Bugzilla – Bug 1152773
seccomp error if running containers with podman on armv7
Last modified: 2021-05-03 16:37:38 UTC
Calling "podman run --rm -it registry.opensuse.org/opensuse/busybox" on a Raspberry Pi2 stops with the following error:
Error: container_linux.go:345: starting container process caused "error loading seccomp filter into kernel: invalid argument": OCI runtime error
armv7 has no seccomp filter since HAVE_ARCH_SECCOMP_FILTER is not selected by armv7. Only arm64 selects HAVE_ARCH_SECCOMP_FILTER.

In 2012 some patches were sent to add this support to armv7, but never ended in the kernel:
http://lkml.iu.edu/hypermail/linux/kernel/1210.3/03963.html
*** Bug 1174170 has been marked as a duplicate of this bug. ***
(In reply to Guillaume GARDET from comment #1)
> armv7 has no seccomp filter since HAVE_ARCH_SECCOMP_FILTER is not selected
> by armv7. Only arm64 selects HAVE_ARCH_SECCOMP_FILTER.
>
> In 2012 some patches were sent to add this support to armv7, but never ended
> in the kernel:
> http://lkml.iu.edu/hypermail/linux/kernel/1210.3/03963.html

CONFIG_HAVE_ARCH_SECCOMP_FILTER is enabled since https://github.com/openSUSE/kernel-source/commit/e9e55d07c18023edb983e14bacdc2ff2542671c7

So, it should be fine now, but it is still broken.
(In reply to Guillaume GARDET from comment #3)
> (In reply to Guillaume GARDET from comment #1)
> > armv7 has no seccomp filter since HAVE_ARCH_SECCOMP_FILTER is not selected
> > by armv7. Only arm64 selects HAVE_ARCH_SECCOMP_FILTER.
> >
> > In 2012 some patches were sent to add this support to armv7, but never ended
> > in the kernel:
> > http://lkml.iu.edu/hypermail/linux/kernel/1210.3/03963.html
>
> CONFIG_HAVE_ARCH_SECCOMP_FILTER is enabled since
> https://github.com/openSUSE/kernel-source/commit/e9e55d07c18023edb983e14bacdc2ff2542671c7
>
> So, it should be fine now, but it is still broken.

It might work using kernel-default meanwhile, but kernel-lpae (and kernel-obs-build, same binary) are missing:
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y

Reassigning to kernel.
SECCOMP_FILTER is available only when CONFIG_OABI_COMPAT=n. It's explicitly limited via commit 9170217510cd280c704966738e7c1660c8fa5cbd
  ARM: 7888/1: seccomp: not compatible with ARM OABI

And kernel-lpae defines this, so CONFIG_SECCOMP_FILTER isn't available there.
(In reply to Takashi Iwai from comment #5)
> SECCOMP_FILTER is available only when CONFIG_OABI_COMPAT=n. It's explicitly
> limited via commit 9170217510cd280c704966738e7c1660c8fa5cbd
>   ARM: 7888/1: seccomp: not compatible with ARM OABI
>
> And kernel-lpae defines this, so CONFIG_SECCOMP_FILTER isn't available there.

Sounds like that should be changed.

For default it was part of your commit:
  Update config files: disable CONFIG_OABI_COMPAT for 32bit Arm (bsc#1165462)

That didn't touch lpae though, it's out of sync. I don't think much of the diff between default and lpae is intentional, maybe it should be rebased on default again.
A good point, it must be an oversight, then. I'm going to push the correction.
The fix got merged to master and stable branches.
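A check for the condition diagnosed in the comments above, as an added example that is not part of the bug report or of any openSUSE tooling. The function names, status words and sample config contents are constructed for illustration; only the CONFIG_ option names come from the thread.

```shell
#!/bin/sh
# Added example: classify a kernel config by the options named in this bug.
# On a running system the config is typically /boot/config-$(uname -r).

# config_is_y FILE OPTION -> exit 0 only if FILE contains the line OPTION=y.
# A "# OPTION is not set" comment and a missing line both count as off.
config_is_y() {
    grep -q "^$2=y\$" "$1"
}

# seccomp_filter_status FILE -> prints one status word (hypothetical names).
seccomp_filter_status() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 1
    fi
    if config_is_y "$cfg" CONFIG_SECCOMP_FILTER; then
        echo "available"
    elif config_is_y "$cfg" CONFIG_OABI_COMPAT; then
        # The case found for kernel-lpae: OABI compat blocks SECCOMP_FILTER.
        echo "blocked-by-oabi-compat"
    elif ! config_is_y "$cfg" CONFIG_HAVE_ARCH_SECCOMP_FILTER; then
        echo "arch-unsupported"
    else
        echo "disabled"
    fi
}

# make_samples DIR -> writes two constructed config fragments that mirror
# the kernel-default and kernel-lpae situations described in the thread.
make_samples() {
    printf '%s\n' 'CONFIG_AEABI=y' '# CONFIG_OABI_COMPAT is not set' \
        'CONFIG_HAVE_ARCH_SECCOMP_FILTER=y' 'CONFIG_SECCOMP=y' \
        'CONFIG_SECCOMP_FILTER=y' > "$1/config-default"
    printf '%s\n' 'CONFIG_AEABI=y' 'CONFIG_OABI_COMPAT=y' \
        'CONFIG_SECCOMP=y' > "$1/config-lpae"
}

# Stand-alone use: pass a config file path as the first argument.
if [ $# -gt 0 ]; then
    seccomp_filter_status "$1"
fi
```

A result other than "available" means the runtime's attempt to load a seccomp filter will fail on that kernel, as in the podman error at the top of this bug.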