Podman on Ubuntu 18.04 fails with seccomp error #4734

Closed
adrianreber opened this issue Dec 21, 2019 · 6 comments

@adrianreber
Collaborator

I installed Podman on Ubuntu 18.04 using the following link:

https://software.opensuse.org//download.html?project=devel%3Akubic%3Alibcontainers%3Astable&package=podman

This gives me podman 1.6.4~1, but starting a container gives me the following error:

# podman run --name cr -d docker.io/library/alpine /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
Error: loading seccomp profile (/etc/crio/seccomp.json) failed: Seccomp not supported on this platform

I have the default kernel that came with the installation: 4.15.0-72-generic.

I have seen the same error using Podman on a Travis based system.

# podman info
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.8, commit: d35534bc4b9bc722bf1ab6f4e828fcaa6bee236a-dirty'
  Distribution:
    distribution: ubuntu
    version: "18.04"
  MemFree: 1491496960
  MemTotal: 2086400000
  OCIRuntime:
    name: runc
    package: 'cri-o-runc: /usr/bin/runc'
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 4294832128
  SwapTotal: 4294832128
  arch: amd64
  cpus: 4
  eventlogger: journald
  hostname: ubuntu01
  kernel: 4.15.0-72-generic
  os: linux
  rootless: false
  uptime: 7m 22.07s
registries:
  blocked: null
  insecure: null
  search: null
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 2
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

@alitvak69

I reproduced it in my test environment. The same container runs on 1.6.2 installed from the PPA.

@alitvak69

I could run the same container with --security-opt=seccomp=unconfined. Was SELinux enabled during the build?

@lsm5 self-assigned this Dec 21, 2019
@lsm5 added the Packaging and ubuntu labels Dec 21, 2019

@rhatdan
Member

rhatdan commented Dec 22, 2019

--security-opt=seccomp=unconfined has nothing to do with SELinux. This is disabling seccomp.json rules.

@alitvak69

@rhatdan understood. I do see podman built with libseccomp and so is cri-o-runc.

According to dsc:
podman 1.6.4:
Build-Depends: debhelper (>= 9), libassuan-dev, libgpgme11-dev, libseccomp-dev, libsystemd-dev, dh-golang, golang, libglib2.0-dev, go-md2man, git
cri-o-runc 1.0.0-3:
Build-Depends: debhelper (>= 9), dh-golang, golang, go-md2man, libapparmor-dev, protobuf-compiler, libseccomp-dev, rsync, pkg-config

On my test box I have:
libseccomp2:amd64 2.4.1-0ubuntu0.18.04.2

@alitvak69

I may be mistaken, but seccomp was not enabled on the podman build (the seccomp tag is missing):

[ 169s] GOPATH=/usr/src/packages/BUILD GO111MODULE=off /usr/bin/go build -tags 'apparmor exclude_graphdriver_devicemapper exclude_graphdriver_btrfs systemd varlink' -ldflags '"-X main.buildInfo=1576703795"' -o bin/podman github.com/containers/libpod/cmd/podman
[ 253s] GOPATH=/usr/src/packages/BUILD GO111MODULE=off /usr/bin/go build -tags 'apparmor exclude_graphdriver_devicemapper exclude_graphdriver_btrfs systemd varlink remoteclient' -ldflags '"-X main.buildInfo=1576703795"' -o bin/podman-remote github.com/containers/libpod/cmd/podman
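
The build-log check described in the comment above, as an added example that is not part of the original thread or the Podman packaging: it lists every `go build` target whose `-tags` list lacks a required tag, matching whole tags so that a `libseccomp-dev` build dependency alone does not count. The function names `builds_missing_tag` and `sample_log` are hypothetical, and the third sample log line is constructed here for contrast.

```shell
#!/usr/bin/env bash
# Added example: audit a package build log for `go build` invocations that
# were compiled without a required build tag (here: seccomp).

# builds_missing_tag TAG < build.log
# Prints the -o target of every `go build` line built without TAG.
builds_missing_tag() {
  awk -v want="$1" -v q="'" '
    index(" " $0, " go build ") || index($0, "/go build ") {
      tags = ""
      # Quoted form: -tags <q>a b c<q>; otherwise -tags a,b or -tags=a,b.
      if (match($0, "-tags[ =]" q "[^" q "]*" q))
        tags = substr($0, RSTART + 7, RLENGTH - 8)
      else if (match($0, "-tags[ =][^ ]+"))
        tags = substr($0, RSTART + 6, RLENGTH - 6)
      # Go accepts space- or comma-separated tag lists; compare whole tags.
      n = split(tags, t, "[ ,]+")
      found = 0
      for (i = 1; i <= n; i++) if (t[i] == want) found = 1
      # Report the output binary so the affected package is obvious.
      out = "(no -o)"
      for (i = 1; i < NF; i++) if ($i == "-o") out = $(i + 1)
      if (!found) print out
    }'
}

# Sample input: the first two lines are the build log quoted in the thread;
# the third line is constructed to show a build that does carry the tag.
sample_log() {
  cat <<'EOF'
[ 169s] GOPATH=/usr/src/packages/BUILD GO111MODULE=off /usr/bin/go build -tags 'apparmor exclude_graphdriver_devicemapper exclude_graphdriver_btrfs systemd varlink' -ldflags '"-X main.buildInfo=1576703795"' -o bin/podman github.com/containers/libpod/cmd/podman
[ 253s] GOPATH=/usr/src/packages/BUILD GO111MODULE=off /usr/bin/go build -tags 'apparmor exclude_graphdriver_devicemapper exclude_graphdriver_btrfs systemd varlink remoteclient' -ldflags '"-X main.buildInfo=1576703795"' -o bin/podman-remote github.com/containers/libpod/cmd/podman
[ 300s] /usr/bin/go build -tags 'apparmor seccomp systemd' -o bin/example-with-seccomp ./cmd/example
EOF
}

# Lists the binaries that would fail to load a seccomp profile at runtime.
sample_log | builds_missing_tag seccomp
```

Run against a real build log with `builds_missing_tag seccomp < build.log`; empty output means every `go build` line carried the tag.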

@alitvak69

Installation of 1.6.4~2 fixed the problem.

@rhatdan closed this as completed Dec 24, 2019
github-actions bot added the "locked - please file new issue/PR" label Sep 23, 2023
github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023