Release Notes for Alpine 3.14.0: Difference between revisions

From Alpine Linux
No edit summary
No edit summary
Line 4: Line 4:
faccessat2 syscall has been enabled in musl. Due to [https://github.com/opencontainers/runc/issues/2151 runc issue 2151], new system calls incorrectly return EPERM instead of ENOSYS when invoked under a Docker or libseccomp version predating their release. Therefore, Alpine Linux 3.14.0 requires the host Docker to be version 20.10.0 (which contains [https://github.com/moby/moby/commit/a18139111d8a203bd211b0861c281ebe77daccd9 moby commit a181391]) or greater and the host libseccomp to be version 2.4.4 (which contains backported [https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01 libseccomp commit 5696c89]) or greater, compiled against Linux UAPI headers 5.8 (which contains faccessat2 syscall definition) or greater. libseccomp 2.5.0 and greater do not use Linux UAPI header definitions. [https://github.com/docker/for-win/issues/8326 Docker for Windows issue 8326] tracks the process of updating libseccomp in Docker for Windows.
faccessat2 syscall has been enabled in musl. Due to [https://github.com/opencontainers/runc/issues/2151 runc issue 2151], new system calls incorrectly return EPERM instead of ENOSYS when invoked under a Docker or libseccomp version predating their release. Therefore, Alpine Linux 3.14.0 requires the host Docker to be version 20.10.0 (which contains [https://github.com/moby/moby/commit/a18139111d8a203bd211b0861c281ebe77daccd9 moby commit a181391]) or greater and the host libseccomp to be version 2.4.4 (which contains backported [https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01 libseccomp commit 5696c89]) or greater, compiled against Linux UAPI headers 5.8 (which contains faccessat2 syscall definition) or greater. libseccomp 2.5.0 and greater do not use Linux UAPI header definitions. [https://github.com/docker/for-win/issues/8326 Docker for Windows issue 8326] tracks the process of updating libseccomp in Docker for Windows.


Therefore, as of writing, the following platforms are not suitable as Docker hosts for Alpine Linux 3.14.0, due to containing out-of-date libseccomp: Amazon Linux 1 or 2, CentOS 7 or 8, Debian stable (with or without backports), Raspbian stable, Ubuntu (any version), and Windows. This applies regardless of whether the Linux distribution Docker packages or separate Docker package repositories are used.
Therefore, as of writing, the following platforms are not suitable as Docker hosts for Alpine Linux 3.14.0, due to containing out-of-date libseccomp: Alpine Linux 3.12 and earlier, Amazon Linux 1 or 2, CentOS 7 or 8, Debian stable (with or without backports), Raspbian oldstable or stable, openSUSE Leap (any release), Ubuntu (any release), and Windows. This applies regardless of whether the Linux distribution Docker packages or separate Docker package repositories are used, as the Docker package repositories do not include libseccomp.


To check if your host libseccomp is faccessat2-compatible, invoke <code>scmp_sys_resolver faccessat2</code>. If 439 is returned, faccessat2 is supported. Note that Docker must still be at least version 20.10.0, regardless of the result of this command.
To check if your host libseccomp is faccessat2-compatible, invoke <code>scmp_sys_resolver faccessat2</code>. If 439 is returned, faccessat2 is supported. Note that Docker must still be at least version 20.10.0, regardless of the result of this command.


In order to run under old Docker or libseccomp versions, [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json the moby default seccomp profile] should be downloaded and on line 2, <code>defaultAction</code> changed to <code>SCMP_ACT_TRACE</code>, then <code>--seccomp-profile=default.json</code> can be passed to dockerd, or <code>--security-opt=seccomp=default.json</code> passed to <code>docker create</code> or <code>docker run</code>. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.
In order to run under old Docker or libseccomp versions, [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json the moby default seccomp profile] should be downloaded and on line 2, <code>defaultAction</code> changed to <code>SCMP_ACT_TRACE</code>, then <code>--seccomp-profile=default.json</code> can be passed to dockerd, or <code>--security-opt=seccomp=default.json</code> passed to <code>docker create</code> or <code>docker run</code>. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.

Revision as of 13:42, 27 January 2021

aports

faccessat2

faccessat2 syscall has been enabled in musl. Due to runc issue 2151, new system calls incorrectly return EPERM instead of ENOSYS when invoked under a Docker or libseccomp version predating their release. Therefore, Alpine Linux 3.14.0 requires the host Docker to be version 20.10.0 (which contains moby commit a181391) or greater and the host libseccomp to be version 2.4.4 (which contains backported libseccomp commit 5696c89) or greater, compiled against Linux UAPI headers 5.8 (which contains faccessat2 syscall definition) or greater. libseccomp 2.5.0 and greater do not use Linux UAPI header definitions. Docker for Windows issue 8326 tracks the process of updating libseccomp in Docker for Windows.

Therefore, as of writing, the following platforms are not suitable as Docker hosts for Alpine Linux 3.14.0, due to containing out-of-date libseccomp: Alpine Linux 3.12 and earlier, Amazon Linux 1 or 2, CentOS 7 or 8, Debian stable (with or without backports), Raspbian oldstable or stable, openSUSE Leap (any release), Ubuntu (any release), and Windows. This applies regardless of whether the Linux distribution Docker packages or separate Docker package repositories are used, as the Docker package repositories do not include libseccomp.

To check if your host libseccomp is faccessat2-compatible, invoke scmp_sys_resolver faccessat2. If 439 is returned, faccessat2 is supported. Note that Docker must still be at least version 20.10.0, regardless of the result of this command.

In order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, defaultAction changed to SCMP_ACT_TRACE, then --seccomp-profile=default.json can be passed to dockerd, or --security-opt=seccomp=default.json passed to docker create or docker run. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.