This repository has been archived by the owner on May 12, 2021. It is now read-only.

seccomp: initrd: failing to get initrd seccomp images to boot #194

Closed
grahamwhaley opened this issue Nov 6, 2018 · 3 comments

@grahamwhaley
Contributor

I'm trying to enable seccomp with an initrd image (so I can compare any metrics changes etc.).
I'm having trouble getting it working. I got a ClearLinux .img seccomp to work, but so far I've failed to boot either an Alpine or Fedora-based initrd with seccomp enabled (in the agent Makefile, built using osbuilder). I can boot both of those initrds fine if I don't enable seccomp.

Note, right now I don't even have the runtime seccomp PR (kata-containers/runtime#689) enabled.

I don't get a lot of debug output here, I guess probably as the agent has failed to start:

docker run --rm -ti --runtime=kata-runtime busybox sh
docker: Error response from daemon: OCI runtime create failed: Failed to check if grpc server is working: rpc error: code = Unavailable desc = transport is closing: unknown.
ERRO[0020] error waiting for container: context canceled

# journalctl --reverse
...

Nov 06 19:54:33 bignuc kata-runtime[25902]: time="2018-11-06T19:54:33.365211571Z" level=error msg="Failed to check if grpc server is working: rpc error: code = Unavailable desc = transport

AFAIK, this has worked - as referenced over on kata-containers/agent#353 (comment)

Any input welcome. Any thoughts welcome. Any hints on debugging an agent failing to start as init welcome. @jodh-intel - did you see something like this recently when doing trace? @jcvenegas not sure if you will have input here. @nitkon as you wrote the seccomp stuff.

I'm pretty sure I don't need to have kata-containers/runtime#689 enabled in the runtime to add seccomp to the agent (I don't for .img rootfs), but I'll go try that now for initrd just in case....

@grahamwhaley
Contributor Author

OK, I tried with the runtime PR in/out again - looks like I booted without kata-containers/runtime#689 applied, and not with it applied. Summary, I still see some sort of seccomp issue with initrd.

@grahamwhaley
Contributor Author

OK, thanks @jodh-intel for reminding me to turn on debug in the runtime config file :-)
I now get a kernel panic/dump/reboot in the proxy logs. The pertinent line probably being:

"/init: error while loading shared libraries: libseccomp.so.2: cannot open shared object file:

Some debug to do then - afaict, osbuilder is installing the seccomp libs, so now I'll have to go rootle around the rootfs to see what is actually there....
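
A way to run the rootfs check mentioned above without booting the image, as an added example that is not part of the original thread or of osbuilder: it lists the entries of an initrd and reports which required shared libraries are absent. It assumes the initrd is a gzip-compressed cpio archive in "newc" format; the function names and the sample archives are constructed for illustration.

```python
import gzip
import posixpath

MAGICS = (b"070701", b"070702")  # cpio "newc" and "newc with checksum"
HDR = 110                         # 6-byte magic + 13 eight-digit hex fields

def _align(n):
    return (n + 3) & ~3           # names and data are padded to 4 bytes

def cpio_names(blob):
    """List entry names in a newc cpio archive, gzip-compressed or not."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    names, off = [], 0
    while off + HDR <= len(blob):
        if blob[off:off + 6] not in MAGICS:
            raise ValueError(f"bad cpio magic at offset {off}")
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[off + HDR:off + HDR + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        off = _align(_align(off + HDR + namesize) + filesize)
    return names

def missing_libs(initrd, needed):
    """Return the sonames in `needed` that no archive entry provides."""
    present = {posixpath.basename(n) for n in cpio_names(initrd)}
    return sorted(set(needed) - present)

def _entry(name, data=b""):
    n = name.encode() + b"\0"
    vals = (0, 0o100755, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    head = b"070701" + b"".join(b"%08X" % v for v in vals) + n
    head += b"\0" * (-len(head) % 4)
    return head + data + b"\0" * (-len(data) % 4)

def build_initrd(names):
    """Constructed sample: a tiny gzip'd newc archive with the given paths."""
    body = b"".join(_entry(n, b"x") for n in names) + _entry("TRAILER!!!")
    return gzip.compress(body)

if __name__ == "__main__":
    good = build_initrd(["init", "usr/lib64/libc.so.6", "usr/lib64/libseccomp.so.2"])
    bad = build_initrd(["init", "usr/lib64/libc.so.6"])
    for label, img in (("with lib", good), ("without lib", bad)):
        print(label, "missing:", missing_libs(img, ["libseccomp.so.2"]))
```

For a real image, pass the file's bytes (read in binary mode) to `missing_libs`. A match on the entry name only shows the path exists in the archive; a symlink whose target is absent would still fail at load time.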

@grahamwhaley
Contributor Author

OK, mea culpa - I was missing the outstanding PR #156 on this repo - I thought we'd landed all the seccomp bits apart from kata-containers/runtime#689 - my fault. Working now. Closing this issue.
