Docker and libseccomp

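I've run into a problem with Docker. I'm on openSUSE 13.2 with a self-built version of the libseccomp library. It is the fresh version 2.3.1 from a few weeks ago. Whenever I run any Docker container, I get the following error: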

    hostname:/usr/lib/docker # docker run hello-world
    Unable to find image 'hello-world:latest' locally
    latest: Pulling from library/hello-world
    78445dd45222: Pull complete
    Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
    Status: Downloaded newer image for hello-world:latest
    container_linux.go:247: starting container process caused "conditional filtering requires libseccomp version >= 2.2.1"
    docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "conditional filtering requires libseccomp version >= 2.2.1".
    ERRO[0002] error getting events from daemon: net/http: request canceled

Of course, I can use the option --security-opt seccomp:unconfined when starting the container, but that is not what I want.

    # rpm -qa libseccomp
    libseccomp-2.3.1-1.x86_64

docker info:

    Containers: 1
     Running: 0
     Paused: 0
     Stopped: 1
    Images: 1
    Server Version: 1.13.0
    Storage Driver: devicemapper
     Pool Name: docker-254:2-655361-pool
     Pool Blocksize: 65.54 kB
     Base Device Size: 10.74 GB
     Backing Filesystem: ext4
     Data file: /dev/loop0
     Metadata file: /dev/loop1
     Data Space Used: 307.2 MB
     Data Space Total: 107.4 GB
     Data Space Available: 20.64 GB
     Metadata Space Used: 806.9 kB
     Metadata Space Total: 2.147 GB
     Metadata Space Available: 2.147 GB
     Thin Pool Minimum Free Space: 10.74 GB
     Udev Sync Supported: true
     Deferred Removal Enabled: false
     Deferred Deletion Enabled: false
     Deferred Deleted Device Count: 0
     Data loop file: /var/lib/docker/devicemapper/devicemapper/data
     WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
     Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
     Library Version: 1.03.01 (2011-10-15)
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay
    Swarm: inactive
    Runtimes: oci runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: (expected: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e)
    runc version: N/A (expected: 2f7393a47307a16f8cee44a37b262e8b81021e3e)
    init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
    Security Options:
     apparmor
     seccomp
      Profile: default
    Kernel Version: 3.16.7-53-desktop
    Operating System: openSUSE 13.2 (Harlequin) (x86_64)
    OSType: linux
    Architecture: x86_64
    CPUs: 4
    Total Memory: 3.868 GiB
    Name: hostname
    ID: DCOH:JZMG:ZUTM:5MSB:DVAG:SQXS:Z36N:5OXU:GQII:YTMO:RWDA:HYBJ
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    WARNING: No swap limit support
    WARNING: No kernel memory limit support
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false

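It looks like the problem may be with runc. I'm currently hitting the same error on Leap 42.1, using docker and runc from the OBS Virtualization:container repo. My setup was working fine until a recent series of package updates.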

    i | runc   | package | 0.1.1+gitr2942_2f7393a-33.2 | x86_64 | Virtualization:containers (openSUSE_Leap_42.1)
    i | docker | package | 1.13.0-182.1                | x86_64 | Virtualization:containers (openSUSE_Leap_42.1)

Running strings on /usr/sbin/runc shows:

    strings /usr/sbin/runc | grep 2.2.1
    [..]
    conditional filtering requires libseccomp version >= 2.2.1
    [..]

Going further, the changelog shows:

    * Fri Feb 24 2017
    - update to docker-1.13.0 requirement
    * Mon Dec 19 2016
    - update runc to the version used in docker 1.12.5 (bsc#1016307).

And the package's source has, on line 299 of Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go:

    return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1")

It looks like there is now an official bug report; the issue affects several different SUSE releases that use this repo:

https://bugzilla.opensuse.org/show_bug.cgi?id=1028639
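
An added example, not part of the original posts and not runc or Docker code: the error text refers to conditional filtering, meaning seccomp rules that match on syscall argument values, so this Python script lists which rules in a Docker-format seccomp profile carry such conditions. The sample profile is constructed, and the JSON layout (`syscalls` entries with `names` or `name`, `action`, `args`) is assumed to match the profile you inspect.

```python
import json

# Constructed sample in Docker's seccomp profile JSON layout (not the real
# default profile): two rules without conditions, two with argument conditions.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "valueTwo": 0, "op": "SCMP_CMP_EQ"}]},
    {"name": "socket", "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 1, "valueTwo": 0, "op": "SCMP_CMP_EQ"}]},
    {"name": "exit", "action": "SCMP_ACT_ALLOW"}
  ]
}
"""


def conditional_rules(profile_text):
    """Return (syscall, action, [conditions]) for every rule with arg filters."""
    profile = json.loads(profile_text)
    found = []
    for rule in profile.get("syscalls") or []:
        # A missing key, null and [] all mean the rule has no conditions.
        args = rule.get("args") or []
        if not args:
            continue
        # Some profiles group syscalls under "names"; others use a single "name".
        names = rule.get("names") or ([rule["name"]] if rule.get("name") else [])
        # valueTwo (used by masked comparisons) is left out of the summary.
        conds = ["arg{} {} {}".format(a["index"], a["op"], a["value"]) for a in args]
        for name in names:
            found.append((name, rule.get("action"), conds))
    return found


def needs_conditional_filtering(profile_text):
    """True if the profile contains at least one rule with argument conditions."""
    return bool(conditional_rules(profile_text))


if __name__ == "__main__":
    for name, action, conds in conditional_rules(SAMPLE_PROFILE):
        print("{:<12} {:<16} {}".format(name, action, " && ".join(conds)))
    print("needs conditional filtering:", needs_conditional_filtering(SAMPLE_PROFILE))
```
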