Docker seccomp issues?

Hello,

I’m having some issues with a DinI (Docker in Incus) setup.

I’ve been troubleshooting the issues and have seemingly narrowed it down to something I need to tweak with seccomp. I’m just not sure what that is and am looking for some help in that regard.

I have a few Incus Containers stood up and they are all running Docker CE 28.0.1 inside of them. They all have host mountpoints back to ZFS datasets. Each container's root is ZFS as well and has been set as zfs.delegate for their volume/dataset, although I’m not 100% sure they actually need this at this point.

I’ve enabled the following configs as well:

  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"

Everything is working well with the exception that I’m having some issues with some containers being pulled and installed. The file it chokes on varies.

root@apps2:/opt/stacks/rocketchat# docker compose up -d
[+] Running 12/14
 ✔ mongodb Pulled                                                                                                                     20.5s 
   ✔ 45f335159959 Pull complete                                                                                                       16.4s 
 ⠙ rocketchat [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 646.6MB / 652.9MB Pulling                                                                                 80.1s 
   ✔ 66a3d608f3fa Pull complete                                                                                                        0.9s 
   ✔ 24871bca5b8d Pull complete                                                                                                        3.9s 
   ✔ 1e6e0ecc9e1d Pull complete                                                                                                        4.0s 
   ✔ 2d985417673a Pull complete                                                                                                        4.1s 
   ✔ 729d9a5a7ee6 Pull complete                                                                                                       15.8s 
   ✔ 57a52c1427e8 Pull complete                                                                                                       72.4s 
   ✔ 2dce6b4867c2 Pull complete                                                                                                       76.7s 
   ⠴ 512783b0c37c Extracting      [==================================================>]  25.41kB/25.41kB                              78.6s 
   ✔ b0417b3b3b72 Download complete                                                                                                   10.7s 
   ✔ 195e1f2ca7d3 Download complete                                                                                                   11.3s 
   ✔ 4f4fb700ef54 Download complete                                                                                                   11.1s 
failed to register layer: failed to mknod('/usr/lib/libstdc++fs.a', S_IFCHR, 0): file exists

There is a log entry in /var/logs/incus/apps2/lxc.log when this happens as well:

lxc apps2 20250321152828.607 ERROR    seccomp - ../src/lxc/seccomp.c:seccomp_notify_handler:1555 - No such file or directory - Failed to send seccomp notification

I’ve gone through the production setup guide as well which I realize should be well above my needs.

Key sysctl values:

sysctl -a|grep -E 'fs.inotify|fs.aio|keys|vm.max|bpf'
fs.aio-max-nr = 524288
fs.aio-nr = 1
fs.inotify.max_queued_events = 1048576
fs.inotify.max_user_instances = 1048576
fs.inotify.max_user_watches = 1048576
kernel.bpf_stats_enabled = 0
kernel.keys.gc_delay = 300
kernel.keys.maxbytes = 2000000
kernel.keys.maxkeys = 2000
kernel.keys.persistent_keyring_expiry = 259200
kernel.keys.root_maxbytes = 25000000
kernel.keys.root_maxkeys = 1000000
kernel.unprivileged_bpf_disabled = 2
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 1000000000
vm.max_map_count = 262144

Docker info:

Client: Docker Engine - Community
 Version:    28.0.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.21.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.33.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 10
  Paused: 0
  Stopped: 0
 Images: 10
 Server Version: 28.0.1
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.12.15-production+truenas
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 62.73GiB
 Name: apps2
 ID: 45886574-ef72-43ee-85de-d0750da90054
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

When I disable the default seccomp profile, things work as expected without issue.

raw.lxc: lxc.seccomp.profile =

Success with it disabled:

root@apps2:/opt/stacks/rocketchat# docker compose up -d
[+] Running 14/14
 ✔ rocketchat Pulled                                                                                                                  73.7s 
   ✔ 66a3d608f3fa Pull complete                                                                                                        1.1s 
   ✔ 24871bca5b8d Pull complete                                                                                                        3.6s 
   ✔ 1e6e0ecc9e1d Pull complete                                                                                                        3.7s 
   ✔ 2d985417673a Pull complete                                                                                                        3.8s 
   ✔ 729d9a5a7ee6 Pull complete                                                                                                       13.2s 
   ✔ 57a52c1427e8 Pull complete                                                                                                       68.1s 
   ✔ 2dce6b4867c2 Pull complete                                                                                                       71.4s 
   ✔ 512783b0c37c Pull complete                                                                                                       71.5s 
   ✔ b0417b3b3b72 Pull complete                                                                                                       71.7s 
   ✔ 195e1f2ca7d3 Pull complete                                                                                                       71.9s 
   ✔ 4f4fb700ef54 Pull complete                                                                                                       72.0s 
 ✔ mongodb Pulled                                                                                                                     18.4s 
   ✔ 45f335159959 Pull complete                                                                                                       13.3s 
[+] Running 3/3
 ✔ Network rocketchat_default         Created                                                                                          0.1s 
 ✔ Container rocketchat-mongodb-1     Started                                                                                          7.0s 
 ✔ Container rocketchat-rocketchat-1  Started                                                                                          4.9s 

Thank you in advance for the assistance. :slight_smile:

What is the base OS you have installed on your host?

For example, I ran into some ZFS issues on my TrueNAS 24.04 basic install with Incus on top (yeah, I know, not supported etc.). After a lot of trial and error I finally performed the same install on plain Bookworm with ZFS and couldn’t reproduce it…

Long story short is that iX Systems and probably other vendors customised ZFS for their needs in a way that breaks mainstream ZFS features Incus relies on to work properly. I wouldn’t be surprised if this might be the case here too.

Probably a good idea to set up a VM with a different OS and see if it is reproducible, to rule out any custom code changes.

This is TrueNAS 25.04. It happens on every Incus Container I spin up on the host OS. I’m assuming it’s some sysctl value that needs tweaking, but I could be wrong.

Again, when disabling seccomp, it works fine. I’m just not sure where to begin troubleshooting the issue.

Thank you for the reply. :slight_smile:

Understand, as mentioned I would suggest spinning up a plain Bookworm VM and run the same tests or use a spare bare metal system. Just to rule out any customized issues…

Docker apparently needs bpf, add_key, and keyctl. bpf is easy to set with security.syscalls.intercept.bpf. Are you familiar with the following config? I’m attempting to set those.

security.syscalls.allow

When setting:

  security.syscalls.allow: |-
    add_key
    keyctl

Instances don’t boot when those are set, and I’m not getting a lot of logs either.

lxc apps2 20250325142713.618 ERROR    sync - ../src/lxc/sync.c:sync_wake:47 - Broken pipe - Sync wake failure
lxc apps2 20250325142713.627 WARN     network - ../src/lxc/network.c:lxc_delete_network_priv:3631 - Failed to rename interface with index 0 from "eth0" to its initial name "veth5fd472f7"
lxc apps2 20250325142713.627 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:878 - Received container state "ABORTING" instead of "RUNNING"
lxc apps2 20250325142713.627 ERROR    start - ../src/lxc/start.c:__lxc_start:2107 - Failed to spawn container "apps2"
lxc apps2 20250325142713.628 WARN     start - ../src/lxc/start.c:lxc_abort:1036 - No such process - Failed to send SIGKILL via pidfd 17 for process 1367947
lxc 20250325142713.775 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20250325142713.775 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"

Relevant dmesg output:

[334228.676793] br5: port 3(veth71485934) entered blocking state
[334228.676800] br5: port 3(veth71485934) entered disabled state
[334228.676824] veth71485934: entered allmulticast mode
[334228.676887] veth71485934: entered promiscuous mode
[334228.864776] physb5cEMr: renamed from veth5fd472f7
[334228.865533] eth0: renamed from physb5cEMr
[334228.865780] br5: port 3(veth71485934) entered blocking state
[334228.865785] br5: port 3(veth71485934) entered listening state
[334229.838668] veth71485934: left allmulticast mode
[334229.838673] veth71485934: left promiscuous mode
[334229.838701] br5: port 3(veth71485934) entered disabled state

Incus Security Policies
Kernel Syscalls
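An added diagnostic, not from the thread or from Incus: run it as root inside the Incus container (assumptions: x86_64, Python 3 available) after changing security.syscalls.* to see how the kernel answers each of the operations this thread circles around, without pulling a whole image. It probes the overlay2 whiteout mknod from the error above, a user.* setxattr, add_key and bpf, and reports "ok" or the errno each one gets.

```python
import ctypes, errno, os, stat, tempfile

SYS_ADD_KEY, SYS_BPF = 248, 321  # x86_64 numbers (the thread's "Architecture: x86_64")
KEY_SPEC_SESSION_KEYRING, BPF_MAP_CREATE, BPF_MAP_TYPE_ARRAY = -3, 0, 2
libc, L = ctypes.CDLL(None, use_errno=True), ctypes.c_long

def outcome(call):
    # Run call(); report "ok" or "denied:<ERRNO>" instead of raising.
    try:
        call(); return "ok"
    except OSError as e:
        return "denied:" + errno.errorcode.get(e.errno, str(e.errno))
def check_ret(ret):
    if ret < 0:  # raw syscall() failure: surface errno as OSError
        raise OSError(ctypes.get_errno(), "syscall failed")
    return ret

def probe_mknod_whiteout(tmpdir):
    # overlay2 marks a deleted file as a 0:0 char device ("whiteout"): the
    # mknod(S_IFCHR, 0) that "failed to register layer" reported above.
    p = os.path.join(tmpdir, "whiteout")
    return outcome(lambda: (os.mknod(p, stat.S_IFCHR | 0o600, 0), os.unlink(p)))

def probe_setxattr_user(tmpdir):
    # overlay2 with "userxattr: true" writes user.* attributes; ENOTSUP here
    # means the filesystem lacks user xattrs, not that seccomp denied it.
    p = os.path.join(tmpdir, "xattr")
    open(p, "w").close()
    return outcome(lambda: os.setxattr(p, "user.incus_probe", b"1"))

def probe_add_key():
    # add_key(2); on success a 1-byte "user" key is left in the session keyring.
    return outcome(lambda: check_ret(libc.syscall(L(SYS_ADD_KEY), b"user",
        b"incus-probe", b"x", ctypes.c_size_t(1), L(KEY_SPEC_SESSION_KEYRING))))

class BpfMapAttr(ctypes.Structure):  # leading __u32 fields of union bpf_attr
    _fields_ = [(f, ctypes.c_uint32) for f in
                ("map_type", "key_size", "value_size", "max_entries", "map_flags")]
def probe_bpf():
    attr = BpfMapAttr(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0)  # one-entry array map
    return outcome(lambda: os.close(check_ret(libc.syscall(L(SYS_BPF),
        L(BPF_MAP_CREATE), ctypes.byref(attr), L(ctypes.sizeof(attr))))))

def run_probes():
    with tempfile.TemporaryDirectory() as d:
        return {"mknod_whiteout": probe_mknod_whiteout(d),
                "setxattr_user": probe_setxattr_user(d),
                "add_key": probe_add_key(), "bpf_map_create": probe_bpf()}

if __name__ == "__main__":
    print(run_probes())
```

Compare the output with the default seccomp profile and with `raw.lxc: lxc.seccomp.profile =` set; an operation that flips from denied to ok is the one the profile is blocking.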