Re: [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)


Anuj Mittal
 

On Wed, 2022-02-16 at 10:22 +0100, Martin Jansa wrote:
Ubuntu patched their docker.io package shortly after upgrading to
glibc-2.34 in Ubuntu-21.10, see:
http://changelogs.ubuntu.com/changelogs/pool/universe/d/docker.io/docker.io_20.10.7-0ubuntu5~20.04.2/changelog

docker.io (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default seccomp
    policy (LP: #1943049).

 -- Lucas Kanashiro <kanashiro@...>  Fri, 10 Sep 2021 15:34:38 -0300

AFAIK Ubuntu isn't affected anymore, I've
updated https://bugzilla.yoctoproject.org/show_bug.cgi?id=1711 and
I'm fine with dropping the patch now (it was useful before, but now
distributions had enough time to prepare for 2.34 changes).
In case the uninative upgrade is merged in stable/LTS branches, it
might start showing failures for people building on older
distributions that aren't being updated any more.

Thanks,

Anuj


On Wed, Feb 16, 2022 at 9:31 AM hongxu <hongxu.jia@...>
wrote:
From upstream docker github [1]:
The issue was found in 20.10.7, and the fix was merged in v20.10.10-rc1 [2].
From the docker release notes, it was published in version 20.10.10 on
2021-10-25 [3].

In ubuntu 20.04.2, the docker version is 20.10.7 (20.10.7-0ubuntu1~20.04.2) [4].

From [5], Ubuntu 21.10 and Fedora 35 have the issue.

[1] https://github.com/moby/moby/issues/42680


[2] https://github.com/moby/moby/commit/6835d15f5523063f0a04a86d4810a637c6010d62



[3] https://docs.docker.com/engine/release-notes/#201010


[4] https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1948361


[5] https://pascalroeleven.nl/2021/09/09/ubuntu-21-10-and-fedora-35-in-docker/

//Hongxu
From: Khem Raj <raj.khem@...>
Sent: Wednesday, February 16, 2022 12:08 PM
To: Jia, Hongxu <Hongxu.Jia@...>
Cc: Richard Purdie <richard.purdie@...>;
openembedded-core@...
<openembedded-core@...>
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC) 


On Tue, Feb 15, 2022 at 6:28 PM Jia, Hongxu
<Hongxu.Jia@...> wrote:
Hi khem,

Upstream glibc rejected it because the latest docker has supported
it [1], and upstream glibc does not keep backward compatibility with
old docker [2].

In order to build Yocto with uninative in old docker, we need
this local patch.
How old is the docker, and I assume
it's some distribution needing it?

[1] https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594



[2] https://sourceware.org/pipermail/libc-alpha/2021-August/130590.html

//Hongxu
From: Khem Raj <raj.khem@...>
Sent: Wednesday, February 16, 2022 12:17 AM
To: Jia, Hongxu <Hongxu.Jia@...>
Cc: openembedded-core@...
<openembedded-core@...>; Richard Purdie
<richard.purdie@...>
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)


On Tue, Feb 15, 2022 at 12:25 AM Jia, Hongxu
<Hongxu.Jia@...> wrote:

On 2/9/22 06:53, Khem Raj wrote:

diff --git a/meta/recipes-core/glibc/glibc/0001-fix-create-
thread-failed-in-unprivileged-process-BZ-.patch b/meta/recipes-
core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-
process-BZ-.patch
deleted file mode 100644
index 3283dd7ad8a..00000000000
--- a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-
failed-in-unprivileged-process-BZ-.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17
00:00:00 2001
-From: Hongxu Jia <hongxu.jia@...>
-Date: Sun, 29 Aug 2021 20:49:16 +0800
-Subject: [PATCH] fix create thread failed in unprivileged
process [BZ #28287]
-
-Since commit [d8ea0d0168 Add an internal wrapper for clone,
clone2 and clone3]
-applied, start a unprivileged container (docker run without --
privileged),
-it creates a thread failed in container.
-
-In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER
is defined.  If
-__clone3 returns -1 with ENOSYS, fall back to clone or clone2.
-
-As known from [1], cloneXXX fails with EPERM if
CLONE_NEWCGROUP,
-CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or
CLONE_NEWUTS
-was specified by an unprivileged process (process without
CAP_SYS_ADMIN)
-
-[1] https://man7.org/linux/man-pages/man2/clone3.2.html
-
-So if __clone3 returns -1 with EPERM, fall back to clone or
clone2 could
-fix the issue. Here are the test steps:
-
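Review bot: Deleting this file drops the EPERM fallback its own header describes ("So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could fix the issue"), but the hunk records nothing about what replaces it; the upgrade's commit message should state the host requirement this introduces, namely a container runtime whose default seccomp profile allows clone3 (docker 20.10.10 or later, per this thread), so that people building with uninative in unprivileged containers on older distributions know why thread creation starts failing and what to update.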

Hi RP,


I found this local patch was removed from glibc, we have to get
it back and regenerate uninative to avoid the thread creation
failure in unprivileged containers.
I intentionally dropped it since upstream glibc will not accept this
patch, since it's not a glibc problem but rather a container runtime
problem. Can you investigate that path before we reapply it?
Maintaining a rejected patch is the last thing we want to do.


//Hongxu
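The mechanism the deleted patch header describes (glibc's clone wrapper falls back to clone()/clone2() only when clone3 returns ENOSYS, while a seccomp profile that denies clone3 with EPERM leaves thread creation failing) can be checked directly on a build host. The following C probe is an added example written for this page; it is not code from the thread, from glibc or from docker. It assumes a Linux host, and the __NR_clone3 fallback value 435 is the number from the kernel's unified syscall table, used only when the installed headers lack the macro. Calling clone3 with a zero-sized argument block makes the kernel reject the call with EINVAL before any process is created, so the probe has no side effects and its three outcomes map onto the cases discussed above.

```c
/* Added example (not from the thread): probe how the current environment
 * answers a clone3() call, to tell "syscall absent" (ENOSYS) apart from
 * "seccomp denied" (EPERM).  Upstream glibc falls back to clone() only on
 * ENOSYS; the dropped OE patch also fell back on EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_clone3
#define __NR_clone3 435   /* assumption: same number on every Linux arch */
#endif

/* Call clone3 with a zero-sized argument block.  If the syscall reaches the
 * kernel it is rejected with EINVAL before any process is created, so the
 * probe is side-effect free.  A seccomp filter that denies clone3 answers
 * EPERM (or ENOSYS) instead, and a kernel without clone3 answers ENOSYS.
 * Returns the errno value, or 0 if the call unexpectedly succeeded. */
int probe_clone3(void)
{
    long rc = syscall(__NR_clone3, NULL, (size_t)0);
    return rc == -1 ? errno : 0;
}

/* The three outcomes the thread talks about; anything else is unexpected. */
int probe_result_known(int err)
{
    return err == EINVAL || err == ENOSYS || err == EPERM;
}

/* Decide whether glibc's clone wrapper would fall back to clone()/clone2().
 * upstream (glibc >= 2.34): only ENOSYS triggers the fallback.
 * oe_patch_applied:         the dropped OE patch also treated EPERM as
 *                           "try clone()". */
int glibc_falls_back(int err, int oe_patch_applied)
{
    if (err == ENOSYS)
        return 1;
    if (err == EPERM && oe_patch_applied)
        return 1;
    return 0;
}

/* Human-readable verdict for someone checking a build container. */
const char *describe_clone3_result(int err)
{
    switch (err) {
    case EINVAL:
        return "clone3 allowed: the kernel reached clone3 and rejected the bogus size";
    case ENOSYS:
        return "clone3 absent or filtered with ENOSYS: glibc falls back to clone()";
    case EPERM:
        return "clone3 denied with EPERM: unpatched glibc >= 2.34 cannot create threads here";
    default:
        return "unexpected result";
    }
}

int main(void)
{
    int err = probe_clone3();
    printf("clone3 probe: errno=%d (%s)\n", err, err ? strerror(err) : "success");
    printf("%s\n", describe_clone3_result(err));
    printf("upstream glibc would fall back: %s; with the dropped OE patch: %s\n",
           glibc_falls_back(err, 0) ? "yes" : "no",
           glibc_falls_back(err, 1) ? "yes" : "no");
    return 0;
}
```

Run it inside the container used for the Yocto build: EINVAL means the runtime's seccomp profile lets clone3 through (docker 20.10.10 or later, per the thread), EPERM reproduces the condition the dropped patch worked around, and ENOSYS is the case upstream glibc already handles by falling back to clone().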

