Seccomp in docker 1.10+ breaks usage of wine in docker build #22296

@gerritdrost

Running wine in a docker build (for example using a Dockerfile) does not work when seccomp is available in the kernel and docker version is >= 1.10.

We use docker for our development environment and simulate a Windows dependency using wine so we don't have to run a full-blown Windows VM on every dev-machine. The software runs fine in wine, but our docker image fails to build on machines using Ubuntu 16.04 and docker >= 1.10. Builds still succeed on Arch Linux and docker >= 1.10, because the Arch Linux kernel by default does not have seccomp enabled.

Output of docker version:

Client:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 18:43:40 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 18:43:40 2016
 OS/Arch:      linux/amd64 

Output of docker info:

Containers: 3
 Running: 0
 Paused: 0
 Stopped: 3
Images: 92
Server Version: 1.11.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 126
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 4.4.0-21-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.797 GiB
Name: foobar-VirtualBox
ID: EV6J:S4NZ:TZH2:R2CC:56GY:RBFX:RUAL:PS3X:CF3K:BBEE:OFRJ:PNNT
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support

Output of uname -a:

Linux foobar-VirtualBox 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.):

Encountered on:

  • Physical machine running Ubuntu 16.04 / Docker 1.11
  • Ubuntu 16.04 / Docker 1.11 in a VM in VirtualBox 5.0.18_OSE r106667 (Host: Physical machine running up-to-date Arch Linux).

Steps to reproduce the issue:

  1. Create a Dockerfile using Ubuntu 14.04 as base which installs wine and runs a random wine command (e.g. wine cmd.exe)
  2. Wine will fail because of a socket: operation not permitted error
  3. Run an Ubuntu 14.04 docker container using the --security-opt seccomp:unconfined parameter.
  4. Install wine and run wine cmd.exe
  5. It works fine

Describe the results you received:

Wine will not work in a docker build.

Describe the results you expected:

Wine should work in a docker build.

Additional information you deem important (e.g. issue happens only occasionally):

  • Only tested using Ubuntu 14.04 image, but I suspect it is a wine-related issue and thus should occur in all distros that have seccomp enabled.
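
A diagnostic for the failure in step 2, added here as an example and not part of the original report: it reads the seccomp mode from /proc/self/status and tries a few unprivileged socket() calls, marking the ones that fail with EPERM ("operation not permitted"). The function names, the `factory` parameter and the list of socket kinds probed are assumptions made for illustration.

```python
import errno
import socket

# Unprivileged socket kinds only: raw sockets fail with EPERM without
# CAP_NET_RAW even when no seccomp filter is loaded, which would mislead.
COMBOS = [
    ("AF_UNIX", "SOCK_STREAM"), ("AF_UNIX", "SOCK_DGRAM"),
    ("AF_INET", "SOCK_STREAM"), ("AF_INET", "SOCK_DGRAM"),
    ("AF_INET6", "SOCK_STREAM"), ("AF_NETLINK", "SOCK_DGRAM"),
]
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def seccomp_mode(status_text):
    """Seccomp mode from /proc/<pid>/status text; None if the kernel
    exposes no Seccomp: line (built without seccomp support)."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Seccomp":
            return SECCOMP_MODES.get(value.strip(), "unknown")
    return None


def probe_sockets(factory=socket.socket):
    """Create each socket kind; report 'ok', 'denied' (EPERM, the error
    in the report), 'unsupported' or 'error:<ERRNO>'.
    `factory` is a hypothetical hook so the probe can be tested offline."""
    results = {}
    for fam_name, type_name in COMBOS:
        family = getattr(socket, fam_name, None)
        if family is None:  # constant missing on this platform
            results[(fam_name, type_name)] = "unsupported"
            continue
        try:
            factory(family, getattr(socket, type_name)).close()
            outcome = "ok"
        except OSError as exc:
            if exc.errno == errno.EPERM:
                outcome = "denied"
            else:
                outcome = "error:" + errno.errorcode.get(exc.errno, "?")
        results[(fam_name, type_name)] = outcome
    return results


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print("seccomp:", seccomp_mode(fh.read()))
    for combo, outcome in probe_sockets().items():
        print("/".join(combo), outcome)
```

Running it in a RUN step of the build and again in a container started with --security-opt seccomp:unconfined gives two result sets to compare. A 64-bit Python process may reach the kernel through different syscalls than a 32-bit wine binary, so an all-ok result does not rule the filter out.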
