881] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
[ 1010.287397] alpine[5]: v3.5.0-3602-g019e6343e3 [http://dl-cdn.alpinelinux.org/alpine/edge/main]
[ 1010.287755] alpine[5]: v3.5.0-3581-g4f34754ccb [http://dl-cdn.alpinelinux.org/alpine/edge/community]
[ 1010.287962] alpine[5]: OK: 8261 distinct packages available
[ 1010.294333] alpine[5]: Bad system call

I guess there is something more involved in here, and perhaps alpine detection logic is missing our case somehow.

@lucab, I used strace -f apk update 2>&1 | sed -n -e '/(/s/(.*$//p' | sort | uniq to get a list of the syscalls for Alpine 3.5 and Edge, and here's the diff:

> mkdir
17a19
> mount
32a35
> statfs
33a37
> umount2

So umount2 was missing too. Sure enough, including it fixes the problem:

$ sudo rkt run --dns 8.8.8.8 --insecure-options image \
    docker://alpine:edge \
    --seccomp mode=retain,@rkt/default-whitelist,mount,umount2 \
    --exec /bin/sh -- -c "apk update"  
[260851.708160] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
...

The detection logic is definitely missing rkt's case somehow (though presumably not Docker's).

@tjdett thanks for the followup! Mind reporting this to apk upstream to get the detection logic improved?

@lucab Bug logged with Alpine:
https://bugs.alpinelinux.org/issues/7162

The upstream bug has now been fixed/closed (via commit).

Presumably the next alpine release should fix this!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

alban picture alban  路  3Comments

s-urbaniak picture s-urbaniak  路  4Comments

moredhel picture moredhel  路  6Comments

kallisti5 picture kallisti5  路  6Comments

techtonik picture techtonik  路  3Comments