
Bug#961363: slirp4netns - Fails on Linux 5.5: enable_seccomp failed


Bastian Blank

May 23, 2020, 12:00:04 PM
Package: slirp4netns
Version: 1.0.1-1
Severity: important

slirp4netns fails with the following command line:
| /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-b5f1fc5... tap0

Excerpt from strace output:

| prctl(PR_CAPBSET_DROP, CAP_BLOCK_SUSPEND) = 0
| prctl(PR_CAPBSET_DROP, CAP_AUDIT_READ) = 0
| prctl(PR_CAPBSET_DROP, 0x26 /* CAP_??? */) = -1 EINVAL (Invalid argument)
| capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE, permitted=1<<CAP_NET_BIND_SERVICE, inheritable=1<<CAP_NET_BIND_SERVICE}) = 0
| write(2, "enable_seccomp failed\n", 22) = 22

Bastian

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages slirp4netns depends on:
ii libc6 2.30-8
ii libglib2.0-0 2.64.2-1
ii libseccomp2 2.4.3-1+b1
ii libslirp0 4.2.0-2

slirp4netns recommends no packages.

slirp4netns suggests no packages.

Bastian Blank

May 23, 2020, 5:20:02 PM
Hi Reinhard

On Sat, May 23, 2020 at 04:09:42PM -0400, Reinhard Tartler wrote:
> Can you please elaborate on your use-case and ideally demonstrate with a minimal testcase? - What kind of namespaces are shared/unshared? The command-line looks like it was generated by some other program. Please elaborate.

In the meantime I found out that it works in some cases.

I today tried some new stuff:
- podman (https://github.com/containers/libpod)
- usernetes (https://github.com/rootless-containers/usernetes)

With podman slirp4netns broke with the mentioned error. With
rootlesskit, used by usernetes, it seems to work. Let's see if I manage
to look again.

Bastian

--
Men will always be men -- no matter where they are.
-- Harry Mudd, "Mudd's Women", stardate 1329.8

Nathaniel McCallum

Dec 5, 2021, 9:10:03 AM
On Sat, 23 May 2020 17:40:37 -0400 Reinhard Tartler <sire...@tauware.de> wrote:
>
>
> On 5/23/20 5:03 PM, Bastian Blank wrote:
> > Hi Reinhard
> >
> > On Sat, May 23, 2020 at 04:09:42PM -0400, Reinhard Tartler wrote:
> >> Can you please elaborate on your use-case and ideally demonstrate with a minimal testcase? - What kind of namespaces are shared/unshared? The command-line looks like it was generated by some other program. Please elaborate.
> >
> > In the meantime I found out that it works in some cases.
> >
> > I today tried some new stuff:
> > - podman (https://github.com/containers/libpod)
> > - usernetes (https://github.com/rootless-containers/usernetes)
> >
> > With podman slirp4netns broke with the mentioned error. With
> > rootlesskit, used by usernetes, it seems to work. Let's see if I manage
> > to look again.
>
> Are you using the packaged podman that we have in Debian since a couple of days now, or did you compile yourself?
> The packaged version does work just fine for me with slirp4netns.
>
> I didn't have the chance to look at usernetes yet.
>
> In any case, please do file a ticket upstream and please cc me to get some clarification from upstream.

https://github.com/containers/podman/issues/6967

It seems that Debian’s slirp4netns is rather out of date at this point and suffers compatibility issues with newer environments. Could we get an update?