Snappy

Seccomp error on recent builds of snappy

Bug #1561920 reported by Renat on 2016-03-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snappy	Fix Released	Critical	Paolo Pisati
	linux-raspi2 (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

I'm building a new image using recent ubuntu-device-flash from here https://people.canonical.com/~mvo/all-snaps/

+ sudo /home/vagrant/ubuntu-device-flash core rolling --channel edge --enable-ssh --developer-mode --gadget canonical-pi2.canonical --kernel canonical-pi2-linux.canonical --os ubuntu-core.canonical -o snappy-2016-03-25-01-17.img
Determining gadget configuration
5.83 MB / 5.83 MB [===================================] 100.00 % 457.07 KB/s 13s
48.38 MB / 48.38 MB [=================================] 100.00 % 472.46 KB/s 1m44s
Installing canonical-pi2.canonical
5.83 MB / 5.83 MB [===================================] 100.00 % 661.54 KB/s 9s
Installing canonical-pi2-linux.canonical
74.79 MB / 74.79 MB [=================================] 100.00 % 428.40 KB/s 2m58s
Installing ubuntu-core.canonical
48.38 MB / 48.38 MB [=================================] 100.00 % 332.22 KB/s 2m29s
Enabling developer mode...
New image complete
Summary:
Output: snappy-2016-03-25-01-17.img
Architecture: armhf
Channel: edge
Version: 0

and getting this error:

ubuntu@localhost:~$ sudo snappy install hello-world
Installing hello-world
20.00 KB / 20.00 KB [==================================] 100.00 % 116.82 KB/s
Name Date Version Developer
canonical-pi2 2016-03-23 3.2 canonical
canonical-pi2-linux 2016-03-21 4.4.0-1004-raspi2+20160321.17-52 canonical
hello-world 2016-03-11 6.0 canonical
ubuntu-core 2016-03-21 16.04+20160321.17-37 canonical
ubuntu@localhost:~$ hello-world.env
seccomp_load failed with -22
seccomp_load_filters failed with -22. errmsg: Invalid argument

The same error I get when using images from
http://cdimage.ubuntu.com/ubuntu-core/daily-preinstalled/current/

See original description

Tags:

Renat (renat2017) on 2016-03-25

description:	updated
description:	updated

Renat (renat2017) on 2016-03-25

description:

updated

Jamie Strandboge (jdstrand) on 2016-03-25

Changed in snappy:
assignee:	nobody → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) on 2016-03-25

Changed in snappy:
status:	New → Confirmed
importance:	Undecided → Critical

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-25:

Downgrading ubuntu-core-launcher does not fix the issue.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-25:

1561920.tar.gz Edit (6.9 KiB, application/x-tar)

This seems to be a problem with the kernel as seccomp is working fine on amd64 and on an armhf porter box in a xenial chroot. Attached is a tarball with the files. Here is the test case:

On an amd64 host and schroot:
(xenial-amd64)$ apt-get install libseccomp-dev
(xenial-amd64)$ apt-cache policy libseccomp2
...
*** 2.2.3-3ubuntu3 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
(xenial-amd64)$ apt-cache policy libseccomp-dev
...
*** 2.2.3-3ubuntu3 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

(xenial-amd64)$ gcc -o test-seccomp test-seccomp.c -lseccomp

(xenial-amd64)$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
08:53:09 up 17:38, 0 users, load average: 0.54, 0.47, 0.43

(xenial-amd64)$ cat /proc/version_signature
Ubuntu 4.4.0-13.29-generic 4.4.5

On an armhf porter box:
(xenial-armhf)$ sudo apt-get install libseccomp-dev
...
(xenial-armhf)$ apt-cache policy libseccomp2
...
*** 2.2.3-3ubuntu3 500
500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

(xenial-armhf)$ apt-cache policy libseccomp-dev
...
*** 2.2.3-3ubuntu3 500
500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

(xenial-armhf)$ gcc -o test-seccomp test-seccomp.c -lseccomp

(xenial-armhf)$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
13:40:18 up 34 days, 21:38, 0 users, load average: 0.04, 0.12, 0.10

(xenial-armhf)$ cat /proc/version_signature
Ubuntu 3.13.0-5.6-exynos5 3.13.11.4

On rpi2 snappy core image (1561920.tar.gz contains the files used on the armhf porter box):
$ tar -zxvf ./1561920.tar.gz
1561920/
1561920/test-seccomp
1561920/test-seccomp.c
1561920/safe.filter

$ cd 1561920
$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
seccomp_load failed with -22
seccomp_load_filters failed with -22

$ cat /proc/version_signature
Ubuntu 4.4.0-1004.5-raspi2 4.4.5

This seems to be a problem with the kernel as seccomp is working fine on amd64 and on an armhf porter box in a xenial chroot. Attached is a tarball with the files. Here is the test case:

On an amd64 host and schroot:
(xenial-amd64)$ apt-get install libseccomp-dev
(xenial-amd64)$ apt-cache policy libseccomp2
...
 *** 2.2.3-3ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
(xenial-amd64)$ apt-cache policy libseccomp-dev
...
 *** 2.2.3-3ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

(xenial-amd64)$ gcc -o test-seccomp test-seccomp.c -lseccomp

(xenial-amd64)$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
 08:53:09 up 17:38,  0 users,  load average: 0.54, 0.47, 0.43

(xenial-amd64)$ cat /proc/version_signature 
Ubuntu 4.4.0-13.29-generic 4.4.5

On an armhf porter box:
(xenial-armhf)$ sudo apt-get install libseccomp-dev
...
(xenial-armhf)$ apt-cache policy libseccomp2
...
 *** 2.2.3-3ubuntu3 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

(xenial-armhf)$ apt-cache policy libseccomp-dev
...
 *** 2.2.3-3ubuntu3 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

(xenial-armhf)$ gcc -o test-seccomp test-seccomp.c -lseccomp

(xenial-armhf)$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
 13:40:18 up 34 days, 21:38,  0 users,  load average: 0.04, 0.12, 0.10

(xenial-armhf)$ cat /proc/version_signature 
Ubuntu 3.13.0-5.6-exynos5 3.13.11.4

On rpi2 snappy core image (1561920.tar.gz contains the files used on the armhf porter box):
$ tar -zxvf ./1561920.tar.gz 
1561920/
1561920/test-seccomp
1561920/test-seccomp.c
1561920/safe.filter

$ cd 1561920
$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
seccomp_load failed with -22
seccomp_load_filters failed with -22

$ cat /proc/version_signature 
Ubuntu 4.4.0-1004.5-raspi2 4.4.5

Changed in snappy:
assignee:	Jamie Strandboge (jdstrand) → nobody

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-25:

Renat, you said on irc this worked before. What kernel, os and gadget snap were you using before?

Olli Ries (ories) on 2016-03-25

Changed in snappy:
assignee:	nobody → Olli Ries (ories)
assignee:	Olli Ries (ories) → nobody

Oliver Grawert (ogra) on 2016-03-25

Changed in snappy:
assignee:	nobody → Oliver Grawert (ogra)

Revision history for this message

Renat (renat2017) wrote on 2016-03-25:

Jamie, I downgraded our system snaps. Configuration given below works:

canonical-pi2-linux.canonical_4.3.0-1006-6_armhf.snap
ubuntu-core.canonical_16.04+20160321.17-37_armhf.snap
canonical-pi2.canonical_3.0_all.snap # With replaced start.elf and fixup.dat

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-25:

With 4.3.0-1006-6 kernel, 3.0 gadget snap and ubuntu-core currently in the store, it works:

$ tar -zxvf ./1561920.tar.gz
1561920/
1561920/test-seccomp
1561920/test-seccomp.c
1561920/safe.filter

$ cd 1561920
$ ./test-seccomp safe.filter /usr/bin/uptime
DEBUG: seccomp_load_filters safe.filter
15:04:35 up 2 min, 1 user, load average: 0.63, 0.31, 0.12

$ cat /proc/version_signature
Ubuntu 4.3.0-1006.6-raspi2 4.3.0

I used this:
sudo ./ubuntu-device-flash core rolling --channel edge --enable-ssh --developer-mode --gadget canonical-pi2.canonical_3.0_all.snap --kernel canonical-pi2-linux.canonical_4.3.0-1006-6_armhf.snap --os ubuntu-core -o snappy-1561920-gadget3.0_kernel4.3.0-1006-6_os20160325.img

canonical-pi2-linux.canonical_4.3.0-1006-6_armhf.snap is https://myapps.developer.ubuntu.com/dev/click-apps/4284/download/rev/5/
canonical-pi2.canonical_3.0_all.snap is https://myapps.developer.ubuntu.com/dev/click-apps/4194/rev/3/

Paolo Pisati (p-pisati) on 2016-03-29

Changed in snappy:
assignee:	Oliver Grawert (ogra) → Paolo Pisati (p-pisati)

Paolo Pisati (p-pisati) on 2016-03-31

Changed in snappy:
status:	Confirmed → Fix Committed

Michael Vogt (mvo) on 2016-04-20

Changed in snappy:
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-04-20:

This bug was fixed in the package linux-raspi2 - 4.4.0-1009.10

---------------
linux-raspi2 (4.4.0-1009.10) xenial; urgency=low

[ Tim Gardner ]

* Release Tracking Bug
- LP: #1572273

* Rebase against Ubuntu-4.4.0-21.37

-- Tim Gardner <email address hidden> Tue, 19 Apr 2016 12:40:42 -0600

Changed in linux-raspi2 (Ubuntu):
status:	New → Fix Released

Revision history for this message

Tim Gardner (timg-tpi) wrote on 2016-09-06:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial