Trying to run the GWT compiler (gwtc) inside a container, but on docker 1.11 it is crashing with
[java] Caused by: java.io.IOException: Operation not permitted
[java] at sun.nio.ch.FileDispatcherImpl.init(Native Method)
[java] at sun.nio.ch.FileDispatcherImpl.<clinit>(FileDispatcherImpl.java:35)
[java] ... 79 more
I have confirmed that it is a seccomp issue by running the container unconfined. The build runs through successfully in this case:
$ sudo docker run --security-opt seccomp:unconfined -dp 8023:22 my-build
I captured an strace on both successful and unsuccessful runs from the host machine. I deliberately filtered out the flood of futex syscalls, just to make the output more readable. I then extracted the complete list of syscalls made during a successful run of gwtc.
$ sudo strace -fp 16131 -e 'trace=!futex' >strace.success 2>&1
$ gawk '/^\[pid/ && $3 ~ "^[a-z_]" {sub("\\(.*","",$3); print $3}' strace.success | sort | uniq
There are no syscalls in this strace of a successful build that are not listed in the default seccomp profile. The only syscall (being used in the successful build) that has any constraint on its arguments is clone, so I modified the default profile to allow all args as follows:
{
"name": "clone",
"action": "SCMP_ACT_ALLOW",
"args": []
},
I ran the container with this modified seccomp profile, but no cigar:
$ sudo docker run --security-opt seccomp=seccomp.clone-allow-all-args.json -dp 8023:22 my-build
In the strace of the failed run, I noticed a number of lines of this form:
[pid 15687] syscall_4294967295(0x1, 0xc4460ab4, 0xc4460ba4, 0xffffffff, 0xc4463dc4, 0xc4463dc4 <unfinished ...>
[pid 15672] <... stat64 resumed> 0xf670b78c) = -1 ENOENT (No such file or directory)
[pid 15687] <... syscall_4294967295 resumed> ) = -1 (errno 1)
or
[pid 15687] syscall_4294967295(0x1, 0xc4462754, 0x1, 0x2, 0x1, 0xc4462788) = -1 (errno 1)
Does this represent some syscall that has been rejected by seccomp? Which syscall might it be?
Grepping the successful strace for syscalls with 6 parameters (i.e. 5 commas), I get this list, all of which are whitelisted with unconstrained args in the default seccomp profile:
bind
connect
getsockname
recvfrom
recvmsg
sendmmsg
sendto
So far I am defeated. The only way I can get gwtc to run is by turning seccomp off completely (“unconfined”), which doesn’t seem ideal.
Suggestions?
Server Version: 1.11.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Kernel Version: 4.4.0-22-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
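As an added example, not part of the post and not the poster's own tooling: a small Python script that automates the two checks done by hand above. It extracts the syscall names from an `strace -f` log the way the gawk one-liner does, diffs them against a Docker seccomp profile (listing calls that are not whitelisted and calls whose rule carries argument constraints), and counts the `syscall_4294967295` lines separately. A syscall number of -1 (printed as an unsigned 32-bit value on a 32-bit thread, or 18446744073709551615 on a 64-bit one) is how the kernel reports a call that the seccomp filter has already refused with `SCMP_ACT_ERRNO`: the call was never dispatched, so strace has no name to print, and errno 1 is EPERM, the "Operation not permitted" seen in the Java stack trace. The argument counter also counts commas only at the top level, so struct members inside `{...}` do not inflate the "5 commas" count. The strace excerpt and the profile in the block are constructed samples, not the poster's captures.

```python
import json
import re
from collections import Counter

# Constructed strace -f excerpt (not the poster's strace.success/strace.fail);
# the syscall_4294967295 lines mirror the shape quoted in the post.
SAMPLE_STRACE = """\
[pid 15672] stat64("/build/foo.class", 0xf670b78c) = -1 ENOENT (No such file or directory)
[pid 15687] clone(child_stack=0xc44feb88, flags=CLONE_VM|CLONE_FS|CLONE_FILES) = 15688
[pid 15687] connect(5, {sa_family=AF_INET, sin_port=htons(53)}, 16) = 0
[pid 15687] sendmmsg(5, {...}, 2, MSG_NOSIGNAL) = 2
[pid 15687] syscall_4294967295(0x1, 0xc4462754, 0x1, 0x2, 0x1, 0xc4462788) = -1 (errno 1)
[pid 15687] syscall_4294967295(0x1, 0xc4460ab4, 0xc4460ba4, 0xffffffff, 0xc4463dc4, 0xc4463dc4 <unfinished ...>
[pid 15672] <... stat64 resumed> 0xf670b78c) = -1 ENOENT (No such file or directory)
[pid 15687] <... syscall_4294967295 resumed> ) = -1 (errno 1)
[pid 15687] futex(0xf7738c8c, FUTEX_WAIT_PRIVATE, 1, NULL) = 0
[pid 15687] ioperm(0, 1024, 1) = -1 EPERM (Operation not permitted)
"""

# Cut-down seccomp profile in Docker's JSON format, constructed for this example
# (a real default profile whitelists several hundred syscalls).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "stat64",   "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "connect",  "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "sendmmsg", "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "futex",    "action": "SCMP_ACT_ALLOW", "args": []},
    {"name": "clone",    "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2080505856, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]}
  ]
}
""")

# A line that starts a syscall: optional "[pid N]" prefix, then "name(".
# "<... name resumed>" continuation lines do not match, so each call counts once.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([A-Za-z_][A-Za-z0-9_]*)\(")
UNNAMED_RE = re.compile(r"^syscall_(\d+)$")


def syscall_names(strace_text):
    """Count each syscall name, the same extraction as the gawk one-liner in the post."""
    counts = Counter()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def _unnamed_number(name):
    m = UNNAMED_RE.match(name)
    return int(m.group(1)) if m else None


def seccomp_rejections(counts):
    """Names of the form syscall_<n> where n is -1 as an unsigned 32- or 64-bit value.
    The kernel reports number -1 for a call the seccomp filter answered with
    SCMP_ACT_ERRNO, so strace prints it without a name; the count is how many were refused."""
    return {name: n for name, n in counts.items()
            if _unnamed_number(name) in (2**32 - 1, 2**64 - 1)}


def top_level_argc(line):
    """Argument count of a complete 'name(args) = ret' line, counting commas only
    outside quotes and outside (), [] and {} so struct members are not counted.
    Returns None for continuation ('<... resumed>') or '<unfinished ...>' lines."""
    m = SYSCALL_RE.match(line)
    if not m or "<unfinished" in line:
        return None
    start = m.end()
    if line[start] == ")":
        return 0
    depth, commas, in_str = 0, 0, False
    for ch in line[start:]:
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            commas += 1
    return commas + 1


def six_arg_calls(strace_text):
    """Sorted names of calls made with exactly six arguments (the '5 commas' grep)."""
    names = {SYSCALL_RE.match(line).group(1) for line in strace_text.splitlines()
             if top_level_argc(line) == 6}
    return sorted(names)


def audit(strace_text, profile):
    """Compare observed syscalls with the ALLOW rules of a Docker seccomp profile."""
    counts = syscall_names(strace_text)
    allowed = {r["name"]: r.get("args") or [] for r in profile["syscalls"]
               if r["action"] == "SCMP_ACT_ALLOW"}
    observed = {n for n in counts if _unnamed_number(n) is None}
    return {
        "unlisted": sorted(observed - allowed.keys()),          # used but not whitelisted
        "constrained": sorted(n for n in observed if allowed.get(n)),  # allowed with arg rules
        "rejected": sum(seccomp_rejections(counts).values()),   # seccomp ERRNO markers
        "total": sum(counts.values()),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STRACE, SAMPLE_PROFILE), indent=2))
    print("six-argument calls:", six_arg_calls(SAMPLE_STRACE))
```

To use it on real captures, read `strace.success` or the failed-run log into `strace_text` and load the profile JSON passed to `--security-opt seccomp=...` in place of `SAMPLE_PROFILE`. Note that on a 32-bit JVM the `syscall_...` marker carries no name, so the "unlisted" set from the failed run can be empty even though calls were refused; the "rejected" counter is the signal that seccomp, not the application, produced the EPERM.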