seccomp issue with Debian 11 on 32-bit ARM machines #19

Closed
Jamesits opened this issue May 15, 2022 · 3 comments
Jamesits (Owner) commented May 15, 2022

After upgrading the base image to Debian 11, I noticed Atlas stopped working on some 32-bit ARM devices.

Symptoms

root@bananapir2:~# docker run --rm -it debian:stable-slim
Unable to find image 'debian:stable-slim' locally
stable-slim: Pulling from library/debian
a384a395da99: Already exists 
Digest: sha256:bd53ab674a48598863d4902d867fab6fa8f1da4f67a2d14b32785398e40c5f18
Status: Downloaded newer image for debian:stable-slim
root@72a4e03037ea:/# sleep 0
sleep: cannot read realtime clock: Operation not permitted

root@bananapir2:~# docker run --rm -it debian:10-slim
Unable to find image 'debian:10-slim' locally
10-slim: Pulling from library/debian
8f4c08df22a9: Pull complete 
Digest: sha256:69f5980eb8901ca6829d36f2aea008f3cdb39a23aec23511054a6801244cbaa5
Status: Downloaded newer image for debian:10-slim
root@b95e87c8b798:/# sleep 0

The Debian 11 image also fails to do some other tasks:

root@bananapir2:/usr/local/mesh# docker run --rm -it debian:stable-slim
root@2b43c215e1d8:/# which sleep
/bin/sleep
root@2b43c215e1d8:/# apt update
Get:1 http://security.debian.org/debian-security stable-security InRelease [44.1 kB]
Err:1 http://security.debian.org/debian-security stable-security InRelease
  At least one invalid signature was encountered.
Get:2 http://deb.debian.org/debian stable InRelease [116 kB]
Get:3 http://deb.debian.org/debian stable-updates InRelease [39.4 kB]
Err:2 http://deb.debian.org/debian stable InRelease
  At least one invalid signature was encountered.
Err:3 http://deb.debian.org/debian stable-updates InRelease
  At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://security.debian.org/debian-security stable-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://security.debian.org/debian-security stable-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian stable InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian stable-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian stable-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Workaround

Build Script

Temporarily reverted the base image to Debian 10.

Docker side

If you still need Debian 11 images:

Add --security-opt seccomp:unconfined to the docker run command line.

For Docker Compose, add the following config under the service:

    security_opt:
      - seccomp:unconfined

Host OS

Upgrade libseccomp2 to 2.5.1-1~bpo10+1 or higher.

Environment

Hardware:

  • Banana Pi 2

Software:

# docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 20.10.16
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
 runc version: v1.1.1-0-g52de29d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.204-mt7623
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 1.963GiB
 Name: bananapir2
 ID: NEVZ:ZDFD:QVHQ:QPUI:TE72:E4JA:TRS7:LKTM:OKV6:HPA2:T74L:V7JX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true
@Jamesits Jamesits added bug Something isn't working help wanted Extra attention is needed labels May 15, 2022
@Jamesits Jamesits self-assigned this May 15, 2022
@Jamesits Jamesits pinned this issue May 15, 2022
Jamesits added a commit that referenced this issue May 15, 2022
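The symptom above ("cannot read realtime clock: Operation not permitted") is a seccomp filter answering EPERM to time-related syscalls, not a broken clock. The following diagnostic is an added example and is not part of the ripe-atlas project: it probes the clock syscalls from inside a container and, given the host's libseccomp2 version string (for example from `dpkg-query -W libseccomp2`), tells you whether the version is below the 2.5.1 threshold named in the workaround. The 2.5.1 minimum, the comparison rule (upstream part only, Debian revision and epoch ignored) and the verdict wording are this example's own choices.

```python
"""Diagnostic probe for the "sleep: cannot read realtime clock: Operation not
permitted" symptom seen with Debian 11 containers on 32-bit ARM hosts.

Added example, not part of the jamesits/ripe-atlas project. Run it inside the
affected container and pass the host's libseccomp2 version as the first
argument, e.g.  python3 probe_seccomp.py 2.3.3-4   (Linux only).
"""
import errno
import re
import sys
import time

# Clocks the symptom touches: `sleep` reads CLOCK_REALTIME and then calls
# clock_nanosleep; on the broken setup both come back as EPERM.
CLOCKS = {
    "CLOCK_REALTIME": time.CLOCK_REALTIME,
    "CLOCK_MONOTONIC": time.CLOCK_MONOTONIC,
}

# Minimum libseccomp2 version named in the issue (2.5.1-1~bpo10+1 or higher);
# only the upstream part (2.5.1) is compared (assumption of this example).
MIN_LIBSECCOMP = (2, 5, 1)


def _errname(exc):
    return errno.errorcode.get(exc.errno, str(exc.errno))


def probe_time_syscalls():
    """Return {probe_name: "ok" | errno name} for the time-related calls.

    EPERM from these calls points at a syscall filter: a misconfigured clock
    would give EINVAL or a wrong value, never "Operation not permitted".
    """
    results = {}
    for name, clock_id in CLOCKS.items():
        try:
            time.clock_gettime(clock_id)
            results[name] = "ok"
        except OSError as exc:
            results[name] = _errname(exc)
    try:
        time.sleep(0)  # CPython 3.11+ uses clock_nanosleep for this on Linux
        results["nanosleep"] = "ok"
    except OSError as exc:
        results["nanosleep"] = _errname(exc)
    return results


def libseccomp_version_ok(debian_version, minimum=MIN_LIBSECCOMP):
    """True if a Debian libseccomp2 version string meets the minimum.

    Simplified Debian version handling: an optional epoch ("1:") is dropped,
    everything from the first "-" (the Debian revision, e.g. "-1~bpo10+1") is
    ignored, and the remaining upstream version is compared numerically
    component by component.
    """
    upstream = debian_version.split(":", 1)[-1].split("-", 1)[0]
    parts = []
    for piece in upstream.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) >= tuple(minimum)


def diagnose(probe_results, host_libseccomp_version):
    """Combine the in-container probe and the host version into one verdict."""
    blocked = [n for n, r in probe_results.items() if r == "EPERM"]
    if not blocked:
        return "ok: time syscalls are not filtered"
    wanted = ".".join(map(str, MIN_LIBSECCOMP))
    if not libseccomp_version_ok(host_libseccomp_version):
        return (f"{', '.join(blocked)} return EPERM and host libseccomp2 "
                f"{host_libseccomp_version} is older than {wanted}: upgrade "
                "libseccomp2 (preferred) or, as a stopgap, run with "
                "--security-opt seccomp:unconfined")
    return (f"{', '.join(blocked)} return EPERM but libseccomp2 is new enough: "
            "inspect the seccomp profile actually applied to the container")


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else "0"
    probe = probe_time_syscalls()
    for name, result in probe.items():
        print(f"{name:16} {result}")
    print(diagnose(probe, version))
```

Upgrading libseccomp2 is the fix to prefer: `seccomp:unconfined` removes the whole syscall filter from the container, while the upgrade only teaches the host's libseccomp the syscall names the default profile already allows.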
ZEROF commented Jul 10, 2024

Hi,

I can confirm that my probe stopped working when the watchtower received the last image.

OS: Debian 12 x86_64
Docker image:
"RepoTags": [
"jamesits/ripe-atlas:latest"
]
Probe is back online after using: --security-opt seccomp:unconfined.

Jamesits (Owner, Author) commented

@ZEROF Yes, since Debian 10 is now EOL, we cannot support this use case anymore. I'll add your solution to the README as a reference.

Related changes have landed at fe3becc.
