Description
See docker-library/official-images#17403 for most of the context.
Essentially seccomp doesn't support riscv64 right now, so specifying it won't apply on a riscv64 architecture:
    {
        "names": [
            "riscv_flush_icache"
        ],
        "action": "SCMP_ACT_ALLOW",
        "includes": {
            "arches": [
                "riscv64"
            ]
        }
    },
but if you remove the includes it will work:
    {
        "names": [
            "riscv_flush_icache"
        ],
        "action": "SCMP_ACT_ALLOW"
    },
Reproduce
- On a riscv64 agent run an ubuntu docker image (default seccomp settings)
- Run `apt-get update` and `apt-get install openjdk-21-jdk`
- Observe the following error:
[0.024s][error][os] Syscall: RISCV_FLUSH_ICACHE not available; error='Operation not permitted' (errno=EPERM)
Expected behavior
No response
docker version
Client:
 Version: 24.0.7
 API version: 1.43
 Go version: go1.22.2
 Git commit: 24.0.7-0ubuntu4
 Built: Wed Apr 17 20:08:25 2024
 OS/Arch: linux/riscv64
 Context: default

Server:
 Engine:
  Version: 24.0.7
  API version: 1.43 (minimum version 1.12)
  Go version: go1.22.2
  Git commit: 24.0.7-0ubuntu4
  Built: Wed Apr 17 20:08:25 2024
  OS/Arch: linux/riscv64
  Experimental: false
 containerd:
  Version: 1.7.12
  GitCommit:
 runc:
  Version: 1.1.12-0ubuntu3
  GitCommit:
 docker-init:
  Version: 0.19.0
  GitCommit:
docker info
Client:
 Version: 24.0.7
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
   Version: 0.12.1
   Path: /usr/libexec/docker/cli-plugins/docker-buildx

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version:
 runc version:
 init version:
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.10.113+
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: riscv64
 CPUs: 4
 Total Memory: 15.35GiB
 Name: test-rise-ubuntu2404-riscv64-3.adoptopenjdk.net
 ID: 3ab95727-791b-4dba-b211-132e803c56b0
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
Additional Info
No response
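The difference between the two profile entries in this report can be checked offline before a profile is deployed. The following is an added example, not part of the original issue and not Docker's code: it models the arch filter as an exact string match of `includes.arches` against the arch name the runtime resolved, and assumes an unresolved arch is the empty string. The sample profile, the list of resolvable arch names and all function names are constructed for illustration.

```python
import json

# Constructed sample in Docker's seccomp profile JSON format (trimmed).
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["riscv_flush_icache"], "action": "SCMP_ACT_ALLOW",
     "includes": {"arches": ["riscv64"]}}
  ]
}
""")

def applies(rule, runtime_arch):
    """Assumed model: includes.arches must list the runtime's arch name,
    and excludes.arches must not."""
    inc = rule.get("includes", {}).get("arches", [])
    exc = rule.get("excludes", {}).get("arches", [])
    return (not inc or runtime_arch in inc) and runtime_arch not in exc

def verdict(profile, runtime_arch, syscall):
    """Action the arch-filtered profile yields for one syscall name."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and applies(rule, runtime_arch):
            return rule["action"]
    return profile["defaultAction"]

def dead_rules(profile, resolvable_arches):
    """Syscall names gated only on arch names the runtime can never report."""
    dead = []
    for rule in profile["syscalls"]:
        inc = rule.get("includes", {}).get("arches", [])
        if inc and not set(inc) & set(resolvable_arches):
            dead.extend(rule["names"])
    return dead

def without_arch_gate(profile, syscall):
    """Copy of the profile with includes.arches dropped from rules naming syscall."""
    out = json.loads(json.dumps(profile))
    for rule in out["syscalls"]:
        if syscall in rule["names"]:
            rule.get("includes", {}).pop("arches", None)
    return out

if __name__ == "__main__":
    # "" stands for an arch the runtime could not resolve (assumption).
    print(verdict(PROFILE, "", "riscv_flush_icache"))
    print(dead_rules(PROFILE, ["amd64", "arm64", "s390x"]))
```

A rule reported by `dead_rules` never reaches the kernel filter, so the syscall falls through to `defaultAction`, which is the `EPERM` seen in the reproduction.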