Error adding seccomp filter rule for syscall clone3: permission denied

After an apt upgrade on my Debian 11 I can no longer run any docker containers. They work well with containerd, but not docker. I tried following official documentation to reinstall it from scratch but it’s not enough.

I keep getting this error:

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "error adding seccomp filter rule for syscall clone3: permission denied": unknown.
ERRO[0002] error waiting for container: context canceled

No matter the container I try running. Nothing helpful in logs:

ERRO[2022-12-04T13:12:15.224643702+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.224644272+01:00] stream copy error: reading from a closed fifo
ERRO[2022-12-04T13:12:15.365268905+01:00] 03dc92f28a918a7d38ac931528a2fcc9456a69f8897e33f46f3b035ad5e0b9cd cleanup: failed to delete container from containerd: no such container

No nvidia-docker and anything I can find on google is about an nvidia-docker setup.

Docker version:

Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:02:28 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 18:00:19 2022
  OS/Arch:          linux/amd64
  Experimental:     false
  Version:          1.6.10
  GitCommit:        770bd0108c32f3fb5c73ae1264f7e503fe7b2661
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
  Version:          0.19.0
  GitCommit:        de40ad0

I think this is the same syscall that caused problems with oolder Docker versions before and the solution was to update Docker, but you are using the latest version.

Did that apt upgrade change the kernel? Can you switch back to a previous kernel?

I’m using kernel version 5.10.0-19-amd64 it’s not the most recent…

It doesn’t have to be. I asked about the kernel so we can find out whether the change of the kernel caused the problem or something else. Without knowing what happend it would be hard to find a solution :slight_smile:

Moved from kernel 5.10.0-8-amd64 to 5.10.0-19-amd64

Okay, that shouldn’t be a big difference for Docker, but I would still try to boot with the previous kernel for debugging if you still have that on your machine.

Was Docker upgraded as well?

yes docker was probably upgraded as well but I don’t remember the version I had previously.

To be honest, never thought docker would break like that for an upgrade. I’d be happy to choose the version that is “tested” for my kernel. Since I want to remain on this specific kernel version.

I tried booting with my old kernel and the problem persists.

For reference podman also works flawlessly.

It is a good practice to disable upgrading Docker so it os upgraded only when you manually do it and you can test it on an other machine before upgrading in production. Years ago I upgradded Docker acidentally on Centos when I ran yum update and the update changed the storage driver so all of my containers seemd to be disappeared. I managed to restore everything, but Docker is not recommended to be upgraded with all the system packages. As far as I know, Docker intercepts syscalls so if Docker deson’t support a syscall, commands inside the container can fail. In this case I don’t know what happened, because it is about adding a seccomp filter rule but it could be related to the Docker version. If it is, it is still a bug which has to be fixed, but at least we would know what to report to the developers.

Maybe you could try the dpkg.log to find out what the previous version was. But I am not sure. I can’t test it right now.

Alright, I’m less careful with docker since I only use it for building images… For now I think I’ll use buildah instead, don’t have too much time to debug meticulously.