
I am trying to use a custom seccomp profile with the docker run command; however, I get the following error:

$ sudo docker run --rm -it --security-opt seccomp=/home/temp/default.json ubuntu
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall clone3: permission denied: unknown.
$ docker -v
Docker version 20.10.8, build 3967b7d

What would be the possible cause for this issue?

Note that I have modified the default seccomp profile file to enable the Linux perf tool (I followed this post).

user3862410
  • can you attach your file here, I will try to execute it on my end – Long Sep 15 '21 at 07:30
  • Please have it from here https://pastebin.com/YaqSz7va – user3862410 Sep 16 '21 at 08:25
  • Running well from my side, my version is `Docker version 20.10.7, build f0df350 ` – Long Sep 17 '21 at 05:41
  • Thanks for confirmation – user3862410 Sep 17 '21 at 19:38
  • I am seeing the exact same error with Docker 20.10.8, Ubuntu 18.04. I have worked around it by using a different seccomp configuration file - the one from [here](https://raw.githubusercontent.com/docker/labs/master/security/seccomp/seccomp-profiles/default.json) . Unfortunately, I cannot figure out exactly what is causing the issue with the first one... – Bogd Sep 30 '21 at 17:31
  • Getting the same issue with 20.10.7 – secavfr Nov 10 '21 at 22:50
  • I solved the same problem by removing `clone3` from the seccomp profile. – tom1299 Feb 12 '22 at 10:28
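As an added example (not part of the question, comments or answers), the following Python script takes the narrower route mentioned in the comments: it locates the rules in a Docker-format seccomp profile that mention clone3 and writes a copy with only that syscall removed, so the rest of the profile stays enforced rather than switching to seccomp=unconfined. The profile below is a constructed, abridged sample in the shape of Docker's default.json, not the file from the question.

```python
# Added example (not from the question or answers): find the rules of a
# Docker-format seccomp profile that mention a syscall (here clone3) and write
# a copy with only that syscall removed, keeping the rest of the profile
# enforced instead of falling back to seccomp=unconfined.
import json
from copy import deepcopy

# Constructed, abridged sample in the shape of Docker's default.json.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                 "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
    "syscalls": [
        {"names": ["read", "write", "clone", "perf_event_open"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},
    ],
}

def rules_mentioning(profile, syscall):
    """Indexes of the 'syscalls' rules whose names list includes syscall."""
    return [i for i, rule in enumerate(profile.get("syscalls", []))
            if syscall in rule.get("names", [])]

def drop_syscall(profile, syscall):
    """Copy of profile with syscall removed from every rule.
    A rule left with no names is dropped; the profile's defaultAction then
    governs that syscall, while every other rule is kept as it was."""
    out = deepcopy(profile)
    kept = []
    for rule in out.get("syscalls", []):
        rule["names"] = [n for n in rule.get("names", []) if n != syscall]
        if rule["names"]:
            kept.append(rule)
    out["syscalls"] = kept
    return out

def rewrite_profile(src_path, dst_path, syscall):
    """Read a profile JSON file and write the trimmed copy to dst_path."""
    with open(src_path) as f:
        profile = json.load(f)
    with open(dst_path, "w") as f:
        json.dump(drop_syscall(profile, syscall), f, indent=2)

if __name__ == "__main__":
    print("clone3 rules:", rules_mentioning(SAMPLE_PROFILE, "clone3"))
    print(json.dumps(drop_syscall(SAMPLE_PROFILE, "clone3"), indent=2))
```

Pass the trimmed file to `--security-opt seccomp=<path>`; the syscall you removed then falls under the profile's defaultAction, and every other rule is unchanged.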

3 Answers


Install or update runc:

sudo apt-get install runc
Fronto

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to limit the operations available in the container. The seccomp() system call puts the calling process into seccomp state. You can use this feature to restrict your application's access rights.

After docker exited abnormally, I can't seem to find the seccomp configuration file, so it can't start.

Solution: when starting docker, add

--security-opt seccomp=unconfined


You can use it to limit the operations available in the container. The seccomp() system call puts the calling process into seccomp state. I solved the issue by using this feature to limit the application's access rights.

Solution: start docker with

docker run --security-opt=seccomp:unconfined <id>

or in my docker-compose.yml:

version: '3'
services:
  my_app:
    build:
      args:
        APP_ENVIRONMENT: ${APP_ENVIRONMENT} 
        USERNAME: ${USERNAME}
        GID: ${GID}
        UID: ${UID}
        APP_MSSQL: ${APP_MSSQL}
        APP_PHP_VERSION_DEV: ${APP_PHP_VERSION_DEV}
        APP_AUTH_MS_PROFILE: ${APP_AUTH_MS_PROFILE}
        APP_NODE_URL: ${APP_NODE_URL}
      context: .
      dockerfile: Dockerfile.app
    image: "php:${APP_VERSION}"
    container_name: hero_app
    restart: unless-stopped
    tty: true
    security_opt:
      - seccomp:unconfined
    environment:
      SERVICE_NAME: my_app
      SERVICE_TAGS: dev
    working_dir: /var/www
    volumes:
      - ./src/app/:/var/www:Z