`apk update` attempts mount/umount2 when run with rkt (#7162) · Issues · alpine / apk-tools

`apk update` attempts mount/umount2 when run with rkt

rkt is a container engine similar to Docker, and capable of running Docker images. Like Docker, it enforces seccomp and capability restrictions on system calls.

Alpine Edge has recently broken `apk update` functionality with rkt, as it is issuing (unnecessary) mount/umount2 syscalls which are blocked by seccomp.

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:3.5 --exec /bin/sh -- -c "apk --version && apk update" 
[ 5844.906525] alpine[5]: apk-tools 2.6.8, compiled for x86_64.
[ 5844.908101] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
[ 5846.799587] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
[ 5847.041904] alpine[5]: v3.5.2-46-gdf4d97eba7 [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
[ 5847.042149] alpine[5]: v3.5.2-47-ga46d5990dc [http://dl-cdn.alpinelinux.org/alpine/v3.5/community]
[ 5847.042290] alpine[5]: OK: 7959 distinct packages available

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:edge --exec /bin/sh -- -c "apk --version && apk update" 
[ 5851.405934] alpine[5]: apk-tools 2.7.0, compiled for x86_64.
[ 5851.407383] alpine[5]: Bad system call

Please see rkt/rkt#3642 for more detail.

I believe the most likely cause is the revised /proc setup logic.

(from redmine: issue id 7162, created on 2017-04-18, closed on 2019-05-03)

Changesets:
- Revision 7ee47c80 by Timo Teräs on 2017-10-10T08:38:52Z:

db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162

Revision 97e4d053 by Timo Teräs on 2017-10-10T08:39:38Z:

db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162

Revision 0e504ac58e35f837c468884de7bd4d5d005acd66 by Timo Teräs on 2017-10-10T10:41:21Z:

main/apk-tools: fix mounting proc (fixes #7162)

[rkt](https://github.com/rkt/rkt) is a container engine similar to
Docker, and capable of running Docker images. Like Docker, it enforces
seccomp and capability restrictions on system calls.

Alpine Edge has recently broken \`apk update\` functionality with rkt,
as it is issuing (unnecessary) mount/umount2 syscalls which are blocked
by seccomp.

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:3.5 --exec /bin/sh -- -c "apk --version && apk update" 
    [ 5844.906525] alpine[5]: apk-tools 2.6.8, compiled for x86_64.
    [ 5844.908101] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
    [ 5846.799587] alpine[5]: fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
    [ 5847.041904] alpine[5]: v3.5.2-46-gdf4d97eba7 [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
    [ 5847.042149] alpine[5]: v3.5.2-47-ga46d5990dc [http://dl-cdn.alpinelinux.org/alpine/v3.5/community]
    [ 5847.042290] alpine[5]: OK: 7959 distinct packages available

$ sudo rkt run --dns 8.8.8.8 --insecure-options image docker://alpine:edge --exec /bin/sh -- -c "apk --version && apk update" 
    [ 5851.405934] alpine[5]: apk-tools 2.7.0, compiled for x86_64.
    [ 5851.407383] alpine[5]: Bad system call

Please see [rkt/rkt\#3642](https://github.com/rkt/rkt/issues/3642) for
more detail.

I believe the most likely cause is the revised /proc setup logic.

*(from redmine: issue id 7162, created on 2017-04-18, closed on 2019-05-03)*

* Changesets:
  * Revision 7ee47c808bdda24a658b325f229a2a8b84fe3790 by Timo Teräs on 2017-10-10T08:38:52Z:

```
db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162
```

* Revision 97e4d0531f2633b54996fc08447bb46449f4a45a by Timo Teräs on 2017-10-10T08:39:38Z:

```
db: handle default root correctly for /proc

dbopts->root may be null; use db->root instead

fixes #7162
```

* Revision 0e504ac58e35f837c468884de7bd4d5d005acd66 by Timo Teräs on 2017-10-10T10:41:21Z:

```
main/apk-tools: fix mounting proc (fixes #7162)
```