[RFE] Seccomp Notify in Flatcar

[alban]

Current situation

The Seccomp Notify feature was just merged in runc (opencontainers/runc#2682) and it is not yet available in Flatcar

Impact

• We cannot run containers with a Seccomp Profile that uses the Seccomp Notify feature.
• We cannot use https://github.com/kinvolk/seccompagent on Flatcar

Ideal future situation

Flatcar can run containers with Seccomp Profiles that uses of the Seccomp Notify feature.

**Implementation options

• Wait for runc 1.1.0 or cherry-pick runc PR #2682. A backport for runc 1.0 is already created, we can easily backport this to other runc patch releases if needed.
• Wait for a new docker version 21.xx or cherry-pick moby PR #42604. Note this patch should also be simple to backport.
• If we are backporting changes to docker 20.10, we would also need to update the vendor of runtime-spec so it includes OCI runtime-spec PR #1074
• Update containerd to v1.5.5 so it vendors OCI runtime-spec PR #1074. --> Already present in 2969.0.0
• Update libseccomp to 2.5.2 to get a fix related to the notify feature, necessary if it is built against Linux headers >= v5.9 (which Flatcar has). See:
  • seccomp/libseccomp@b926e5a
  • torvalds/linux@47e33c05f9f0

Additional information

cc @rata @mauriciovasquezbernal

[dongsupark]

As for linux-headers, all channels of Flatcar have actually linux-headers 5.8 or older.
We should update it to >= 5.10, as most Kernels are 5.10.

[jepio]

@rata @alban
I built a torcx package for upstream docker components (from current master branch), runc is statically linked against libseccomp 2.5.2. You can try it out using the following ignition yaml snippet:

ignition:
  config:
    append:
    - source: "https://raw.githubusercontent.com/jepio/torcx-docker-upstream/main/config.json"
      verification:
        hash:
          function: sha512
          sum: 24cb90dde3ca9795918cd3fdb377632fec2c2615666c654f1b3341cb703ba0edea4e4a308dc4af87d649dbfe53790c0c7569f213b99c0c5cfd69bda8ad15ee04

This might let you proceed with your demo/testing, let me know whether it actually works.

[alban]

Runc 1.1.0 is released:

https://github.com/opencontainers/runc/releases/tag/v1.1.0

[rata]

I guess what is missing here to use with containerd is libseccomp 2.5.2?

[jepio]

Is the strictly necessary? The linked libseccomp commit says

If libseccomp is built against kernel headers after this commit but is run on a kernel that was built prior to this commit, then the ioctl will always return -1 EINVAL and thus seccomp_notify_id_valid will incorrectly return -ENOENT.

We have both kernel and kernel-headers built from sources after this commit, so this does not apply.

[rata]

Oh, didn't know that. I guess not, then. Thanks!

[rata]

@jepio one more question, runc 1.1 is included in https://www.flatcar.org/releases/#release-3033.2.1 ? Or is it included in any flatcar release? I'm asking as I want to mention it in a blog post :)

[jepio]

It's included in alpha 3127 https://www.flatcar.org/releases/#alpha-release.

[rata]

Thanks!

[dongsupark]

Flatcar already has runc 1.1, which is already statically linked to libseccomp 2.5.2+.
Done.