seccomp: support riscv64 #43553

Merged: justincormack merged 1 commit into moby:master from AkihiroSuda:riscv64 on May 13, 2022

@AkihiroSuda (Member) commented May 2, 2022

- What I did

Added riscv64 support.

Corresponds to:

- How I did it

Updated the seccomp profile.

Needs runc with:

- How to verify it

$ uname -a
Linux lima-riscv64 5.15.0-1008-generic #8-Ubuntu SMP Wed Apr 20 07:00:28 UTC 2022 riscv64 riscv64 riscv64 GNU/Linux

$ docker info
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: library-import
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: v1.1.0-169-ge41ba42e
 init version: N/A
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-1008-generic
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: riscv64
 CPUs: 1
 Total Memory: 1.919GiB
 Name: lima-riscv64
 ID: PKRT:2BZP:WI2W:AFSF:RJJS:VFNW:636S:5LWX:LCDH:CWKK:BKJO:JDEU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

$ docker run -it --rm ubuntu:22.04
root@27d3fc38e4f8:/# uname -a
Linux 27d3fc38e4f8 5.15.0-1008-generic #8-Ubuntu SMP Wed Apr 20 07:00:28 UTC 2022 riscv64 riscv64 riscv64 GNU/Linux

Tested on qemu-system-riscv64 -M virt -cpu rv64 (QEMU 6.2)

- Description for the changelog

seccomp: support riscv64

- A picture of a cute animal (not mandatory but encouraged)
🐧


We should update the CI to cover riscv64, but it will be a separate PR, after refactoring of the cross compilation scripts:

Corresponds to containerd PR 6882

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda (Member, Author)

cc @crazy-max

@thaJeztah (Member) left a comment

SGTM

@thaJeztah thaJeztah added this to the 22.04.0 milestone May 2, 2022
@crazy-max (Member)

@AkihiroSuda

> We should update the CI to cover riscv64, but it will be a separate PR, after refactoring of the cross compilation scripts:

Created another branch to add support for riscv64 on moby: master...crazy-max:cross-20220502-2

Needs to use an ubuntu based image (at least 20.04) because debian lacks riscv64 cross pkgs support afaik. See relevant commit: 697074d

$ docker buildx bake --set *.platform=linux/riscv64
$ file build/binary/dockerd 
build/binary/dockerd: ELF 64-bit LSB executable, UCB RISC-V, RVC, double-float ABI, version 1 (SYSV), statically linked, BuildID[sha1]=216c27bc33c0514c7d1fe1be2d3d64fb6d83a315, for GNU/Linux 4.15.0, stripped

But switching to ubuntu causes some issues with apt sources through xx with arm/v5, arm/v6:

$ docker buildx bake --set *.platform=linux/arm/v6
...
 > [rootlesskit-base 1/1] RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib/apt     --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptcache,target=/var/cache/apt   xx-apt-get update && xx-apt-get install -y libc6-dev gcc   && xx-go --wrap:
#0 7.991 W: Target Packages (multiverse/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:26 and /etc/apt/sources.list.d/xx-armel.list:2
#0 7.991 W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:34 and /etc/apt/sources.list.d/xx-armel.list:3
#0 7.991 W: Target Packages (restricted/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:34 and /etc/apt/sources.list.d/xx-armel.list:3
#0 7.991 W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:34 and /etc/apt/sources.list.d/xx-armel.list:3
#0 7.991 W: Target Packages (multiverse/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:34 and /etc/apt/sources.list.d/xx-armel.list:3
#0 7.991 W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:44 and /etc/apt/sources.list.d/xx-armel.list:4
#0 7.991 W: Target Packages (restricted/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:44 and /etc/apt/sources.list.d/xx-armel.list:4
#0 7.991 W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:46 and /etc/apt/sources.list.d/xx-armel.list:4
#0 7.991 W: Target Packages (multiverse/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:48 and /etc/apt/sources.list.d/xx-armel.list:4
#0 7.991 E: Unable to locate package libc6-dev:armel

Not sure if duplicated targets packages is the cause of this @tonistiigi. I don't encounter this issue with goxx:

$ git clone https://github.com/crazy-max/goxx.git goxx
$ cd goxx/examples/gorm/
$ docker buildx bake artifact --set *.platform=linux/arm/v6
...
#12 [build 1/2] RUN --mount=type=cache,sharing=private,target=/var/cache/apt   --mount=type=cache,sharing=private,target=/var/lib/apt/lists   goxx-apt-get install -y binutils gcc g++ pkg-config
#12 0.233 Hit:1 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
#12 0.233 Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
#12 0.233 Hit:3 http://security.ubuntu.com/ubuntu focal-security InRelease
#12 0.233 Hit:4 http://ports.ubuntu.com/ubuntu-ports focal InRelease
#12 0.245 Hit:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease
#12 0.245 Hit:6 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
#12 0.261 Hit:7 http://archive.ubuntu.com/ubuntu focal-backports InRelease
#12 0.261 Hit:8 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
#12 0.292 Hit:9 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
#12 0.662 Reading package lists...
#12 3.216 + exec apt-get install -y binutils-arm-linux-gnueabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi pkg-config-arm-linux-gnueabi
#12 3.260 Reading package lists...
#12 3.739 Building dependency tree...
#12 3.876 Reading state information...
#12 3.962 The following additional packages will be installed:
#12 3.962   cpp-9-arm-linux-gnueabi cpp-arm-linux-gnueabi g++-9-arm-linux-gnueabi
#12 3.962   gcc-10-cross-base gcc-9-arm-linux-gnueabi gcc-9-arm-linux-gnueabi-base
#12 3.962   gcc-9-cross-base libasan5-armel-cross libatomic1-armel-cross
#12 3.962   libc6-armel-cross libc6-dev-armel-cross libgcc-9-dev-armel-cross
#12 3.962   libgcc-s1-armel-cross libgomp1-armel-cross libstdc++-9-dev-armel-cross
#12 3.962   libstdc++6-armel-cross libubsan1-armel-cross linux-libc-dev-armel-cross
#12 3.962 Suggested packages:
#12 3.962   binutils-doc gcc-9-locales cpp-doc g++-9-multilib-arm-linux-gnueabi
#12 3.962   gcc-9-doc gcc-9-multilib-arm-linux-gnueabi manpages-dev autoconf automake
#12 3.962   libtool flex bison gdb-arm-linux-gnueabi gcc-doc
#12 4.009 The following NEW packages will be installed:
#12 4.009   binutils-arm-linux-gnueabi cpp-9-arm-linux-gnueabi cpp-arm-linux-gnueabi
#12 4.009   g++-9-arm-linux-gnueabi g++-arm-linux-gnueabi gcc-10-cross-base
#12 4.009   gcc-9-arm-linux-gnueabi gcc-9-arm-linux-gnueabi-base gcc-9-cross-base
#12 4.009   gcc-arm-linux-gnueabi libasan5-armel-cross libatomic1-armel-cross
#12 4.009   libc6-armel-cross libc6-dev-armel-cross libgcc-9-dev-armel-cross
#12 4.009   libgcc-s1-armel-cross libgomp1-armel-cross libstdc++-9-dev-armel-cross
#12 4.009   libstdc++6-armel-cross libubsan1-armel-cross linux-libc-dev-armel-cross
#12 4.009   pkg-config-arm-linux-gnueabi
#12 4.087 0 upgraded, 22 newly installed, 0 to remove and 12 not upgraded.
#12 4.087 Need to get 35.6 MB of archives.
...

So maybe this logic https://github.com/crazy-max/goxx/blob/dc8345b5adf7bcfa88486914762161ec55a75c04/rootfs/usr/local/bin/goxx-apt-get#L28-L53 could fix it in xx.

@tonistiigi (Member)

> could fix it in xx.

Same thing should exist in xx already.

@AkihiroSuda (Member, Author)

> arm/v5, arm/v6

Can we just drop them? Most ARM images need v7 at least today.

@thaJeztah (Member)

> Same thing should exist in xx already.

Do we need a newer version of xx in this repository, or what's needed?

@crazy-max (Member) commented May 3, 2022

>> could fix it in xx.
>
> Same thing should exist in xx already.

Yes it's ok on xx, on goxx I skip packages not found, that's why it "works".

About targets packages duplication I opened a PR tonistiigi/xx#66

For #0 7.991 E: Unable to locate package libc6-dev:armel, it works if I specify XX_APT_PREFER_CROSS=1 but then:

With ARG BASE_IMAGE="ubuntu:20.04":

$ docker buildx build --target runc --platform linux/arm/v5 .
...
#22 7.183 + apt-get  install -y binutils-arm-linux-gnueabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi dpkg-dev:armel pkg-config-arm-linux-gnueabi libseccomp-dev:armel
#22 7.228 Reading package lists...
#22 7.738 Building dependency tree...
#22 7.855 Reading state information...
#22 7.866 E: Unable to locate package dpkg-dev:armel
#22 7.866 E: Unable to locate package libseccomp-dev:armel

With ARG BASE_IMAGE="ubuntu:22.04":

$ docker buildx build --target runc --platform linux/arm/v5 .
...
#23 11.29 + apt-get  install -y binutils-arm-linux-gnueabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi dpkg-dev:armel pkg-config:armel libseccomp-dev:armel
#23 11.33 Reading package lists...
#23 11.70 Building dependency tree...
#23 11.81 Reading state information...
#23 11.81 E: Unable to locate package dpkg-dev:armel
#23 11.81 E: Unable to locate package pkg-config:armel
#23 11.81 E: Unable to locate package libseccomp-dev:armel

With ARG BASE_IMAGE="debian:bullseye":

$ docker buildx build --target runc --platform linux/arm/v5 .
...
#21 9.478 + apt-get  install -y binutils-arm-linux-gnueabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi dpkg-dev:armel pkg-config:armel libseccomp-dev:armel
#21 9.485 Reading package lists...
#21 10.01 Building dependency tree...
#21 10.17 Reading state information...
#21 10.28 The following additional packages will be installed:

So like @AkihiroSuda said we could drop armel or rely on 2 variants depending on the target: debian for armel and ubuntu for the other ones.

@crazy-max (Member)

> 2 variants depending on the target. debian for armel and ubuntu for the others ones.

looks good with crazy-max@83062f5

@tianon (Member) left a comment

LGTM; @justincormack given this is a seccomp profile change, can you take a look too? 🙏

},
{
Arch: specs.ArchRISCV64,
SubArches: nil,
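
Review bot: `SubArches: nil` on the `specs.ArchRISCV64` entry sets the field to the value it would have if the line were omitted, so it has no effect. Either drop it or add a short comment saying that no sub-architectures are intended for riscv64, so the explicit value does not read as an unfinished placeholder.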
Member

Curious; was the nil needed?

Member Author

Not really. Just for explicitness.

@AkihiroSuda AkihiroSuda requested a review from justincormack May 10, 2022 11:04
@justincormack justincormack merged commit f1dd6bf into moby:master May 13, 2022
martinetd added a commit to martinetd/containers-common that referenced this pull request Jun 5, 2024
apparently harmless and used

Link: systemd/systemd#25018
Link: containerd/containerd#6882
Link: moby/moby#43553
Signed-off-by: Dominique Martinet <[email protected]>
openshift-merge-bot bot pushed a commit to containers/common that referenced this pull request Jun 7, 2024