Docker incompatibility with glibc-2.34

[lslezak]

Description

The Problem

Using glibc-2.34 in GitHub Actions Docker images results in strange "permission error" failures in the jobs.

This new glibc has been introduced in openSUSE Tumbleweed recently (see the announcement). That means all Docker images based on the latest openSUSE Tumbleweed might fail with some strange errors.

This is quite similar to a recent problem with the faccessat2 syscall used in glibc-2.33 (link).

The problem is already fixed in the upstream Docker (moby/moby#42681) and there is a backport in progress (moby/moby#42836). This patch should be applied in the Docker included in the GitHub Action virtual environment.

Temporary Workaround

I found out that using --privileged Docker option makes the GitHub Action work correctly,
e.g. put this into the GitHub Action file:

container:
  image: foo:bar
  options: --privileged

Virtual environments affected

• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 20.04
• macOS 10.15
• macOS 11
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022

Image version and build link

https://github.com/lslezak/github_action_test/actions/runs/1291119026

Is it regression?

Yes, the Docker images with older glibc-2.33 work just fine.

Expected behavior

No crashes in Docker.

Actual behavior

Strange crashes when "fork" syscall is used.

Repro steps

See a complete GitHub Action example in https://github.com/lslezak/github_action_test/blob/main/.github/workflows/ci.yml.

That contains two failing jobs (one failing in actions/checkout@v2 action, the other one in the zypper install command) and there is a working job which uses the --privileged workaround). See the build results.

[miketimofeev]

Hi @lslezak! Do you happen to know the exact docker version where the issue is fixed? I assume it will be 20.10.9 so all we can do here is to wait until the version is released

[lslezak]

I'm not involved in the Docker development, but that pull request is included in the 20.10.9 milestone so it should be fixed in that version.

[mafalb]

there is also an issue about fedora 35 #3812 - which is closed - but fedora 35 containers are still not working.

moby is used, not docker?
#3812 (comment)

[catthehacker]

moby is used, not docker?

Docker is just moby but released under different licence by Docker, Inc.

[catthehacker]

It seems that fix will land in 20.10.10, see moby/moby#42836 (comment)

[catthehacker]

https://github.com/moby/moby/releases/tag/v20.10.10

Add support for clone3 syscall in the default seccomp policy to support running
containers based on recent versions of Fedora and Ubuntu.

moby-engine:
  Installed: (none)
  Candidate: 20.10.10+azure-1
  Version table:
     20.10.10+azure-1 500
        500 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages
     20.10.9+azure-1 500
        500 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages
     20.10.8+azure-3 500
        500 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages

[MehdiChinoune]

An updated ubuntu-20.04 with a new docker-moby is rolling #4395

Docker-Moby Client 20.10.10+azure-1
Docker-Moby Server 20.10.10+azure-1

[miketimofeev]

@lslezak @MehdiChinoune the images with docker moby 20.10.10 have been deployed!
I'm going to close this issue, please feel free to contact us if you have any concerns.
Thank you!

[lslezak]

I have tested running a container without that --privileged workaround and it works fine with the latest image! Thank you! 👍