Re: [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)

Anuj Mittal

On Wed, 2022-02-16 at 10:22 +0100, Martin Jansa wrote:
Ubuntu patched their package shortly after upgrading to
glibc-2.34 in Ubuntu-21.10, see: (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-
policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default
    policy (LP: #1943049).

 -- Lucas Kanashiro <kanashiro@...>  Fri, 10 Sep 2021 15:34:38

AFAIK Ubuntu isn't affected anymore, I've
updated and
I'm fine with dropping the patch now (it was useful before, but now
distributions had enough time to prepare for 2.34 changes).
In case the uninative upgrade is merged in stable/LTS branches, it
might start showing up failures for people building on older
distributions that aren't being updated any more.



On Wed, Feb 16, 2022 at 9:31 AM hongxu <hongxu.jia@...>
From upstream docker github [1]
The issue was found in 20.10.7, the the fix was merged
in v20.10.10-rc1 [2]
From docker release notes, it was published in version 20.10.10 at

In ubuntu 20.04.2, the docker version is 20.10.7 (20.10.7-
0ubuntu1~20.04.2) [4],

From [5], Ubuntu 21.10 and Fedora 35 has the issue


seccomp filter breaks latest glibc (in fedora rawhide) by blocking
clone3 with EPERM · Issue #42680 · moby/moby · GitHub
Client: Version: 20.10.7 API version: 1.41 Go version: go1.16.6 Git
commit: f0df350 Built: Mon Jul 26 16:34:29 2021 OS/Arch:
linux/amd64 Context: default Experimental ...


[20.10] update containerd binary to v1.4.10 · moby/moby@6835d15
- Update runc to v1.0.2 - Update hcsshim to v0.8.21 - Support
&quot;clone3&quot; in default seccomp profile - Fix panic in
metadata content writer on copy error Signed-off-by: Sebastiaan van

Docker Engine release notes - Docker Documentation
Docker Engine release notes. This document describes the latest
changes, additions, known issues, and fixes for Docker Engine.
Note: The client and container runtime are now in separate packages
from the daemon in Docker Engine 18.09. Users should install and
update all three packages at the same time to get the latest patch

Bug #1948361 “ - error adding seccomp filter rule for s...
: Bugs : package : Ubuntu
Encountered the following error using the package in
focal-proposed running the autotest-client-
test/ubuntu_performance_deep_learning test. "docker: Error response
from daemon: failed to create shim: OCI runtime create failed:
container_linux.go:380: starting container process caused: error
adding seccomp filter rule for syscall clone3: permission denied:
unknown." This test essentially pulls down a nvidia tensorflow
docker container, runs the container and triggers the preloaded ...

Ubuntu 21.10 and Fedora 35 in Docker – Pascal Roeleven
Here I am, back again with another post which I think the internet
needs. It took me days to figure it out and I can’t imagine there
aren’t more people who are running into the same issue.

From: Khem Raj <raj.khem@...>
Sent: Wednesday, February 16, 2022 12:08 PM
To: Jia, Hongxu <Hongxu.Jia@...>
Cc: Richard Purdie <richard.purdie@...>;
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC) 
[Please note: This e-mail is from an EXTERNAL e-mail address]

On Tue, Feb 15, 2022 at 6:28 PM Jia, Hongxu
<Hongxu.Jia@...> wrote:
Hi khem,

Upstream glibc reject it because the latest docker has supported
it[1], and upstream glibc does not backward compatibility with
old docker[2]

In order to build Yocto with uninative in old docker, we need
this local patch
How old is the docker and I assume
It’s some distribution needing it ? 


seccomp: add support for "clone3" syscall in default policy ·
If no seccomp policy is requested, then the built-in default
policy in dockerd applies. This has no rule for
&quot;clone3&quot; defined, nor any default errno defined. So
when runc receives the con...


From: Khem Raj <raj.khem@...>
Sent: Wednesday, February 16, 2022 12:17 AM
To: Jia, Hongxu <Hongxu.Jia@...>
Cc: openembedded-core@...
<openembedded-core@...>; Richard Purdie
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35
[Please note: This e-mail is from an EXTERNAL e-mail address]

On Tue, Feb 15, 2022 at 12:25 AM Jia, Hongxu
<Hongxu.Jia@...> wrote:

On 2/9/22 06:53, Khem Raj wrote:

diff --git a/meta/recipes-core/glibc/glibc/0001-fix-create-
thread-failed-in-unprivileged-process-BZ-.patch b/meta/recipes-
deleted file mode 100644
index 3283dd7ad8a..00000000000
--- a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-
+++ /dev/null
@@ -1,79 +0,0 @@
-From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17
00:00:00 2001
-From: Hongxu Jia <hongxu.jia@...>
-Date: Sun, 29 Aug 2021 20:49:16 +0800
-Subject: [PATCH] fix create thread failed in unprivileged
process [BZ #28287]
-Since commit [d8ea0d0168 Add an internal wrapper for clone,
clone2 and clone3]
-applied, start a unprivileged container (docker run without --
-it creates a thread failed in container.
-In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER
is defined.  If
-__clone3 returns -1 with ENOSYS, fall back to clone or clone2.
-As known from [1], cloneXXX fails with EPERM if
-was specified by an unprivileged process (process without
-So if __clone3 returns -1 with EPERM, fall back to clone or
clone2 could
-fix the issue. Here are the test steps:

Hi RP,

I found this local patch was removed from glibc, we have to get
it back and regenerate uninative to avoid the thread creation
failure in  unprivileged container
I intentionally dropped it since upstream glibc will not accept
patch since its not glibc problem but
rather container runtime problem. Can you investigate that path
we reapply it. Maintaining a rejected patch is last thing we want


Join { to automatically receive all group messages.