Univention Bugzilla – Bug 55360
Docker images that use glibc >=2.34 (e.g. debian bookworm based) don't function in UCS | docker seccomp rules are not sufficient
Last modified: 2024-02-28 11:39:01 CET
When trying to start an ubuntu jammy (debian bookworm based) docker image on UCS, strange things start to happen. Various segfaults and GPG errors during apt-get update etc. Most programs cannot run in this container. Many programs segfault. All docker images that use this glibc version will not work under UCS 5 (or UCS 4 for that matter).

The reason is that glibc >=2.34 uses a few "new" syscalls. At least the syscalls clone3 and faccessat2 are not allowed by either the default docker seccomp rules in our docker version (19.03.8-0ubuntu1.20.04.1A~5.0.0.202103251227) or by the custom seccomp profile our appcenter uses (/etc/docker/seccomp-systemd.json).

To fix this, we need to adjust the rules in /etc/docker/seccomp-systemd.json to allow at least clone3 and faccessat2. But there may be more syscalls that need to be added.

But even that is not completely sufficient. Our libseccomp2 version (2.3.3-4) doesn't "know" these syscalls yet. Adding rules to the seccomp profile does nothing. These syscalls have been added in libseccomp2 version 2.5, which can be installed from buster-backports.
https://packages.debian.org/buster-backports/amd64/libseccomp2/download

TL;DR
To fix this in UCS 5.0 we would need to backport the libseccomp2 version and adjust our /etc/docker/seccomp-systemd.json.
If we decide to wait for UCS 5.1, we still need to adjust our own seccomp rules in /etc/docker/seccomp-systemd.json.
Happens with keycloak version 21.0.2.

[0.044s][warning][os,thread] Failed to start thread "VM Thread" - pthread_create failed (EPERM) for attributes: stacksize: 1024k, guardsize: 4k, detached.
Error occurred during initialization of VM
Cannot create VM thread. Out of system resources.

After installing the buster backport version of libseccomp2 and adding the syscalls clone3, rseq and faccessat2 to the seccomp rules the container works.
This inhibits us from using the latest keycloak versions in UCS 5.0, including all the new security fixes from upstream. Therefore I mark this bug as a security issue.
On a side note: the same happens with 3.14+ Alpine Linux Docker images. The solution is similar.

Typical output in such a scenario:

make: /bin/sh: Operation not permitted

Description of problem and fix: https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
(In reply to Daniel Tröder from comment #3)
> On a side note: the same happens with 3.14+ Alpine Linux Docker images.

Because of this we cannot update the "ucsschool-api" app to a newer Python version, as that'd require us to update the Alpine base image. We plan to replace the Alpine image with a Debian base image. Then we'll land in this bug.
010a69486d fixup! Bug #55360: Import buster-backport version of libseccomp
07380bc0e0 Bug #55360: Import buster-backport version of libseccomp

Imported libseccomp from buster backports

Successful build
Package: libseccomp
Version: 2.5.1-1~bpo10+1A~5.0.0.202303281914
Branch: ucs_5.0-0
Scope: errata5.0-3

I added a MR that adjusts the appcenter's custom seccomp rules.

WARNING: They are only applied to single container apps. Compose apps need to add

security_opt:
  - seccomp:/etc/docker/seccomp-systemd.json

to the compose file to allow clone3 and faccessat2 in their seccomp rules.
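As an added illustration (not code from the bug or from the UCS appcenter), the following script checks a Docker seccomp profile in the JSON shape used by /etc/docker/seccomp-systemd.json for the syscalls named in this bug (clone3, faccessat2, rseq) and appends one SCMP_ACT_ALLOW rule for whichever are missing; the sample profile is constructed and minimal, and as comment #0 notes, such a rule only takes effect once the host libseccomp (>= 2.5) knows the syscall names.

```python
import json
import sys

# Syscalls glibc >= 2.34 relies on; comment #2 reports that allowing these
# three made the keycloak container start.
REQUIRED_SYSCALLS = ("clone3", "faccessat2", "rseq")

# Constructed, minimal profile in Docker's seccomp JSON layout; the real
# /etc/docker/seccomp-systemd.json is much longer.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "clone", "faccessat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"},
    ],
})


def allowed_syscalls(profile):
    """Return the set of syscall names the profile explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Newer profiles list several syscalls under "names"; older ones
        # carry a single "name" per rule. Accept both spellings.
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        allowed.update(names)
    return allowed


def missing_syscalls_in_text(text, required=REQUIRED_SYSCALLS):
    """Required syscalls that the profile text does not allow, sorted."""
    return sorted(set(required) - allowed_syscalls(json.loads(text)))


def patch_profile_text(text, required=REQUIRED_SYSCALLS):
    """Return (patched profile text, list of syscalls that were added)."""
    profile = json.loads(text)
    missing = sorted(set(required) - allowed_syscalls(profile))
    if missing:
        # One extra allow rule with no argument filter, mirroring the
        # appcenter change that added clone3 and faccessat2 by default.
        profile.setdefault("syscalls", []).append({
            "names": missing, "action": "SCMP_ACT_ALLOW", "args": [],
            "comment": "glibc >= 2.34 syscalls (Bug #55360)",
        })
    return json.dumps(profile, indent=2), missing


if __name__ == "__main__":
    # Usage: python3 patch_seccomp.py [/etc/docker/seccomp-systemd.json]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    patched, added = patch_profile_text(src)
    print(patched)
    print("added allow rule for:", added or "nothing", file=sys.stderr)
```

Write the printed profile to a new file and point Docker (or a compose service's security_opt) at it rather than editing the shipped profile in place, so a package update cannot silently revert the change.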
Nice. Does this also work for 3.14+ Alpine Linux Docker images?
8173c6a139 (HEAD -> 5.0-3, origin/5.0-3) Bug #55360: update yaml
cb1f5f4360 (origin/jbremer/55360_seccomp_rules, jbremer/55360_seccomp_rules) Bug #55360: changelog and yaml
a169fecddc Bug #55360: Add clone3 and faccesstat2 as default to the appcenter seccomp rules
010a69486d fixup! Bug #55360: Import buster-backport version of libseccomp
07380bc0e0 Bug #55360: Import buster-backport version of libseccomp

Successful build
Package: univention-docker
Version: 5.0.4-2A~5.0.0.202303291821
Branch: ucs_5.0-0
Scope: errata5.0-3

Successful build
Package: libseccomp
Version: 2.5.1-1~bpo10+1A~5.0.0.202303281914
Branch: ucs_5.0-0
Scope: errata5.0-3
OK - libseccomp.yaml
OK - univention-docker.yaml

quay.io/keycloak/keycloak:21.0.1 can be started.
<https://errata.software-univention.de/#/?erratum=5.0x637>
<https://errata.software-univention.de/#/?erratum=5.0x638>