Bug was reported first in Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1588755
With --cap-add=SYS_NICE, seccomp still blocks set_mempolicy syscall.
According to the doc (https://docs.docker.com/engine/security/seccomp/) set_mempolicy is gated by CAP_SYS_NICE and should be allowed while using --cap-add=SYS_NICE.
Steps to reproduce:
a10029a063dfea068a256f53f7912671500f1aab1da90f1352c0f51d23a4497d
[builder@dlw11 ~]$ docker exec -it test bash
[builder@test ~]$ hwloc-bind --membind node:0 echo hello
hwloc_set_membind 0x00000001 (policy 2 flags 0) failed (errno 1 Operation not permitted)
"good" is just a rhel 7.5 docker image
Modifying the default seccomp profile by adding:
"names": [
"get_mempolicy",
"mbind",
"name_to_handle_at",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
}
solves the problem.
[builder@dlw11 ~]$ nvidia-docker run -di --cap-add=SYS_NICE --name=test --hostname=test --security-opt seccomp=/home/builder/seccomp.json good bash
4ca36edae42f8c48bac6bead4f54d572608e5ea342589132d8f8639b26eeee58
[builder@dlw11 ~]$ docker exec -it test bash
[builder@test ~]$ hwloc-bind --membind node:0 echo hello
hello
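As an added example (not from this report and not Docker's own code), a small Python helper that appends a CAP_SYS_NICE-gated allow rule for the NUMA policy syscalls to a seccomp profile and evaluates which syscalls a given bounding capability set can reach, so the patched profile can be checked before it is passed via --security-opt. The stand-in profile is constructed, and the includes/excludes evaluation (every included cap required, any excluded cap disqualifies) is an assumption about how the profile format is interpreted.

```python
import copy
import json

# Constructed stand-in for Docker's default profile: deny by default, with one
# existing rule gated on CAP_SYS_NICE (the real file has many more rules).
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["setpriority", "sched_setparam"], "action": "SCMP_ACT_ALLOW",
         "args": [], "comment": "", "includes": {"caps": ["CAP_SYS_NICE"]},
         "excludes": {}},
    ],
}

def rule_applies(rule, bounding_caps):
    """Assumed includes/excludes semantics: every cap listed in includes.caps
    must be in the bounding set, and no cap in excludes.caps may be."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    return inc <= bounding_caps and not (exc & bounding_caps)

def allowed_syscalls(profile, bounding_caps):
    """Syscall names that reach an ALLOW rule for the given bounding set."""
    caps = set(bounding_caps)
    return {name for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" and rule_applies(rule, caps)
            for name in rule["names"]}

def add_cap_gated_rule(profile, names, cap):
    """Return a copy of profile with an ALLOW rule for names gated on cap.
    Names already reachable under that cap are left alone, so the fix is
    idempotent and never widens beyond the syscalls actually missing."""
    patched = copy.deepcopy(profile)
    missing = [n for n in names if n not in allowed_syscalls(patched, {cap})]
    if missing:
        patched["syscalls"].append({
            "names": missing, "action": "SCMP_ACT_ALLOW", "args": [],
            "comment": "NUMA policy syscalls, gated on " + cap,
            "includes": {"caps": [cap]}, "excludes": {}})
    return patched

if __name__ == "__main__":
    numa = ["get_mempolicy", "mbind", "set_mempolicy"]
    fixed = add_cap_gated_rule(DEFAULT_PROFILE, numa, "CAP_SYS_NICE")
    # Write the result out and pass it with --security-opt seccomp=<file>.
    print(json.dumps(fixed, indent=2))
```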