With glibc 2.34, every application that uses clone in a Docker container fails on this syscall. For example, chronyd:
chronyd[71]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
chronyd[71]: Initial frequency -14.338 ppm
chronyd[71]: Fatal error : pthread_create() failed
host's journal:
audit[5061]: SECCOMP auid=4294967295 uid=496 gid=484 ses=4294967295 subj=unconfined pid=5061 comm="chronyd" exe="/usr/sbin/chronyd" sig=0 arch=c000003e syscall=435 compat=0 ip=0x7fc6dc593159 code=0x7ffc0000
audit[5064]: SECCOMP auid=4294967295 uid=496 gid=484 ses=4294967295 subj=unconfined pid=5064 comm="chronyd" exe="/usr/sbin/chronyd" sig=0 arch=c000003e syscall=435 compat=0 ip=0x7fec76aa7159 code=0x7ffc0000
As of https://sourceware.org/git/?p=glibc.git;a=commit;h=d8ea0d0168b190bdf138a20358293c939509367f clone3 is used by default; in case of ENOSYS it falls back to clone2 or clone. But the seccomp profile for the Azure Docker container returns EPERM by default.
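The EPERM-versus-ENOSYS distinction above is a property of the container's seccomp profile, so it can be checked before a glibc 2.34 image is deployed. The following is an added example, not code from this ticket or from FreeIPA: it classifies what a clone3 call would receive under a Docker/OCI-style seccomp JSON profile, using two constructed sample profiles (the pre-fix shape with no rule for clone3, and a corrected one that answers clone3 with ENOSYS so glibc falls back to clone). It assumes the first rule naming clone3 wins and ignores the profile's includes/excludes filters.

```python
import errno
import json

# Constructed sample in the shape of the pre-fix Docker default profile: clone3
# (syscall 435) is absent from the allow list and the default action is
# SCMP_ACT_ERRNO without defaultErrnoRet, which the runtime turns into EPERM.
WEAK_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["clone", "futex", "read", "write"],
                  "action": "SCMP_ACT_ALLOW"}],
})

# Constructed sample of a corrected profile: clone3 is answered with ENOSYS
# (errno 38), so glibc 2.34 falls back to clone instead of dying in pthread_create.
FIXED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": errno.ENOSYS,
    "syscalls": [
        {"names": ["clone", "futex", "read", "write"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": errno.ENOSYS},
    ],
})


def clone3_outcome(profile_json: str) -> str:
    """Return what clone3 gets under this profile: 'allow', 'errno:<NAME>' or the raw action.

    Assumption (hypothetical simplification): the first rule naming clone3 wins and
    includes/excludes filters are ignored; enough to spot the EPERM-vs-ENOSYS mistake.
    """
    profile = json.loads(profile_json)
    for rule in profile.get("syscalls", []):
        if "clone3" in rule.get("names", []):
            action = rule["action"]
            code = rule.get("errnoRet", errno.EPERM)  # runtimes default errnoRet to EPERM
            break
    else:
        action = profile["defaultAction"]
        code = profile.get("defaultErrnoRet", errno.EPERM)
    if action == "SCMP_ACT_ALLOW":
        return "allow"
    if action == "SCMP_ACT_ERRNO":
        return "errno:" + errno.errorcode.get(code, str(code))
    return action  # e.g. SCMP_ACT_KILL_PROCESS: glibc gets no chance to fall back


def breaks_glibc_234_threads(profile_json: str) -> bool:
    """True when glibc's clone3 -> clone fallback cannot happen (anything but allow/ENOSYS)."""
    return clone3_outcome(profile_json) not in ("allow", "errno:ENOSYS")


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, clone3_outcome(prof), "breaks threads:", breaks_glibc_234_threads(prof))
```

Point the script at the actual profile JSON handed to the runtime (for example the one passed via --security-opt seccomp=...) rather than the samples to check a real deployment.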
Metadata Update from @slev:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6048
Metadata Update from @abbra:
- Issue assigned to slev
- Issue priority set to: critical
master:
ipa-4-9:
ipa-4-8:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)