Univention Bugzilla – Bug 57093
Default docker seccomp rules are not sufficient for images that use glibc >=2.34
Last modified: 2024-02-28 11:39:01 CET
+++ This bug was initially created as a clone of Bug #55360 +++

In Bug #55360 we added the syscalls clone3 and faccessat2 to /etc/docker/seccomp-systemd.json, so that docker images using glibc >=2.34 can be started when using this seccomp profile. This seccomp profile is given to (single-container) apps by the appcenter. Every multi-container app still needs to specify the seccomp profile manually to work. On docker build, the default (not sufficient) seccomp rules are used and building docker images fails.

We could define our /etc/docker/seccomp-systemd.json as the default seccomp profile in the docker daemon, then we wouldn't get any issues about that.

If someone experiences weird problems using "newer" containers on 5.0, doing this helps to mitigate these issues:

    ucr set docker/daemon/default/json='{"seccomp-profile": "/etc/docker/seccomp-systemd.json"}'
    systemctl restart docker.service
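The script below is an added example, not Univention's code and not part of this bug report. It parses a seccomp profile in Docker's JSON format ("defaultAction" plus a "syscalls" list of rules with "names" and "action"), reports which of the syscalls glibc >=2.34 needs (clone3 and faccessat2, the two named above) the profile would block, appends an SCMP_ACT_ALLOW rule for them, and builds the daemon.json fragment that the ucr command above stores. The sample profile OLD_PROFILE is constructed for the example; the function names and the decision to treat capability-gated rules ("includes") as not allowed are the example's own assumptions.

```python
import json
from copy import deepcopy
from typing import Dict, Iterable, List, Set

# Syscalls glibc >= 2.34 relies on that older Docker default profiles do not
# allow (the two named in the bug report).
REQUIRED_FOR_GLIBC_2_34 = ("clone3", "faccessat2")


def allowed_syscalls(profile: Dict) -> Set[str]:
    """Names the profile unconditionally allows.

    Docker profiles list rules as {"names": [...], "action": "...", ...}.
    Rules carrying an "includes" block (capabilities or arches) are only
    conditionally allowed, so this conservative check skips them.
    """
    allowed: Set[str] = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes"):
            continue
        allowed.update(rule.get("names", []))
    return allowed


def missing_syscalls(profile: Dict,
                     required: Iterable[str] = REQUIRED_FOR_GLIBC_2_34) -> List[str]:
    """Required syscalls this profile would block.

    A profile whose defaultAction is SCMP_ACT_ALLOW blocks nothing by
    default, so nothing is reported as missing for it.
    """
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return []
    allowed = allowed_syscalls(profile)
    return [name for name in required if name not in allowed]


def add_syscalls(profile: Dict, names: Iterable[str]) -> Dict:
    """Copy of profile with an allow rule appended for names not yet allowed."""
    amended = deepcopy(profile)  # never mutate the caller's profile
    missing = [n for n in names if n not in allowed_syscalls(amended)]
    if missing:
        amended.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []}
        )
    return amended


def daemon_json_for(profile_path: str) -> str:
    """daemon.json content that makes profile_path the daemon-wide default.

    This is the JSON the bug report stores in the UCR variable
    docker/daemon/default/json.
    """
    return json.dumps({"seccomp-profile": profile_path})


# Constructed sample (assumption, not a real Docker profile): allows a few
# common syscalls but predates glibc 2.34, so clone3 and faccessat2 are absent.
OLD_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "faccessat", "clone"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # Capability-gated rule, as Docker's default profile uses for ptrace.
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}


if __name__ == "__main__":
    print("missing:", missing_syscalls(OLD_PROFILE))
    fixed = add_syscalls(OLD_PROFILE, REQUIRED_FOR_GLIBC_2_34)
    print("missing after fix:", missing_syscalls(fixed))
    print("daemon.json:", daemon_json_for("/etc/docker/seccomp-systemd.json"))
```

To check a real profile, load /etc/docker/seccomp-systemd.json with json.load and pass the result to missing_syscalls; after changing the daemon default, restart docker.service as the report describes.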