Alpine 3.14 images can fail on Docker versions older than 20.10

[stanhu]

We run a slightly old Container-Optimized OS from Google (13310.1041.24) on thousands of Google N2D machines, and after the latest updates using Alpine v3.14, we noticed all sorts of strange failures:

cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:3.0.2-alpine3.13 bundle --version
Bundler version 2.2.22
cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:3.0.2-alpine3.14 bundle --version
`/root` is not writable.
Bundler will use `/tmp/bundler20210709-1-4lza5z1' as your home directory temporarily.
Bundler version 2.2.22

cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:2.7
irb(main):001:0>
cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:2.7-alpine
Traceback (most recent call last):
	6: from /usr/local/bin/irb:23:in `<main>'
	5: from /usr/local/bin/irb:23:in `load'
	4: from /usr/local/lib/ruby/gems/2.7.0/gems/irb-1.2.6/exe/irb:11:in `<top (required)>'
	3: from /usr/local/lib/ruby/2.7.0/irb.rb:393:in `start'
	2: from /usr/local/lib/ruby/2.7.0/irb/init.rb:18:in `setup'
	1: from /usr/local/lib/ruby/2.7.0/irb/init.rb:121:in `init_error'
/usr/local/lib/ruby/2.7.0/irb/locale.rb:121:in `load': No such file to load -- irb/error.rb (LoadError)

cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:3.0.2-alpine3.13
irb(main):001:0>
cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker run -it ruby:3.0.2-alpine3.14
/usr/local/lib/ruby/3.0.0/irb/locale.rb:121:in `load': No such file to load -- irb/error.rb (LoadError)
	from /usr/local/lib/ruby/3.0.0/irb/init.rb:195:in `init_error'
	from /usr/local/lib/ruby/3.0.0/irb/init.rb:18:in `setup'
	from /usr/local/lib/ruby/3.0.0/irb.rb:402:in `start'
	from /usr/local/lib/ruby/gems/3.0.0/gems/irb-1.3.5/exe/irb:11:in `<top (required)>'
	from /usr/local/bin/irb:23:in `load'
	from /usr/local/bin/irb:23:in `<main>'

https://alpinelinux.org/posts/Alpine-3.14.0-released.html mentions:

The faccessat2 syscall has been enabled in musl. This can result in issues on docker hosts with older versions of docker (<20.10.0) and libseccomp (<2.4.4), which blocks this syscall.

Our version:

cos@runner-8a6210b8-gsrm-1625808786-f58c5cbb ~ $ docker --version
Docker version 19.03.9, build 9d98839

Can we rollback the Alpine v3.14 upgrade and make this opt-in instead of the default while we work to upgrade our systems?

I should note this problem did not occur on Google's supported cos-85-13310-1260-2 image:

Related links:

1. https://bugzilla.redhat.com/show_bug.cgi?id=1900021
2. Docker fix: Add openat2 and faccessat2 to default seccomp profile. moby/moby#41353
3. Backport to Docker 19.03.16: [19.03 backport] seccomp profile updates moby/moby#41381

[J0WI]

Can we rollback the Alpine v3.14 upgrade and make this opt-in instead of the default while we work to upgrade our systems?

just use the alpine3.13 tag

[jamesbrooks]

@stanhu thank you for this, I ran into this issue a few hours before this post and was finally at the part of looking at the alpine change as the cause (issues running containers on ECS Fargate) but am glad to see you having the same issue.

I'll use the 3.13 tag as @J0WI suggests.

Thanks!

[stanhu]

just use the alpine3.13 tag

We run a CI service where users can choose any tag, and existing builds that use ruby:2.7-alpine or other builds abruptly have stopped working. We're now trying to upgrade the OS, but this issue seems like it could burn others.

[wglambert]

From another alpine-bug issue docker-library/php#1177 (comment)

The more specific aliases exist specifically to give users an escape hatch to stay on a specific underlying distribution release and control their own consumption and upgrade timing. Just like users using :latest, users using a bare alpine tag should expect some degree of breakage over time, and I don't think there's much we can reasonably do about that.

(This is also the common pattern of usage/tagging across all the official images -- PHP is not unique in this regard.)

I think the only thing unique about this particular bump is that the most common breakage is more disruptive than usual, but there's not really much we can do about that, given it's a change in musl/Alpine itself (https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2).

[simmerz]

We're running into this same issue with Docker 20.10.2 running on Ubuntu LTS. Docker is installed from the Docker ubuntu repo.

Clearly rolling down to 3.13 "solves" things, but these seem like broken 3.14 images to me.

EDIT: Resolved by upgrading docker-ce to 20.10.7.

[morgoth]

The same problem with alpine 3.14 on Fargate.
@jamesbrooks If you find a way to use the 3.14 on Fargate, please let us know.

[samnang]

This problem happens to me on AWS Fargate (1.4) with ruby:2.7-alpine (1.14). It works when downgraded to ruby:2.7-alpine3.13.