"operation not permitted", a `libseccomp` story

[yosifkit]

This issue is to show example errors that happen when dockerd¹ and/or libseccomp[2]² are not up-to-date when using images based on a newer Linux distribution release.

---

TL;DR:
libseccomp lets you configure allowed syscalls for a process. Docker sets a default seccomp profile for all containers such that only certain syscalls are allowed and everything else is blocked (so, newer syscalls that are not yet known to libseccomp or docker are blocked³).

• verify that it is libseccomp by running the image with --security-opt seccomp=unconfined
  • use this only as a test; it is less secure to keep running them "unconfined"
  • learn more: https://docs.docker.com/engine/security/seccomp/
• one fix:
  • update libseccomp and docker on the host running the containers
• one workaround:

  • switch to an older image:

    Many Docker Official Images have tags that reference the Linux distribution and some DOI support two concurrently. Check their Docker Hub description to see which tags are currently maintained.

    for example, if 16 started failing when it moved to Debian Bookworm, then 16-bullseye is a valid workaround until the host can be updated. And similar for 16-alpine and 16-alpine3.19.
    

---

One example is that, on some platforms, tar -xzf file.tar.gz uses fchmodat2 in Alpine 3.20 and fails. This syscall isn't in Docker's seccomp profile until Docker 26.0.0, 25.0.3, 24.0.10, and 23.0.10 (see moby/moby#47341 and linked backports).

example:

+ wget -O memcached.tar.gz [https://memcached.org/files/memcached-1.6.27.tar.gz](https://memcached.org/files/memcached-1.6.27.tar.gz)
Connecting to memcached.org (107.170.231.145:443)
saving to 'memcached.tar.gz'
memcached.tar.gz     100% |********************************| 1161k  0:00:00 ETA
'memcached.tar.gz' saved
+ echo 'baf2e7494e1f62d275ff29a99f270abbdb923f75  memcached.tar.gz'
+ sha1sum -c -
memcached.tar.gz: OK
+ mkdir -p /usr/src/memcached
+ tar -xzf memcached.tar.gz -C /usr/src/memcached '--strip-components=1'
tar: t/sasl: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: t/lib: Cannot change mode to rwxr-xr-x: Operation not permitted
tar: t: Cannot change mode to rwxr-xr-x: Operation not permitted
tar: m4: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: doc/xml2rfc: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: doc: Cannot change mode to rwxr-xr-x: Operation not permitted
...

---

other issues that are also a libseccomp denial:

• Cassandra's amd64 images seem broken starting with 3.11.16 cassandra#274
• statx syscall not working correctly with DinD  docker#119
• make no longer working as expected with Alpine 3.14 based containers golang#378
• runtime/cgo: pthread_create failed: Operation not permitted golang#467
• curl not working in golang:1.20.5 golang#470
• Operation not permitted: AH00480: ap_thread_create: unable to create worker thread httpd#238
• ERROR: child process failed, exited with 51 mongo#606
• Alpine 3.14 make: /bin/sh: Operation not permitted php#1177
• GPG error in php:8.2-fpm after latest retag php#1417
• Docker image for Postgres 14 based on BookWarm is broken somehow postgres#1100
• Yesterdays update is incompatible with concourse  python#634
• python:3.9 - Failed run apt update from the last version of the image python#837
• error: clock_gettime(CLOCK_MONOTONIC, _) failed... rabbitmq#462
• Debian bookworm upgrade renders container unable to start redis/docker-library-redis#365
• ThreadError: can't create Thread: Operation not permitted redmine#307
• Alpine 3.14 images can fail on Docker versions older than 20.10 ruby#351
• Image tag 3.2.2 Thread not permitted ruby#429
• Latest image incompatible with old versions of docker engine ? tomcat#269
• i386 unstable and testing fail. debuerreotype/docker-debian-artifacts#97
• apt update fails on ubuntu:jammy unless --security-opt seccomp=unconfined is specified tianon/docker-brew-ubuntu-core#236

related moby (docker) issues:

• Seccomp blocks install of "libc6" in Ubuntu 20.04 "focal" image on armhf (arm32v7) moby/moby#40734
• seccomp: add support for "clone3" syscall in default policy moby/moby#42681

---

¹ runc and containerd should be up-to-date as well but are usually included as a dependency when updating Docker (engine)

² might even require a newer libseccomp[2] package than your distribution/release currently includes, such as needing 2.5.5+ for fchmodat2 (#16830 (comment), https://bugs.debian.org/1071822)

³ newer versions of docker and dependencies are being improved to block known syscalls (EPERM), but newer syscalls should get ENOSYS: moby/moby#42871

[tianon]

To be explicitly clear: this is intended as an informational / reference issue, not a place to discuss more/related issues or as a place to ask for help. Any comments doing so will be hidden (and if it is a recurring problem, we will have to lock the issue, but we'd like to avoid doing that because it stops back-references from showing up here appropriately and those are useful).

As a friendly reminder, if you need help (or are unsure whether this is "the issue" you're seeing), try a dedicated support forum such as the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow.