Testing as-is
(remember to clean old images if you have tested the PPA on the same system before)
$ docker system prune -a

... Test steps ...
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 60210feb0c2e
test-file: Operation not permitted
statx(test-file) = -1
The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1

Fails as expected

Upgrading to libseccomp2 from proposed
$ sudo apt install libseccomp2/bionic-proposed
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Selected version '2.3.1-2.1ubuntu4.1' (Ubuntu:18.04/bionic-proposed [amd64]) 
for 'libseccomp2'
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  libseccomp-dev
The following packages will be upgraded:
  libseccomp-dev libseccomp2
2 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.
Need to get 96.9 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 
libseccomp-dev amd64 2.3.1-2.1ubuntu4.1 [57.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libseccomp2 
amd64 2.3.1-2.1ubuntu4.1 [39.1 kB]
Fetched 96.9 kB in 0s (755 kB/s)  
(Reading database ... 102759 files and directories currently installed.)
Preparing to unpack .../libseccomp-dev_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
Setting up libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...


Retest the case:
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 3b7450662773
statx(test-file) = 0
results=fff
  Size: 0               Blocks: 0          IO Block: 4096    regular file
Device: 00:31           Inode: 261790      Links: 1    
Access: (0644/-rw-r--r--)  Uid:     0   Gid:     0
Access: 2019-02-28 09:38:56.000000000+0000
Modify: 2019-02-28 09:38:56.000000000+0000
Change: 2019-02-28 09:38:56.266396084+0000
 Birth: 2019-02-28 09:38:56.266396084+0000
Attributes: 0000000000000000 (........ ........ ........ ........ ........ 
........ ....-... .---.-..)
Removing intermediate container 3b7450662773
 ---> c381bca61860
Successfully built c381bca61860


Thereby setting verified

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1755250

Title:
  backport statx syscall whitelist fix

Status in docker.io package in Ubuntu:
  Invalid
Status in libseccomp package in Ubuntu:
  Fix Released
Status in docker.io source package in Bionic:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Committed
Status in docker.io source package in Cosmic:
  Invalid
Status in libseccomp source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * Some newer workloads fail due to libseccomp in Bionic lacking statx
  support

   * This backports the syscall definitions for statx to Bionic to allow
  managing those

  [Test Case]

  # Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much
  $ sudo apt install docker.io
  $ sudo usermod -a -G docker ubuntu
  $ mkdir test-statx
  $ cat > test-statx/Dockerfile << EOF
  FROM ubuntu:18.04
  RUN apt-get update && apt-get install -y wget gcc
  WORKDIR /tmp
  RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
  RUN gcc test-statx.c -o test-statx
  RUN touch test-file
  RUN chmod +x ./test-statx
  RUN ./test-statx test-file
  EOF
  $ docker build test-statx

  With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that yields

  [...]
  Step 8/8 : RUN ./test-statx test-file
   ---> Running in 6e60a82409e6
  test-file: Operation not permitted
  statx(test-file) = -1
  The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1

  With the fix applied it would work and look like:
  Step 8/8 : RUN ./test-statx test-file
   ---> Running in a83bc043e7bd
  statx(test-file) = 0
  results=fff
    Size: 0               Blocks: 0          IO Block: 4096    regular file
  Device: 00:32           Inode: 261994      Links: 1    
  Access: (0644/-rw-r--r--)  Uid:     0   Gid:     0
  Access: 2019-02-08 07:57:42.000000000+0000
  Modify: 2019-02-08 07:57:42.000000000+0000
  Change: 2019-02-08 07:57:43.076507007+0000
   Birth: 2019-02-08 07:57:43.076507007+0000
  Attributes: 0000000000000000 (........ ........ ........ ........ ........ 
........ ....-... .---.-..)
  Removing intermediate container a83bc043e7bd
   ---> d428d14cbc57
  Successfully built d428d14cbc57

  
  [Regression Potential]

   * This "only" defines a new syscall number for all the architectures.
  It does not make any other changes, thereby it should be rather safe.
  If anything, software could now manage statx through libseccomp, and
  behavior that was formerly failing (like the reported docker case)
  would now succeed and due to that be a change in behavior - but I
  think it is a wanted change.

  [Other Info]

   * n/a

  ---

  
  Hello maintainer,

  The Docker version 17.03 (bionic) in Ubuntu doesn't allow the statx syscall,
  which is needed to build Qt >=5.10 applications:
  https://github.com/docker/for-linux/issues/208#issuecomment-372400859

  Could this fix be backported to the Ubuntu package?
  https://github.com/moby/moby/pull/36417

  regards,
  xan.
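The failure mode in this report is worth seeing as logic rather than as a stack of build logs: the container runtime hands every syscall name in the seccomp profile to libseccomp to be turned into a number, a name the installed libseccomp cannot resolve never becomes a filter rule, and the call then falls through to the profile's defaultAction (EPERM in Docker's default profile). The script below is an added example, not code from Docker, runc, libseccomp or the bug's author. It models that resolution step over a constructed, cut-down profile and two constructed name tables standing in for the pre-fix and fixed Bionic libseccomp, and, when run as a script on a host that has libseccomp installed, also probes the real library through its `seccomp_syscall_resolve_name()` C API via ctypes so an operator can list the names in a profile that will silently hit defaultAction on that host.

```python
"""Audit a Docker/OCI seccomp profile for syscall names the installed
libseccomp cannot resolve.

Added example for this bug report; not code from Docker, runc or libseccomp.
The runtime passes each syscall *name* in the profile to libseccomp, which
maps it to a number. A name the installed libseccomp does not know never
becomes a filter rule, so the call falls through to defaultAction. With
Bionic's pre-fix libseccomp that is exactly what happened to statx.
"""
import ctypes
import ctypes.util
import json

# Constructed, cut-down profile in the shape of Docker's default seccomp
# profile: a default of EPERM plus an allow-list of names.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "fstat", "statx", "close"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})

# Constructed stand-ins for the resolver's syscall table (assumption: the
# pre-fix Bionic libseccomp knows all of these except statx; the fix adds it).
OLD_LIBSECCOMP_NAMES = frozenset({"read", "write", "openat", "fstat", "close"})
NEW_LIBSECCOMP_NAMES = OLD_LIBSECCOMP_NAMES | {"statx"}


def allowed_names(profile_json):
    """Syscall names the profile explicitly sets to SCMP_ACT_ALLOW."""
    names = set()
    for rule in json.loads(profile_json).get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names.update(rule.get("names", []))
        if "name" in rule:          # older single-name rule form
            names.add(rule["name"])
    return names


def effective_action(profile_json, syscall, known_names):
    """Model what is actually enforced for one syscall name.

    known_names is the set of names the installed libseccomp can resolve.
    An allow rule only takes effect if the name resolves; otherwise the
    syscall inherits defaultAction no matter what the profile says.
    """
    if syscall in allowed_names(profile_json) and syscall in known_names:
        return "SCMP_ACT_ALLOW"
    return json.loads(profile_json)["defaultAction"]


def unresolvable_names(profile_json, known_names):
    """Allowed names that will silently hit defaultAction on this libseccomp."""
    return sorted(allowed_names(profile_json) - known_names)


def host_known_names(candidates):
    """Probe the real libseccomp (if installed) for each candidate name.

    Uses seccomp_syscall_resolve_name(), which returns a negative value
    for names it cannot map. Returns None when libseccomp is not present
    or cannot be loaded, so callers can fall back to a constructed table.
    """
    path = ctypes.util.find_library("seccomp")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    return {n for n in candidates
            if lib.seccomp_syscall_resolve_name(n.encode()) >= 0}


if __name__ == "__main__":
    for label, table in (("pre-fix libseccomp", OLD_LIBSECCOMP_NAMES),
                         ("fixed libseccomp", NEW_LIBSECCOMP_NAMES)):
        print(f"{label}: unresolvable={unresolvable_names(SAMPLE_PROFILE, table)}, "
              f"statx -> {effective_action(SAMPLE_PROFILE, 'statx', table)}")
    host = host_known_names(allowed_names(SAMPLE_PROFILE))
    if host is not None:
        print(f"this host: unresolvable={unresolvable_names(SAMPLE_PROFILE, host)}")
```

With the constructed tables, `statx` resolves to `SCMP_ACT_ERRNO` under the pre-fix table and to `SCMP_ACT_ALLOW` under the fixed one, which is the difference between the two `test-statx` runs quoted in the report. The ctypes probe runs only when the file is executed directly; point `SAMPLE_PROFILE` at a real profile (for example the runtime's default profile JSON) to get the host-specific list of names that will fall through to defaultAction before anyone starts chasing a phantom EPERM.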
