Your message dated Fri, 15 Apr 2022 17:19:36 -0400
with message-id 
<caj0cceaqg0sz5eaibpcjyj0up6qqoumogty9t7km6rs8tyx...@mail.gmail.com>
and subject line Stable update should fix this as well
has caused the Debian Bug report #1005258,
regarding podman: current podman version does not pass seccomp options to 
buildah
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1005258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: podman
Version: 3.0.1+dfsg1-3+b2
Severity: important
X-Debbugs-Cc: lbckmnn+...@mailbox.org

Dear Maintainer,

the current version of podman in bullseye has two problems:

1) the seccomp policy is missing the CLONE3 syscall (this is already addressed 
in #995777).
2) seccomp options (e.g. --security-opt seccomp=unconfined) seem not to be passed 
to buildah. 

The first problem can be bypassed by placing a seccomp.json which allows CLONE3 
in /etc/containers/seccomp.json
The second problem makes it impossible to build containers using CLONE3 
syscalls.

Minimal example:
Containerfile:
FROM quay.io/podman/stable
RUN dnf update

running "podman build ." fails because dnf update uses a CLONE3 syscall.
The problem is, running "podman build --security-opt seccomp=unconfined ." also 
fails, even though seccomp should be disabled.

building the image directly with buildah succeeds: 
"buildah bud --security-opt seccomp=unconfined -t podman-test ."

Placing a seccomp.json which allows CLONE3 in /etc/containers/seccomp.json is 
also not respected by podman build.

See https://github.com/containers/buildah/issues/3776 for further information



-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii  conmon                           2.0.25+ds1-1.1
ii  containernetworking-plugins      0.9.0-1+b6
ii  crun                             0.17+dfsg-1
ii  golang-github-containers-common  0.33.4+ds1-1
ii  init-system-helpers              1.60
ii  iptables                         1.8.7-1
ii  libc6                            2.31-13+deb11u2
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.1-1+deb11u1

Versions of packages podman recommends:
ii  buildah                                           1.19.6+dfsg1-1+b6
ii  catatonit                                         0.1.5-2
ii  fuse-overlayfs                                    1.4.0-1
ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b7
ii  slirp4netns                                       1.0.1-2
ii  uidmap                                            1:4.8.1-1

Versions of packages podman suggests:
pn  containers-storage  <none>
pn  docker-compose      <none>

-- no debconf information

--- End Message ---
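The workaround the reporter describes (dropping a seccomp.json that allows clone3 into /etc/containers/seccomp.json) is easy to get subtly wrong by hand, because a syscall name can appear in a group that is gated by an argument filter or a capability "includes" clause and still not be allowed in practice. The following script is an added example, not code from the bug report, from podman or from the containers project: it checks whether a profile in the OCI/containers seccomp.json layout unconditionally allows a given syscall and, if not, appends an auditable allow rule for it. SAMPLE_PROFILE is a constructed miniature that deliberately omits clone3, standing in for the bullseye default profile; the field names (defaultAction, syscalls, names, action, args, includes, excludes) are the ones the real profile format uses, but the sample's contents are invented. As the report notes, the podman build path in that version ignored the file entirely, so the result is only useful where the profile is actually consulted.

```python
import copy
import json

# Constructed sample in the OCI/containers seccomp.json layout. It mimics the
# shape of the default profile (deny by default, allow-lists of syscalls, some
# groups gated on capabilities) but its contents are invented for this example.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["clone", "execve", "read", "write", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        },
        {
            # Allowed only when the container holds CAP_SYS_ADMIN: not an
            # unconditional allow, so it must not count as "allowed".
            "names": ["unshare"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
        {
            # Allowed only for one argument value: also conditional.
            "names": ["personality"],
            "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}],
        },
    ],
}


def unconditional_allow_rules(profile):
    """Yield syscall groups that allow without any condition: action is
    SCMP_ACT_ALLOW, no argument filters, no includes/excludes gating."""
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args"):
            continue
        if rule.get("includes") or rule.get("excludes"):
            continue
        yield rule


def is_allowed(profile, syscall):
    """True if `syscall` is always permitted by this profile."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return True
    return any(
        syscall in rule.get("names", []) for rule in unconditional_allow_rules(profile)
    )


def allow_syscall(profile, syscall):
    """Return a deep copy of `profile` in which `syscall` is unconditionally
    allowed. A dedicated rule is appended rather than editing an existing
    group, so the change shows up as one obvious block in a diff of
    /etc/containers/seccomp.json. Idempotent: an already-allowed syscall
    leaves the profile unchanged."""
    patched = copy.deepcopy(profile)
    if is_allowed(patched, syscall):
        return patched
    patched.setdefault("syscalls", []).append(
        {"names": [syscall], "action": "SCMP_ACT_ALLOW", "args": []}
    )
    return patched


def patch_profile_file(src_path, dst_path, syscalls):
    """Read a seccomp.json from src_path, allow every name in `syscalls`, and
    write the result to dst_path (e.g. a copy of the distro profile written to
    /etc/containers/seccomp.json). Returns the names that were newly added."""
    with open(src_path, "r", encoding="utf-8") as fh:
        profile = json.load(fh)
    added = []
    for name in syscalls:
        if not is_allowed(profile, name):
            profile = allow_syscall(profile, name)
            added.append(name)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(profile, fh, indent=2)
        fh.write("\n")
    return added


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; no files are touched.
    for name in ("clone", "clone3", "unshare", "personality"):
        print(f"{name:12s} allowed={is_allowed(SAMPLE_PROFILE, name)}")
    patched = allow_syscall(SAMPLE_PROFILE, "clone3")
    print("after patch  clone3 allowed=", is_allowed(patched, "clone3"))
```

Run it against a copy of the distribution profile with patch_profile_file("/usr/share/containers/seccomp.json", "/etc/containers/seccomp.json", ["clone3"]) if that is where your distribution ships the default (paths are assumptions; check with dpkg -L golang-github-containers-common), then confirm the container runtime actually consults the file before relying on it.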
--- Begin Message ---
Version: 3.0.1+dfsg1-3+b2

To the best of my understanding, the changes made for fixing #995777 also
address the concerns raised in this bug.

Please follow up with clarifications and further questions as necessary.



-- 
regards,
    Reinhard

--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
Pkg-go-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers