seccomp: add riscv64 mapping to seccomp_linux.go#48455
Conversation
Signed-off-by: George Adams <[email protected]>
tianon
left a comment
tianon
left a comment
There was a problem hiding this comment.
I tested this, although in a little bit of a roundabout way (the way I'm running into the issue on our official DOI build infrastructure, in fact 😄)
I took this patch and applied it as-is to the vendored copy of this file in BuildKit, then used that to docker buildx build https://github.com/adoptium/containers.git#07677395574f5d3462c3b6fdf5f6c4a0a350b683:21/jdk/ubuntu/noble
Before:
> [3/5] RUN set -eux; ARCH="$(dpkg --print-architecture)"; case "${ARCH}" in amd64) ESUM='51fb4d03a4429c39d397d3a03a779077159317616550e4e71624c9843083e7b9'; BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_x64_linux_hotspot_21.0.4_7.tar.gz'; ;; arm64) ESUM='d768eecddd7a515711659e02caef8516b7b7177fa34880a56398fd9822593a79'; BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_aarch64_linux_hotspot_21.0.4_7.tar.gz'; ;; ppc64el) ESUM='c208cd0fb90560644a90f928667d2f53bfe408c957a5e36206585ad874427761'; BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_ppc64le_linux_hotspot_21.0.4_7.tar.gz'; ;; riscv64) ESUM='b04fd7f52d18268a935f1a7144dae802b25db600ec97156ddd46b3100cbd13da'; BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_riscv64_linux_hotspot_21.0.4_7.tar.gz'; ;; s390x) ESUM='c900c8d64fab1e53274974fa4a4c736a5a3754485a5c56f4947281480773658a'; BINARY_URL='https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jdk_s390x_linux_hotspot_21.0.4_7.tar.gz'; ;; *) echo "Unsupported arch: ${ARCH}"; exit 1; ;; esac; wget --progress=dot:giga -O /tmp/openjdk.tar.gz ${BINARY_URL}; echo "${ESUM} */tmp/openjdk.tar.gz" | sha256sum -c -; mkdir -p "/opt/java/openjdk"; tar --extract --file /tmp/openjdk.tar.gz --directory "/opt/java/openjdk" --strip-components 1 --no-same-owner ; rm -f /tmp/openjdk.tar.gz /opt/java/openjdk/lib/src.zip; find "/opt/java/openjdk/lib" -name '*.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; ldconfig; java -Xshare:dump;:
/tmp/openjdk.tar.gz: OK
+ tar --extract --file /tmp/openjdk.tar.gz --directory /opt/java/openjdk --strip-components 1 --no-same-owner
/tmp/openjdk.tar.gz /opt/java/openjdk/lib/src.zip
+ sort -u
+ find /opt/java/openjdk/lib -name *.so -exec dirname {} ;
+ ldconfig
+ java -Xshare:dump
[0.018s][error][os] Syscall: RISCV_FLUSH_ICACHE not available; error='Operation not permitted' (errno=EPERM)
Error occurred during initialization of VM
Unable to synchronize I-cacheAfter:
#10 exporting to docker image format
#10 sending tarball 140.4s done
#10 DONE 299.7s
|
(IMO it also makes sense to backport this, at the very least to v27) |
thaJeztah
added
status/2-code-review
area/security/seccomp
kind/bugfix
Yes, looks like the profile was updated in 4c2f18f / #43553, which was part of 23.0 (?) Was also considering if we should look at adding more tests for these (https://github.com/moby/moby/tree/34182f6202507a1974e19b5140e2e36dc99892ff/contrib/syscall-test), although I guess that won't work unless we'd have this running int CI 🙈 |
@thaJeztah I think I've got a working test case which I'll add in a follow-up PR if you'd like. |
|
Thanks! Yes, more tests are always appreciated. I should add a warning that (from a quick look), currently those syscall tests are run as part of the "integration-cli" suite, e.g.; moby/integration-cli/docker_cli_run_unix_test.go Lines 985 to 995 in 29f4a79 We froze that suite, because we want to move away from requiring the Containerd also maintains a copy of the seccomp-profile; long term we should look if we can unify those (potentially moving the secomp profile to a separate module) and perhaps we should at some point look at porting those tests over as well. Either way; that last part is definitely orthogonal. Happy to help with the |
|
Test-failiures should be unrelated (we have some known flakiness in master; see #48400. Gave CI another kick to see if it goes green, but if it doesn't, I'll probably merge this one. |
That's great! do you need me to manually kick off the backports once this is merged or do you have some automated tooling? |
|
We don't have automated tooling (yet); the jury was still out on how to integrate automation but limiting permissions (i.e., we generally prefer automation to not have direct write access on the repository). So cherry-picks are still manual; feel free to open backports for the release branch(es) though! Some quick comments on that (we really need to write that down somewhere 🙈); When cherry-picking, we prefer using the git cherry-pick -s -x <commit-sha>(add the And for backports, we want the PR description to have the branch in the title (e.g. |
|
LOL; and of course CI hit another flaky test ( |
|
@thaJeztah did you intentionally not add the |
|
@gdams yes; the 24.0 branch is no longer maintained, so we generally skip it; see https://github.com/moby/moby/blob/master/project/BRANCHES-AND-TAGS.md#branches (yet it's a bit confusing 🙈) |
gotcha, wanted to double check! versions are always confusing ;) I've raised all the required backports then! Thanks for getting to this so quickly! I'm slightly amazed that it's taken 2 years for someone to pick this up but glad we've finally sorted it! |
|
🤔 We need to update that list to include 25.0, because AWS uses it (and it's planned to become the next LTS version for Mirantis IIUC). Lots of work to do improving our documentation around that 🙈 |
3 participants
- What I did
I added support for the
riscv64architecture in Docker's seccomp profile by updating the architecture mappings. Specifically, I includedriscv64in thenativeToSeccompandgoToNativemaps in Docker's seccomp profile handling code.- How I did it
nativeToSeccompmap to include"riscv64": specs.ArchRISC_V64for proper architecture mapping.goToNativemap to include"riscv64": "riscv64"for correct runtime architecture detection.- How to verify it
riscv64system.riscv_flush_icachesystem call and other RISC-V-specific syscalls are correctly applied in the seccomp profile.- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)