rkt is a container engine similar to Docker, and capable of running Docker images. Like Docker, it enforces seccomp and capability restrictions on system calls.

Alpine Edge has recently broken `apk update` functionality with rkt, as it is issuing (unnecessary) mount/umount2 syscalls which are blocked by seccomp.

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:3.5 --exec /bin/sh -- -c "apk --version && apk update" 
[ 5844.906525] alpine[5]: apk-tools 2.6.8, compiled for x86_64.
[ 5844.908101] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
[ 5846.799587] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
[ 5847.041904] alpine[5]: v3.5.2-46-gdf4d97eba7 [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
[ 5847.042149] alpine[5]: v3.5.2-47-ga46d5990dc [http://dl-cdn.alpinelinux.org/alpine/v3.5/community]
[ 5847.042290] alpine[5]: OK: 7959 distinct packages available

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:edge --exec /bin/sh -- -c "apk --version && apk update" 
[ 5851.405934] alpine[5]: apk-tools 2.7.0, compiled for x86_64.
[ 5851.407383] alpine[5]: Bad system call

Please see rkt/rkt#3642 for more detail.

I believe the most likely cause is the revised /proc setup logic.

(from redmine: issue id 7162, created on 2017-04-18, closed on 2019-05-03)

• Changesets:
  • Revision 7ee47c80 by Timo Teräs on 2017-10-10T08:38:52Z:

db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162

• Revision 97e4d053 by Timo Teräs on 2017-10-10T08:39:38Z:

db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162

• Revision 0e504ac58e35f837c468884de7bd4d5d005acd66 by Timo Teräs on 2017-10-10T10:41:21Z:

main/apk-tools: fix mounting proc (fixes #7162)