2017-03-15 40 views
0

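Docker and libseccomp

I've run into a Docker problem. I have openSUSE 13.2 here and a self-built version of the libseccomp library. It is the new version 2.3.1 from a few weeks ago. If I run any Docker container, I get the following error: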

hostname:/usr/lib/docker # docker run hello-world 
Unable to find image 'hello-world:latest' locally 
latest: Pulling from library/hello-world 
78445dd45222: Pull complete 
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7 
Status: Downloaded newer image for hello-world:latest 
container_linux.go:247: starting container process caused "conditional filtering requires libseccomp version >= 2.2.1" 
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "conditional filtering requires libseccomp version >= 2.2.1". 
ERRO[0002] error getting events from daemon: net/http: request canceled 

Of course I can use the option --security-opt seccomp:unconfined when starting the container, but that is not my aim.

# rpm -qa libseccomp 
libseccomp-2.3.1-1.x86_64 

docker info:

Containers: 1 
Running: 0 
Paused: 0 
Stopped: 1 
Images: 1 
Server Version: 1.13.0 
Storage Driver: devicemapper 
Pool Name: docker-254:2-655361-pool 
Pool Blocksize: 65.54 kB 
Base Device Size: 10.74 GB 
Backing Filesystem: ext4 
Data file: /dev/loop0 
Metadata file: /dev/loop1 
Data Space Used: 307.2 MB 
Data Space Total: 107.4 GB 
Data Space Available: 20.64 GB 
Metadata Space Used: 806.9 kB 
Metadata Space Total: 2.147 GB 
Metadata Space Available: 2.147 GB 
Thin Pool Minimum Free Space: 10.74 GB 
Udev Sync Supported: true 
Deferred Removal Enabled: false 
Deferred Deletion Enabled: false 
Deferred Deleted Device Count: 0 
Data loop file: /var/lib/docker/devicemapper/devicemapper/data 
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device. 
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata 
Library Version: 1.03.01 (2011-10-15) 
Logging Driver: json-file 
Cgroup Driver: cgroupfs 
Plugins: 
Volume: local 
Network: bridge host macvlan null overlay 
Swarm: inactive 
Runtimes: oci runc 
Default Runtime: runc 
Init Binary: docker-init 
containerd version: (expected: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e) 
runc version: N/A (expected: 2f7393a47307a16f8cee44a37b262e8b81021e3e) 
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574) 
Security Options: 
apparmor 
seccomp 
    Profile: default 
Kernel Version: 3.16.7-53-desktop 
Operating System: openSUSE 13.2 (Harlequin) (x86_64) 
OSType: linux 
Architecture: x86_64 
CPUs: 4 
Total Memory: 3.868 GiB 
Name: hostname 
ID: DCOH:JZMG:ZUTM:5MSB:DVAG:SQXS:Z36N:5OXU:GQII:YTMO:RWDA:HYBJ 
Docker Root Dir: /var/lib/docker 
Debug Mode (client): false 
Debug Mode (server): false 
Registry: https://index.docker.io/v1/ 
WARNING: No swap limit support 
WARNING: No kernel memory limit support 
Experimental: false 
Insecure Registries: 
127.0.0.0/8 
Live Restore Enabled: false 
+0

Did you restart the Docker daemon after upgrading libseccomp? –

+0

Sure thing. I even restarted the machine –

+0

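Did you rebuild 'runc' with the new libseccomp version? In general, I would advise against these frankenbuilds - there is a reason we publish and maintain packages in OBS. It is so that these problems don't happen. – cyphar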

Answer

4

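It looks like the problem may be with runc. I'm currently hitting the same error on Leap 42.1, using docker & runc from the OBS Virtualization:containers repo. My setup was working fine until a recent series of package updates.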

i | runc | package | 0.1.1+gitr2942_2f7393a-33.2 | x86_64 | Virtualization:containers (openSUSE_Leap_42.1) 
i | docker | package | 1.13.0-182.1    | x86_64 | Virtualization:containers (openSUSE_Leap_42.1) 

Running strings on /usr/sbin/runc shows:

strings /usr/sbin/runc | grep 2.2.1 
[..] 
conditional filtering requires libseccomp version >= 2.2.1 
[..] 

Further down, the changelog shows:

* Fri Feb 24 2017 
- update to docker-1.13.0 requirement 
* Mon Dec 19 2016 
- update runc to the version used in docker 1.12.5 (bsc#1016307). 

And the source for the package has this at line 299 of Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go:

return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1") 

It looks like there is now an official bug report; this issue affects several different SUSE releases that use this repo:

https://bugzilla.opensuse.org/show_bug.cgi?id=1028639

+0

You are right. I have the same problem with the recent update of Leap 42.1 and Docker 1.13.0. I had to downgrade to Docker 1.12.6 –
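An added illustration, not code from runc, libseccomp-golang or any poster on this page, of the situation cyphar's rebuild question points to: a version gate that consults the libseccomp version the binary was built against rejects conditional rules even when a newer library is installed. That the gate uses a build-time version is an assumption here; all function names are hypothetical, and 2.1.1 is a constructed build-time version.

```go
package main

import (
	"errors"
	"fmt"
)

// version is a libseccomp major.minor.micro triple.
type version struct{ major, minor, micro int }

// atLeast reports whether v >= want, comparing field by field.
func (v version) atLeast(want version) bool {
	if v.major != want.major {
		return v.major > want.major
	}
	if v.minor != want.minor {
		return v.minor > want.minor
	}
	return v.micro >= want.micro
}

// parseVersion (hypothetical helper) parses strings such as "2.3.1".
func parseVersion(s string) (version, error) {
	var v version
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &v.major, &v.minor, &v.micro); err != nil {
		return v, fmt.Errorf("bad version %q: %v", s, err)
	}
	return v, nil
}

var errConditional = errors.New("conditional filtering requires libseccomp version >= 2.2.1")

// addConditionalRule models the gate. Assumption: only the build-time
// version is checked; the installed version is deliberately ignored.
func addConditionalRule(builtAgainst, installed string) error {
	b, err := parseVersion(builtAgainst)
	if err != nil {
		return err
	}
	if !b.atLeast(version{2, 2, 1}) {
		return errConditional
	}
	return nil
}

func main() {
	// Constructed inputs: 2.3.1 is the installed version from the question.
	fmt.Println(addConditionalRule("2.1.1", "2.3.1")) // stale build: error
	fmt.Println(addConditionalRule("2.3.1", "2.3.1")) // rebuilt: <nil>
}
```

Under that assumption, upgrading the library alone changes nothing; only a runc rebuilt against the newer libseccomp passes the check.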