Hi khem,

Upstream glibc rejected it because the latest docker has supported it [1], and upstream glibc does not provide backward compatibility with old docker [2].
In order to build Yocto with uninative in old docker, we need this local patch.

[1] https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594
[2] https://sourceware.org/pipermail/libc-alpha/2021-August/130590.html

//Hongxu

________________________________
From: Khem Raj <[email protected]>
Sent: Wednesday, February 16, 2022 12:17 AM
To: Jia, Hongxu <[email protected]>
Cc: [email protected] <[email protected]>; Richard Purdie <[email protected]>
Subject: Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)

On Tue, Feb 15, 2022 at 12:25 AM Jia, Hongxu <[email protected]> wrote:
>
> On 2/9/22 06:53, Khem Raj wrote:
>
> diff --git > a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > > b/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > deleted file mode 100644 > index 3283dd7ad8a..00000000000 > --- > a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > +++ /dev/null 
> @@ -1,79 +0,0 @@ > -From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17 00:00:00 2001 > -From: Hongxu Jia <[email protected]> > -Date: Sun, 29 Aug 2021 20:49:16 +0800 > -Subject: [PATCH] fix create thread failed in unprivileged process [BZ #28287] > - > -Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and > clone3] > -applied, start a unprivileged container (docker run without --privileged), > -it creates a thread failed in container. > - > -In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is defined. If > -__clone3 returns -1 with ENOSYS, fall back to clone or clone2. > - > -As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP, > -CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS > -was specified by an unprivileged process (process without CAP_SYS_ADMIN) > - > -[1] https://man7.org/linux/man-pages/man2/clone3.2.html > - > -So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could > -fix the issue. Here are the test steps: > - >
> Hi RP,
>
> I found this local patch was removed from glibc, we have to get it back and
> regenerate uninative to avoid the thread creation failure in unprivileged
> container
>

I intentionally dropped it since upstream glibc will not accept this patch since it's not a glibc problem but rather a container runtime problem. Can you investigate that path before we reapply it? Maintaining a rejected patch is the last thing we want to do.

>
> //Hongxu
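Review bot: Deleting 0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch drops the fallback to clone or clone2 when __clone3 returns -1 with EPERM, and nothing in the visible lines records the host requirement that follows from it. The deleted commit message states that thread creation fails in a container started with docker run without --privileged, so the upgrade should say, in the commit message or the release notes, that build hosts using uninative need a docker release containing the moby change cited as [1] in the reply. If older docker hosts must stay supported, the removal should be split from the 2.35 upgrade so it can be reverted on its own.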
