touch-packages team mailing list archive

Thread
Date

[Bug 1526358] Re: xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Martin Pitt <martin.pitt@xxxxxxxxxx>
Date: Wed, 16 Dec 2015 08:15:17 -0000
Reply-to: Bug 1526358 <1526358@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I further bisected it down to adding this line to /usr/include/i386
-linux-gnu/asm/unistd_32.h:

  #define __NR_socket 359

if I drop just that and rebuild systemd, seccomp/nspawn work again.

While systemd does define some syscalls for some more obscure platforms
in https://github.com/systemd/systemd/blob/master/src/basic/missing.h if
the kernel headers don't already define them, these don't seem to
collide with either __NR_socket or the value 359. The only place where I
see this referenced is in /usr/include/asm-generic/unistd.h:

#define __NR_socket 198
__SYSCALL(__NR_socket, sys_socket)

but as that redefines __NR_socket I figure that's unrelated. Commenting
it out doesn't change the behaviour at all.

I confirm this on Debian sid which has linux-libc-dev 4.3.3-1, exact
same situation.

At this point I'm afraid I don't understand what's going on and what
these new syscall definitions do.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1526358

Title:
  xenial/i386 regression: nspawn fails with "Failed to add audit seccomp
  rule: Bad address"

Status in linux package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  Four days ago, on Dec 10,
  http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started
  failing:

  ======================================================================
  FAIL: test_boot (__main__.NspawnTest)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot
      self.assertIn(b'fake container started', out)
  AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n'

  This is reproducible in xenial-release, i. e. it already slipped
  through -proposed.

  This can be reproduced easily on a xenial i386 VM:

    sudo apt-get install busybox-static
    mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/
    cp /bin/busybox /tmp/c/bin/
    ln -s ../bin/busybox /tmp/c/sbin/init
    ln -s busybox /tmp/c/bin/sh
    cp /etc/os-release /tmp/c/etc
    sudo systemd-nspawn -b -D /tmp/c

  This should normally boot a busybox container; you'll get a few error
  messages as there's no SysV init stuff there, but it should start and
  pressing enter should get you into a shell. But on i386 it fails with

  $   sudo systemd-nspawn -b -D /tmp/c
  Spawning container c on /tmp/c.
  Press ^] three times within 1s to kill container.
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to add audit seccomp rule: Bad address

  which is what the test case fails on too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1526358/+subscriptions

References

[Bug 1526358] [NEW] xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"
From: Martin Pitt, 2015-12-15