[1/1] CI: Reenable Tumbleweed

Message ID 20211027092027.7124-1-pvorel@suse.cz
State Accepted

Commit Message

Petr Vorel Oct. 27, 2021, 9:20 a.m. UTC
50b3bae29 had to disable Tumbleweed due to glibc-2.34 using the new syscall
clone3, which is not enabled in the Docker seccomp filter [1].

The workaround is to disable Docker seccomp filtering, as we don't need this
protection. This should help to avoid seccomp filtering in the future
for all distros.

[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1190670

Fixes: https://github.com/actions/virtual-environments/issues/4193

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Tested:
https://github.com/pevik/iputils/runs/4020083152?check_suite_focus=true

 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)
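The root cause described in the commit message (a seccomp profile answering EPERM for a syscall the distro's glibc now uses) is easy to confirm from inside the container before reaching for seccomp=unconfined. The probe below is an added example for this thread, not code from iputils or the patch; it assumes Linux and defines __NR_clone3 as 435 (the number clone3 has on every architecture) in case the build headers predate it. It calls clone3 with a zero-sized argument block, which the kernel rejects with EINVAL before creating anything, so a reachable clone3 yields EINVAL, a filtered one yields EPERM, and a kernel without clone3 yields ENOSYS.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* clone3 is syscall 435 on every Linux architecture that provides it;
 * define it here if the installed headers predate Linux 5.3 (assumption
 * for this example, not something the patch itself relies on). */
#if defined(__linux__) && !defined(__NR_clone3)
#define __NR_clone3 435
#endif

enum clone3_status {
    CLONE3_AVAILABLE,   /* EINVAL: the kernel parsed the request, not filtered */
    CLONE3_FILTERED,    /* EPERM: a seccomp filter rejected the call */
    CLONE3_UNSUPPORTED, /* ENOSYS: kernel has no clone3 (or a filter says so) */
    CLONE3_UNKNOWN      /* not Linux, or an unexpected result */
};

/* Probe clone3 with a deliberately undersized argument block.  A kernel that
 * implements clone3 rejects size 0 with EINVAL before it creates anything,
 * so no child process is ever spawned; a seccomp filter that blocks the
 * syscall answers before the kernel ever looks at the arguments.
 * *saved_errno receives the errno of the probe (0 if the call did not fail). */
enum clone3_status probe_clone3(int *saved_errno)
{
    int err = 0;
    enum clone3_status status = CLONE3_UNKNOWN;
#ifdef __linux__
    errno = 0;
    long rc = syscall(__NR_clone3, NULL, (size_t)0);
    if (rc == -1) {
        err = errno;
        if (err == EINVAL)
            status = CLONE3_AVAILABLE;
        else if (err == EPERM)
            status = CLONE3_FILTERED;
        else if (err == ENOSYS)
            status = CLONE3_UNSUPPORTED;
    }
#endif
    if (saved_errno)
        *saved_errno = err;
    return status;
}

/* Human-readable label for a probe result. */
const char *clone3_status_name(enum clone3_status s)
{
    switch (s) {
    case CLONE3_AVAILABLE:   return "available";
    case CLONE3_FILTERED:    return "filtered";
    case CLONE3_UNSUPPORTED: return "unsupported";
    default:                 return "unknown";
    }
}

int main(void)
{
    int err;
    enum clone3_status s = probe_clone3(&err);
    printf("clone3: %s (errno %d: %s)\n", clone3_status_name(s), err,
           err ? strerror(err) : "none");
    /* Exit non-zero only when a filter is in the way, so a CI step can run
     * this probe to decide whether seccomp=unconfined is actually needed
     * for a given container image. */
    return s == CLONE3_FILTERED ? 1 : 0;
}
```

Run it once with the default container options and once with the seccomp option from the patch: "filtered" in the first run and "available" in the second confirms that the profile, not the kernel, is what breaks glibc-2.34, and the same probe tells you when a newer Docker profile (or a newer runner) has made the unconfined option unnecessary.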

Comments

Petr Vorel Oct. 27, 2021, 9:42 a.m. UTC | #1
Hi,

<snip>
>      container:
>        image: ${{ matrix.container }}
>        env: ${{ matrix.env }}
> +      options: --security-opt seccomp=unconfined
Alternatively 'options: --privileged' could be used (to run a privileged
container); IMHO it does not matter which of these we take.

Kind regards,
Petr
Cyril Hrubis Oct. 27, 2021, 9:52 a.m. UTC | #2
Hi!
> >      container:
> >        image: ${{ matrix.container }}
> >        env: ${{ matrix.env }}
> > +      options: --security-opt seccomp=unconfined
> Alternatively 'options: --privileged' could be used (to run privileged
> container), IMHO does not matter which of these we take.

Looking at docker documentation it looks like --privileged disables much
more than just the seccomp filtering. I do not think that this is a good
idea. Let's go with just disabling seccomp for affected distros.
Petr Vorel Oct. 27, 2021, 10:13 a.m. UTC | #3
> Hi!
> > >      container:
> > >        image: ${{ matrix.container }}
> > >        env: ${{ matrix.env }}
> > > +      options: --security-opt seccomp=unconfined
> > Alternatively 'options: --privileged' could be used (to run privileged
> > container), IMHO does not matter which of these we take.

> Looking at docker documentation it looks like --privileged disables much
> more than just the seccomp filtering. I do not think that this is a good
> idea. Let's go with just disabling seccomp for affected distros.
IMHO both are ok for just compilation (other projects use it as well for just
CI doing compilation), but sure, let's use the minimum.
FYI this disables seccomp for all machines. Is that ok for you?
IMHO that's not a big deal + we will not have to bother when Fedora also gets
a new enough glibc (IMHO the problem will periodically occur on bleeding-edge distros
when glibc starts to use a new enough syscall).

Kind regards,
Petr
Cyril Hrubis Oct. 29, 2021, 8:22 a.m. UTC | #4
Hi!
> > Looking at docker documentation it looks like --privileged disables much
> > more than just the seccomp filtering. I do not think that this is a good
> > idea. Let's go with just disabling seccomp for affected distros.
> IMHO both are ok for just compilation (other projects use it as well for just
> CI doing compilation), but sure, let's use the minimum.
> FYI this disables seccomp for all machines. Is that ok for you?
> IMHO that's not a big deal + we will not have to bother when Fedora also gets
> new enough glibc (IMHO problem will periodically occurs on bleeding edge distros
> when glibc starts to use new enough syscall).

Anyways:

Acked-by: Cyril Hrubis <chrubis@suse.cz>

For the original patch that disables seccomp.
Petr Vorel Oct. 29, 2021, 9:38 a.m. UTC | #5
Hi Cyril,

> Hi!
> > > Looking at docker documentation it looks like --privileged disables much
> > > more than just the seccomp filtering. I do not think that this is a good
> > > idea. Let's go with just disabling seccomp for affected distros.
> > IMHO both are ok for just compilation (other projects use it as well for just
> > CI doing compilation), but sure, let's use the minimum.
> > FYI this disables seccomp for all machines. Is that ok for you?
> > IMHO that's not a big deal + we will not have to bother when Fedora also gets
> > new enough glibc (IMHO problem will periodically occurs on bleeding edge distros
> > when glibc starts to use new enough syscall).

> Anyways:

> Acked-by: Cyril Hrubis <chrubis@suse.cz>

> For the original patch that disables seccomp.

Thanks, pushed!

Kind regards,
Petr
Patch

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ffde8c48..55d8f5eb5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,6 +76,11 @@  jobs:
               CC: clang
               METADATA: asciidoc-pdf
 
+          - container: "opensuse/tumbleweed"
+            env:
+              CC: gcc
+              METADATA: asciidoctor
+
           - container: "opensuse/leap"
             env:
               CC: gcc
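Review bot: the re-added `- container: "opensuse/tumbleweed"` entry carries no hint that it was removed in 50b3bae29 and only works again because of the seccomp option on the shared `container:` block, so the next glibc/seccomp breakage on a bleeding-edge image will send someone back to git history. A one-line YAML comment above the entry pointing at https://bugzilla.opensuse.org/show_bug.cgi?id=1190670 and naming the dependency on `--security-opt seccomp=unconfined` would make that visible in the workflow itself.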
@@ -110,6 +115,7 @@  jobs:
     container:
       image: ${{ matrix.container }}
       env: ${{ matrix.env }}
+      options: --security-opt seccomp=unconfined
 
     steps:
     - name: Show OS
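Review bot: `options: --security-opt seccomp=unconfined` sits on the shared `container:` block, so every matrix entry now runs without Docker's seccomp profile even though only Tumbleweed's glibc-2.34 needs clone3 today; the thread accepts that as deliberate, but it is wider than the "affected distros only" scope Cyril asked for. If the narrower scope is wanted, it can be expressed the same way `env` already is: `options: ${{ matrix.options }}`, with `options: --security-opt seccomp=unconfined` set only on the opensuse/tumbleweed entry, so the default profile stays in force for the other images. Either way, a comment naming clone3 as the reason would stop the option from being carried forward long after newer runners make it unnecessary.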