seccomp: ignore unsupported wait-kill flag probe #5347
@pacoxu did you also verify this solves the issue on CI somehow?
Thanks for the PR! This almost LGTM. If this fixes the issue, I'm fine using this as a quick-fix to release 1.5.1
However, I'd also like to understand how runc is being built in kubernetes CI (not blocking the merge). I guess it is being compiled with old seccomp headers (< 2.6.0), but run with new headers (>= 2.6.0). Can you confirm this is true?
| if waitKill, err := filter.GetWaitKill(); err != nil { | ||
| return 0, false, fmt.Errorf("unable to fetch SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV bit: %w", err) | ||
| } else if waitKill { | ||
| flags |= uint(C.C_FILTER_FLAG_WAIT_KILLABLE_RECV) | ||
| } | ||
| } | ||
| if !errors.Is(err, unix.EINVAL) { |
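Review bot: the `if !errors.Is(err, unix.EINVAL) {` check at the end of this hunk has no comment in the lines shown saying why EINVAL is the one error that gets special treatment. Suggest a one-line comment there stating that EINVAL from `filter.GetWaitKill()` is taken to mean the flag is not supported, and that any other error should still produce the `unable to fetch SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV bit` return, so a later change does not widen the set of ignored errors by accident.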
maybe fold it with the err != nil condition?
Signed-off-by: Paco Xu <roollingstone@gmail.com>
This is precisely the situation I aimed to prevent for
See kubernetes/kubernetes#140039.
The logic here was added in #5172.