Description
The following runs successfully on 1.9.1, but fails on 1.10-dev: (recompiled and restarted to be on a082f80 to make sure I wasn't just using an outdated seccomp profile)
```dockerfile
FROM buildpack-deps:jessie-curl
RUN wget -O /usr/local/bin/gosu 'https://github.com/tianon/gosu/releases/download/1.7/gosu-i386' \
	&& chmod +x /usr/local/bin/gosu
CMD ["sh", "-c", "gosu nobody id"]
```

(also at https://gist.github.com/tianon/bca77efe076e448e9287 and pushed to tianon/gosu-i386)
On 1.9.1:

```console
$ docker run -it --rm tianon/gosu-i386
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
```

On master:

```console
$ docker run -it --rm tianon/gosu-i386
Trace/breakpoint trap
$ docker run -it --rm --security-opt seccomp:unconfined tianon/gosu-i386
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
```

(took me forever to track it down to seccomp due to the funky error message)
There's nothing especially special about the binary -- the amd64 version works fine (just replace `i386` in the Dockerfile above with `amd64` to see what I mean). It's built via `GOARCH=386 go build -ldflags -d` from https://github.com/tianon/gosu.
I'm not sure how to help debug since strace is denied in the default profile, and I'm not seccomp-savvy enough to write a new profile allowing it so that I can strace with the failing bits still failing (since using unconfined kind of defeats the purpose of the strace 😇).
cc @jfrazelle
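As an added example (not part of the issue report or of Docker's own code): a small checker for a Docker seccomp profile in the JSON format `--security-opt seccomp:FILE` loads, which reports whether the profile lists the 32-bit x86 architectures at all and whether `ptrace` (what strace needs) is allowed, and derives a debugging copy that keeps every existing denial while adding just those. The embedded profile is a constructed, cut-down one, not the real default profile; the 32-bit architecture check rests on libseccomp's default bad-architecture action, which kills a task whose syscall arrives from an architecture the filter does not list.

```python
import json
from copy import deepcopy

# Constructed, cut-down profile in Docker's seccomp JSON format; not the real
# default profile (that one lists hundreds of syscalls). "name" is the 1.10-era
# key; newer profiles use "names" with a list, and both are handled below.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"name": "read",   "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "write",  "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "setuid", "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}
""")

# ABIs an i386 binary can use on an amd64 kernel; Docker's current default
# profile lists both of these next to SCMP_ARCH_X86_64.
I386_ARCHES = ("SCMP_ARCH_X86", "SCMP_ARCH_X32")

def allowed_syscalls(profile):
    """Names of syscalls the profile explicitly allows (either key style)."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
            if "name" in rule:
                names.add(rule["name"])
    return names

def diagnose(profile, wanted=("ptrace",)):
    """libseccomp's default bad-arch action kills a task whose syscall comes
    from an architecture the filter does not list, so a 32-bit binary dies on
    its first syscall when only SCMP_ARCH_X86_64 is present, whatever the
    per-syscall rules say. Also report which wanted syscalls are not allowed."""
    arches = set(profile.get("architectures", []))
    allowed = allowed_syscalls(profile)
    return {"has_i386_arch": any(a in arches for a in I386_ARCHES),
            "denied": sorted(s for s in wanted if s not in allowed)}

def debug_profile(profile, extra=("ptrace",)):
    """Copy that keeps every existing denial but adds the 32-bit architectures
    and allows the syscalls strace needs. (Yama's ptrace_scope on the host may
    additionally require --cap-add SYS_PTRACE.)"""
    out = deepcopy(profile)
    arches = out.setdefault("architectures", [])
    arches.extend([a for a in I386_ARCHES if a not in arches])
    have = allowed_syscalls(out)
    out.setdefault("syscalls", []).extend(
        [{"name": s, "action": "SCMP_ACT_ALLOW", "args": []}
         for s in extra if s not in have])
    return out
```

Write `json.dumps(debug_profile(...))` to a file and pass it with `--security-opt seccomp:FILE` to strace the container with the remaining denials still in force.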