FS#65523 - [libseccomp] blocks systemd and new time64 functions for 32-bit with glibc 2.31 (sytemd-nspawn)
Attached to Project:
Arch Linux
Opened by Andreas Baumann (andreas_baumann) - Sunday, 16 February 2020, 20:06 GMT
Last edited by Evangelos Foutras (foutrelis) - Thursday, 27 February 2020, 12:00 GMT
Opened by Andreas Baumann (andreas_baumann) - Sunday, 16 February 2020, 20:06 GMT
Last edited by Evangelos Foutras (foutrelis) - Thursday, 27 February 2020, 12:00 GMT
|
Details
systemd-nspawn fails to run 32-bit containers having glibc
2.31 installed.
systemd doesn't boot 32-bit systems at all due to missing time64 function in libseccomp 2.4.1. Reproducable with: staging-pentium4-build (with a glibc 2.31 in the chroot) mount --bind /var/lib/archbuild/staging-pentium4/builduser/staging systemd-nspawn -D /mnt sleep 5 An strace on systemd-nspawn -D /mnt sleep 5 shows: [pid 269905] clock_nanosleep_time64(CLOCK_REALTIME, 0, {tv_sec=5, tv_nsec=0}, 0xff8ea1cc) = -1 EPERM (Operation not permitted) This might not really be easily reproducable and I also know it is completely unsupported (as it is 32-bit), but this blocks our build slaves using systemd-nspawn currently. You can follow (the somewhat frantic and intermixed with sshd update problems) discusison at https://bbs.archlinux32.org/viewtopic.php?pid=6935. I report that against libseccomp 2.4.1 though I know that it has already been flagged out-of-date. But I cannot reflag it or add comments there.. I'm also aware that this "bug" doesn't affect anybody on 64-bit. I posted this bug in the hope that the update to libseccomp 2.4.2 could be hurried up a little bit. :-) |
This task depends upon
Closed by Evangelos Foutras (foutrelis)
Thursday, 27 February 2020, 12:00 GMT
Reason for closing: Fixed
Additional comments about closing: libseccomp 2.4.2-1
Thursday, 27 February 2020, 12:00 GMT
Reason for closing: Fixed
Additional comments about closing: libseccomp 2.4.2-1
It's about 64-bit systemd-nspawn being useless for entering nspawn containers containing 32-bit systems, including not only archlinux32 containers, but also debian i386 containers.
Question: is updating libseccomp to 2.4.2 sufficient to fix this?
If someone wants to see 2.4.2 in our repos, you will need to convince them to post a signed confirmation anywhere that contains the new maintainers full fingerprint and was signed with the original maintainers signing key.
Basically the .md is added here https://github.com/seccomp/libseccomp/commit/e5c4b5ee8086b936d28b080e5477950f632b4d43 but he also refused to sign commits, so until there is a new signed release done by him that commits is pretty worthless from a trust chain PoV
So perhaps we can try backporting this instead, while we wait for a trustworthy signed release?
We probably also want to grab these fixes planned for 2.4.3: https://github.com/seccomp/libseccomp/issues/187
Also while doing a pacman -S glibc (being glibc 2.31) I got before:
(tons of) warning: warning given when extracting /usr/share/locale/ru/LC_MESSAGES/libc.mo (Can't restore time)
touch: setting times of '/usr': Operation not permitted
This also looks fine now (no errors after the update).
I checked also the sources of systemd and there I see for instance the new time syscalls in filter groups like @default.
TLDR: I will switch over to git tags for 2.4.2 and get in touch with upstream yet again.
Why can't everyone be like this person? https://github.com/EFForg/https-everywhere/pull/17007#issuecomment-434968524
Wow, https-everywhere is exactly how it should be :thumbs: