Disabling seccomp is a bad solution; unfortunately, it is required today.
I've found that glibc 2.31+ can't be used with seccomp without the time64 syscalls whitelist. These syscalls were whitelisted only in the latest version of containerd, v1.4.0. But version 1.4.0 includes a huge amount of changes. It can appear in the testing branch in the next 2 months and in the stable branch only next year. 90% of users will forget that seccomp should be re-enabled next year.
Please don't forget to backport the seccomp whitelist changes to every major release and make new minor releases. It is fine to make a minor release with just a single seccomp whitelist commit. The seccomp whitelist is critically important for buildah/podman usability (it is enabled by default). Thank you.
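A check for the situation described in the comment above, added here as an illustrative example and not code from containerd, buildah or podman: it reads an OCI-format seccomp profile (the JSON layout used by containerd, Docker and podman) and reports which time64 syscalls, the variants glibc 2.31+ issues on 32-bit architectures, the profile does not allow. The syscall list and the two sample profiles are the example's own constructed inputs; it assumes the profile uses `defaultAction` plus `syscalls[].names`/`action` rules and ignores per-architecture `includes`/`excludes` filters.

```python
import json

# The *_time64 syscall family (y2038-safe variants) that glibc 2.31+ uses on
# 32-bit architectures. This set is the kernel's time64 family as assumed by
# this example; the comment above does not enumerate the syscalls itself.
TIME64_SYSCALLS = {
    "clock_adjtime64", "clock_getres_time64", "clock_gettime64",
    "clock_nanosleep_time64", "clock_settime64", "futex_time64",
    "io_pgetevents_time64", "mq_timedreceive_time64", "mq_timedsend_time64",
    "ppoll_time64", "pselect6_time64", "recvmmsg_time64",
    "rt_sigtimedwait_time64", "sched_rr_get_interval_time64",
    "semtimedop_time64", "timer_gettime64", "timer_settime64",
    "timerfd_gettime64", "timerfd_settime64", "utimensat_time64",
}

def allowed_syscalls(profile: dict) -> set:
    """Collect syscall names an OCI seccomp profile allows via SCMP_ACT_ALLOW.
    Per-arch includes/excludes on a rule are ignored (assumption)."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return {"*"}  # everything allowed by default; nothing to check
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    return allowed

def missing_time64(profile: dict) -> set:
    """Return the time64 syscalls the profile does NOT allow (empty set = OK)."""
    allowed = allowed_syscalls(profile)
    if "*" in allowed:
        return set()
    return TIME64_SYSCALLS - allowed

# Constructed sample: an older-style profile that allows the 32-bit time
# syscalls but none of their time64 variants, which breaks glibc 2.31+ guests.
OLD_PROFILE = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["clock_gettime", "clock_nanosleep", "futex", "ppoll"],
   "action": "SCMP_ACT_ALLOW"}]}""")

# Constructed sample: the same profile with the time64 family whitelisted.
FIXED_PROFILE = json.loads(json.dumps(OLD_PROFILE))
FIXED_PROFILE["syscalls"].append(
    {"names": sorted(TIME64_SYSCALLS), "action": "SCMP_ACT_ALLOW"})

if __name__ == "__main__":
    for name, prof in (("old", OLD_PROFILE), ("fixed", FIXED_PROFILE)):
        gap = missing_time64(prof)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Running it against a real profile only needs `missing_time64(json.load(open(path)))`; a non-empty result means glibc 2.31+ workloads on 32-bit will hit EPERM on time calls under that profile.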