Bug 55360 - Docker images that use glibc >=2.34 (e.g. debian bookworm based) don't function in UCS | docker seccomp rules are not sufficient
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-3-errata
Assigned To: Julia Bremer
Felix Botner
https://git.knut.univention.de/univen...
Depends on:
Blocks: 57093 56649
Reported: 2022-10-28 10:56 CEST by Julia Bremer
Modified: 2024-02-28 11:39 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Julia Bremer univentionstaff 2022-10-28 10:56:28 CEST
When trying to start an Ubuntu jammy (debian bookworm based) docker image on UCS,
strange things start to happen: various segfaults and GPG errors during apt-get update etc. Most programs cannot run in this container. Many programs segfault.
All docker images that use this glibc version will not work under UCS 5 (or UCS 4 for that matter).

The reason is that glibc >=2.34 uses a few "new" syscalls.
At least the syscalls clone3 and faccessat2 are not allowed by either default docker seccomp rules in our docker version (19.03.8-0ubuntu1.20.04.1A~5.0.0.202103251227) or by the custom seccomp profile our appcenter uses (/etc/docker/seccomp-systemd.json). 


To fix this, we need to adjust the rules in /etc/docker/seccomp-systemd.json to allow at least clone3 and faccessat2.
But there may be more syscalls that need to be added. 

But even that is not completely sufficient. 
Our libseccomp2 version (2.3.3-4) doesn't "know" these syscalls yet. Adding rules to the seccomp profile does nothing. 
These syscalls have been added in libseccomp2 version 2.5 which can be installed from buster-backports.
https://packages.debian.org/buster-backports/amd64/libseccomp2/download


TL;DR
To fix this in UCS 5.0 we would need to backport the libseccomp2 version and adjust our /etc/docker/seccomp-systemd.json.

If we decide to wait for UCS 5.1, we still need to adjust our own seccomp rules in /etc/docker/seccomp-systemd.json.
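The description above boils down to a check on the seccomp profile: does an explicit allow rule exist for clone3 and faccessat2 (and, per the keycloak case, rseq)? The script below is an added example, not code from this bug or from the UCS repositories; it audits a Docker-format seccomp JSON profile for those syscalls and appends one allow rule if they are missing. The sample profile is constructed; the real /etc/docker/seccomp-systemd.json is not reproduced here.

```python
"""Audit/patch a Docker seccomp profile for the syscalls glibc >= 2.34 needs."""
import json
import sys

# Syscalls named in this bug: glibc >= 2.34 uses clone3 and faccessat2, and
# keycloak (comment 1) additionally needed rseq.
REQUIRED_SYSCALLS = ("clone3", "faccessat2", "rseq")

# Constructed sample in the Docker seccomp JSON format (not the real UCS
# profile): the allow-list predates the new syscalls, and defaultAction is
# SCMP_ACT_ERRNO, which yields the "EPERM" / "Operation not permitted" errors.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["clone", "faccessat", "read", "write"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"},
    ],
})


def allowed_syscalls(profile):
    """Return every syscall name that some rule explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
            if "name" in rule:  # older single-name rule form
                allowed.add(rule["name"])
    return allowed


def missing_syscalls(profile, required=REQUIRED_SYSCALLS):
    """Sorted list of required syscalls the profile does not allow ([] = fine)."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return []  # allow-by-default profile: nothing is blocked by name
    allowed = allowed_syscalls(profile)
    return sorted(s for s in required if s not in allowed)


def patch_profile(profile, required=REQUIRED_SYSCALLS):
    """Return a deep copy with one extra allow rule covering the missing syscalls.

    Note: the rule only takes effect once the host libseccomp resolves these
    names (2.5+ per this bug); with an older libseccomp it is silently ignored.
    """
    patched = json.loads(json.dumps(profile))
    missing = missing_syscalls(patched, required)
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


if __name__ == "__main__":
    # Usage: python audit_seccomp.py /path/to/profile.json  (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print("missing:", missing_syscalls(json.loads(data)))
```

Running it against a profile that still blocks the syscalls prints missing: ['clone3', 'faccessat2', 'rseq']; an empty list means the profile side of the fix is done, the libseccomp version still has to be checked separately.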
Comment 1 Julia Bremer univentionstaff 2023-03-24 14:01:29 CET
Happens with keycloak version 21.0.2. 

[0.044s][warning][os,thread] Failed to start thread "VM Thread" - pthread_create failed (EPERM) for attributes: stacksize: 1024k, guardsize: 4k, detached.
Error occurred during initialization of VM
Cannot create VM thread. Out of system resources.


After installing the buster backport version of libseccomp2 and adding the syscalls clone3, rseq and faccessat2 to the seccomp rules the container works.
Comment 2 Julia Bremer univentionstaff 2023-03-24 14:14:51 CET
This inhibits us from using the latest keycloak versions in UCS 5.0, including all the new security fixes from upstream.
Therefore I mark this bug as a security issue.
Comment 3 Daniel Tröder univentionstaff 2023-03-24 15:44:52 CET
On a side note: the same happens with 3.14+ Alpine Linux Docker images. The solution is similar.

Typical output in such a scenario:

make: /bin/sh: Operation not permitted

Description of problem and fix:
https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
Comment 4 Daniel Tröder univentionstaff 2023-03-24 17:20:07 CET
(In reply to Daniel Tröder from comment #3)
> On a side note: the same happens with 3.14+ Alpine Linux Docker images.
Because of this we cannot update the "ucsschool-api" app to a newer Python version, as that'd require us to update the Alpine base image.
We plan to replace the Alpine image with a Debian base image.
Then we'll land in this bug.
Comment 6 Julia Bremer univentionstaff 2023-03-28 19:56:13 CEST
010a69486d fixup! Bug #55360: Import buster-backport version of libseccomp
07380bc0e0 Bug #55360: Import buster-backport version of libseccomp

Imported libseccomp from buster backports
Successful build
Package: libseccomp
Version: 2.5.1-1~bpo10+1A~5.0.0.202303281914
Branch: ucs_5.0-0
Scope: errata5.0-3

I added an MR that adjusts the appcenter's custom seccomp rules.
WARNING: They are only applied to single container apps.
Compose apps need to add

security_opt:
  - seccomp:/etc/docker/seccomp-systemd.json

to the compose file to allow clone3 and faccessat2 to their seccomp rules.
Comment 7 Daniel Tröder univentionstaff 2023-03-29 08:56:34 CEST
Nice.
Does this also work for 3.14+ Alpine Linux Docker images?
Comment 8 Julia Bremer univentionstaff 2023-03-29 18:27:06 CEST
8173c6a139 (HEAD -> 5.0-3, origin/5.0-3) Bug #55360: update yaml
cb1f5f4360 (origin/jbremer/55360_seccomp_rules, jbremer/55360_seccomp_rules) Bug #55360: changelog and yaml
a169fecddc Bug #55360: Add clone3 and faccesstat2 as default to the appcenter seccomp rules
010a69486d fixup! Bug #55360: Import buster-backport version of libseccomp
07380bc0e0 Bug #55360: Import buster-backport version of libseccomp

Successful build
Package: univention-docker
Version: 5.0.4-2A~5.0.0.202303291821
Branch: ucs_5.0-0
Scope: errata5.0-3

Successful build
Package: libseccomp
Version: 2.5.1-1~bpo10+1A~5.0.0.202303281914
Branch: ucs_5.0-0
Scope: errata5.0-3
Comment 10 Felix Botner univentionstaff 2023-03-29 21:15:23 CEST
OK - libseccomp.yaml
OK - univention-docker.yaml

quay.io/keycloak/keycloak:21.0.1 can be started.