Some of you may be aware of: https://pagure.io/fedora-infrastructure/issue/10145
TLDR: some new syscalls in f35+ make docker in our OSBS cluster fail some new syscalls. This means we have had no new f35/rawhide based OSBS containers built.
Note that the base and minimal base are built a different way in rawhide/branched composes, so we have those, we just don't have any OSBS builds. Also it's not affecting flatpaks (yet) because those are built against f34 currently.
Internally, Red Hat has a docker package that disables seccomp for docker build. Docker has no option for this without patching. OpenShift 3.11 (and also thus OSBS) default to seccomp off, but they can't do that at build time currently.
So, I would like to:
* Make sure it's ok for us to use that internal docker build.
  (If it's not I guess we get to hack up that seccomp disable patch ourselves).
* Apply it on our OSBS nodes.
Our aarch64 nodes are fedora 33, and I don't think they are affected by this, but I am not sure (if someone seeing this could make sure one way or another that would be great, I will also ask in the bug).
Anyhow, can I get +1's to update docker and adjust its startup unit to run builds with no seccomp to work around this issue?
kevin
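The request above is to disable seccomp for docker build outright. The narrower option a reviewer would normally ask about is to find out which syscalls the default profile blocks and allow just those. The following is an added example, not code from the Fedora infrastructure team, Docker or OSBS: it parses a Docker-style seccomp profile (the JSON shape with `defaultAction` and a `syscalls` list of `names`/`action` rules), reports which of a list of needed syscalls fall through to the default error action, and produces an amended profile that allows only those. The embedded profile is a constructed stand-in for the much longer real default profile, and the syscall names checked (`clone3`, `faccessat2`) are real Linux syscalls used here purely as illustrations; the thread does not name the syscalls that broke the f35 builds.

```python
"""Check a Docker-style seccomp profile against a list of needed syscalls and
build an amended profile that allows only those, as a narrower alternative to
turning seccomp off for builds. Added example; not Fedora infra or Docker code."""
import json
from copy import deepcopy

# Constructed minimal profile in the shape Docker/moby uses. The real default
# profile lists hundreds of syscalls; this stand-in is enough to show the logic.
SAMPLE_PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "clone", "execve", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
"""

# Syscalls a hypothetical newer userland needs. Real syscall names, but chosen
# here as illustrations only; they are not taken from the thread.
NEEDED_SYSCALLS = ["read", "clone3", "faccessat2", "ptrace"]


def load_profile(text):
    """Parse profile JSON into a dict."""
    return json.loads(text)


def effective_action(profile, syscall):
    """Return the action the profile applies to `syscall`.

    The first rule naming the syscall wins; a syscall named nowhere gets the
    profile's defaultAction. With SCMP_ACT_ERRNO as default, a program that
    probes a new syscall and expects ENOSYS from an older kernel instead gets
    the profile's error, which is how a build can fail on an unlisted syscall.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule.get("action", profile["defaultAction"])
    return profile["defaultAction"]


def missing_syscalls(profile, needed):
    """Return the syscalls in `needed` that the profile does not allow."""
    return [s for s in needed if effective_action(profile, s) != "SCMP_ACT_ALLOW"]


def allow_syscalls(profile, names):
    """Return a copy of the profile with exactly `names` allowed.

    The names are removed from any existing rule first, so the outcome does
    not depend on rule order; everything else the profile denies stays denied.
    """
    wanted = set(names)
    amended = deepcopy(profile)
    rules = amended.setdefault("syscalls", [])
    for rule in rules:
        rule["names"] = [n for n in rule.get("names", []) if n not in wanted]
    amended["syscalls"] = [r for r in rules if r["names"]]
    amended["syscalls"].append({"names": sorted(wanted), "action": "SCMP_ACT_ALLOW"})
    return amended


def narrow_fix(profile_json, needed):
    """Report what is missing and return (missing, amended profile dict)."""
    profile = load_profile(profile_json)
    missing = missing_syscalls(profile, needed)
    # ptrace is kept denied here on purpose: it is explicitly blocked by the
    # profile rather than merely unlisted, so we only allow the unlisted ones.
    unlisted = [s for s in missing
                if effective_action(profile, s) == profile["defaultAction"]
                and not any(s in r.get("names", []) for r in profile["syscalls"])]
    return missing, allow_syscalls(profile, unlisted)


if __name__ == "__main__":
    missing, amended = narrow_fix(SAMPLE_PROFILE_JSON, NEEDED_SYSCALLS)
    print("blocked by profile:", missing)
    print(json.dumps(amended, indent=2))
```

Feeding the amended profile to the daemon, rather than running builds unconfined, keeps the rest of the deny list in force; the example deliberately leaves an explicitly denied syscall (`ptrace` in the sample) denied and only opens up syscalls the profile never mentions.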
On Tue, Sep 07, 2021 at 03:06:45PM -0700, Kevin Fenzi wrote:
Some of you may be aware of: https://pagure.io/fedora-infrastructure/issue/10145
TLDR: some new syscalls in f35+ make docker in our OSBS cluster fail some new syscalls. This means we have had no new f35/rawhide based OSBS containers built.
Note that the base and minimal base are built a different way in rawhide/branched composes, so we have those, we just don't have any OSBS builds. Also it's not affecting flatpaks (yet) because those are built against f34 currently.
Internally, Red Hat has a docker package that disables seccomp for docker build. Docker has no option for this without patching. OpenShift 3.11 (and also thus OSBS) default to seccomp off, but they can't do that at build time currently.
So, I would like to:
- Make sure it's ok for us to use that internal docker build.
(If it's not I guess we get to hack up that seccomp disable patch ourselves).
- Apply it on our OSBS nodes.
Our aarch64 nodes are fedora 33, and I don't think they are affected by this, but I am not sure (if someone seeing this could make sure one way or another that would be great, I will also ask in the bug).
Anyhow, can I get +1's to update docker and adjust its startup unit to run builds with no seccomp to work around this issue?
+1 for me
P.Yves
On Tue, Sep 7, 2021 at 11:07 PM Kevin Fenzi kevin@scrye.com wrote:
Some of you may be aware of: https://pagure.io/fedora-infrastructure/issue/10145
TLDR: some new syscalls in f35+ make docker in our OSBS cluster fail some new syscalls. This means we have had no new f35/rawhide based OSBS containers built.
Note that the base and minimal base are built a different way in rawhide/branched composes, so we have those, we just don't have any OSBS builds. Also it's not affecting flatpaks (yet) because those are built against f34 currently.
Internally, Red Hat has a docker package that disables seccomp for docker build. Docker has no option for this without patching. OpenShift 3.11 (and also thus OSBS) default to seccomp off, but they can't do that at build time currently.
So, I would like to:
- Make sure it's ok for us to use that internal docker build.
(If it's not I guess we get to hack up that seccomp disable patch ourselves).
- Apply it on our OSBS nodes.
Our aarch64 nodes are fedora 33, and I don't think they are affected by this, but I am not sure (if someone seeing this could make sure one way or another that would be great, I will also ask in the bug).
I'm pretty sure when I first investigated this the aarch64 builds were building successfully so that should be fine.
Anyhow, can I get +1's to update docker and adjust its startup unit to run builds with no seccomp to work around this issue?
+1 from me
+1 from me.
From: Kevin Fenzi kevin@scrye.com
Sent: Wednesday, September 8, 2021 1:06 AM
To: infrastructure@lists.fedoraproject.org
Subject: Freeze Break Request: OSBS docker
Some of you may be aware of: https://pagure.io/fedora-infrastructure/issue/10145
TLDR: some new syscalls in f35+ make docker in our OSBS cluster fail some new syscalls. This means we have had no new f35/rawhide based OSBS containers built.
Note that the base and minimal base are built a different way in rawhide/branched composes, so we have those, we just don't have any OSBS builds. Also it's not affecting flatpaks (yet) because those are built against f34 currently.
Internally, Red Hat has a docker package that disables seccomp for docker build. Docker has no option for this without patching. OpenShift 3.11 (and also thus OSBS) default to seccomp off, but they can't do that at build time currently.
So, I would like to:
* Make sure it's ok for us to use that internal docker build.
  (If it's not I guess we get to hack up that seccomp disable patch ourselves).
* Apply it on our OSBS nodes.
Our aarch64 nodes are fedora 33, and I don't think they are affected by this, but I am not sure (if someone seeing this could make sure one way or another that would be great, I will also ask in the bug).
Anyhow, can I get +1's to update docker and adjust its startup unit to run builds with no seccomp to work around this issue?
kevin