[incident] Alpine 3.20 seccomp issues (arm32v6, arm32v7, i386, riscv64, ppc64le) #16830
Comments
|
Got all my ducks in a row for builds of a newer Docker engine across all the architectures we support and the problem persists. I then recall that BuildKit needs the profile updates too, which might be why we're still seeing it. 🙃 🤞 https://github.com/moby/buildkit/blob/v0.12.5/go.mod#L31 is some semi-random commit between v24 and v25, which does not have any of moby/moby@9e10605 (v26 original merge), moby/moby@7a075ca (v25 backport), moby/moby@f11b55f (v24 backport), or moby/moby@5cc6748 (v23 backport) 😭 The good news is that https://github.com/moby/buildkit/blob/v0.13.2/go.mod#L32 is new enough (v25.0.3 is the version that received the backport). The bad news is that I refactored the way I'm building However, the build I'm still seeing fail is using the default BuildKit-built-into-dockerd (just raw |
|
Oh man, we probably need
|
|
Further confirmed -- started an I also filed a bug against |
|
Ok, in theory, fixes are deployed everywhere now. I'll check back in next week and hopefully everything will be resolved and all these failing Alpine 3.20 builds will be green. 😄 Edit: I guess assuming I'm wrong about BuildKit 0.12 above 🙈 |
|
(Reader: he couldn't resist and he wasn't wrong about BuildKit above, so that's next week's project) |
|
Still seems to be failing on armv6 and v7 |
|
Doing some hacks in my personal build system to get more architectures on The other half I'll have to solve is using the host architecture for determining which BuildKit image to use instead of using the target architecture (which is a disparity we've had for a while that mostly doesn't matter but in this case becomes important since I'm not hacking it with fake entries anymore). Edit: for the curious, that's accomplished via the following sadness (which I eventually hope to move to something that's committed but for now this is it): # TODO implement proper cross-architecture support instead of this stupid hack 😭
jq '
.[].arches[] |=
if any(.tags[]; startswith("tianon/buildkit:")) then
.froms |= map(select(startswith("golang:") | not))
| .parents |= with_entries(select(.key | startswith("golang:") | not))
else . end
' sources.json > sources-hacked.json
( set -x && diff -u sources.json sources-hacked.json ) || :
mv sources-hacked.json sources.json |
Apparently, I've (fortuitously!) forgotten that I didn't actually implement this to that level, and our |
|
In theory, #16856 will finish fixing this (holding off closing this until actual verification though). 🤞 |
|
|
|
This looks like it's settled enough to be closeable. 👍 |
This weekend's Debian stable update included this gem: 🥳 ❤️ |
* `textarea` should grow with input text * Docker buld started failing due to a bad alpine release: docker-library/official-images#16830 <img width="543" alt="image" src="https://github.com/user-attachments/assets/2a3ffa8a-295d-4c73-9ae9-14df7c12c32b">
Many of the builds for the recent Alpine 3.20 based images are currently failing due to a variant of #16829 (although interestingly mostly on less popular architectures such as 32bit x86/arm, riscv64, and ppc64le). We are aware of the issues, and are working on a fix. 👍
The text was updated successfully, but these errors were encountered: