Create Task
Maniphest T14136

Heads up: CI might need newer docker to support glibc 2.33
Closed, ResolvedPublic
Actions

Description

I'm not sure which version of Docker and relevant other parts of the system are used for the CI, so I'm writing this just in case.
Tumbleweed has updated glibc to 2.33 now, which makes use of the relatively new faccessat2 syscall, which is only handled properly in newer versions of Docker/podman and libseccomp.
So I suggest to check whether this issue affects the CI as well, before there's a sudden failure on the next image rebuilds.

Some info:

https://github.com/seccomp/libseccomp/issues/314
https://github.com/opencontainers/runc/pull/2750

fvogt created this task.Feb 18 2021, 6:03 PM
Restricted Application added a subscriber: sysadmin. · View Herald TranscriptFeb 18 2021, 6:03 PM
bcooksley added a subscriber: bcooksley.Feb 19 2021, 6:10 PM

Ouch. Looks like the absolutely latest version of Docker is required?

fvogt added a comment.Feb 19 2021, 7:25 PM

According to https://github.com/moby/moby/commit/a18139111d8a203bd211b0861c281ebe77daccd9, anything >= v20.10.0 should do.
Additional issue is that there's a bug in libseccomp (first issue I linked), which broke that if built against a kernel which doesn't have that syscall.
That seems to be the case for Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1914939

bcooksley changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 19 2021, 11:33 PM
bcooksley changed the edit policy from "Custom Policy" to "All Users".
bcooksley added a project: build.kde.org.
bcooksley added a comment.Feb 19 2021, 11:36 PM

Fun. In theory we should be okay, as our version of Docker should be new enough:

Docker version 20.10.3, build 48d30b5

That being said, i'd like to see the libseccomp bug be resolved first just to ensure there are no unexpected edge cases here.

bcooksley closed this task as Resolved.Mar 6 2021, 7:15 PM
bcooksley claimed this task.

I've done some testing this morning and have been unable to reproduce the common failures I could see online (with CMake being unable to find a usable C/C++ compiler, with elfscan dumping core, etc) related to this.

It therefore seems that we should be safe to update and i've started this process.