On Tue, Feb 15, 2022 at 6:28 PM Jia, Hongxu <[email protected]> wrote:
> Hi Khem,
>
> Upstream glibc rejected it because the latest docker has supported it[1],
> and upstream glibc does not provide backward compatibility with old docker[2]
>
> In order to build Yocto with uninative in old docker, we need this local
> patch

How old is the docker and I assume it's some distribution needing it?

> [1] https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594
> seccomp: add support for "clone3" syscall in default policy · moby/moby@9f6b562
> If no seccomp policy is requested, then the built-in default policy in
> dockerd applies. This has no rule for "clone3" defined, nor any
> default errno defined. So when runc receives the con...
>
> [2] https://sourceware.org/pipermail/libc-alpha/2021-August/130590.html
>
> //Hongxu
> ------------------------------
> *From:* Khem Raj <[email protected]>
> *Sent:* Wednesday, February 16, 2022 12:17 AM
> *To:* Jia, Hongxu <[email protected]>
> *Cc:* [email protected] <[email protected]>; Richard Purdie <[email protected]>
> *Subject:* Re: [OE-core] [PATCH v3 1/3] glibc: Upgrade to 2.35 (RFC)
>
> On Tue, Feb 15, 2022 at 12:25 AM Jia, Hongxu <[email protected]> wrote:
> >
> > On 2/9/22 06:53, Khem Raj wrote:
> >
> > diff --git > a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > b/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > > deleted file mode 100644 > > index 3283dd7ad8a..00000000000 > > --- > a/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch > > +++ /dev/null
> > @@ -1,79 +0,0 @@ > > -From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17 00:00:00 2001 > > -From: Hongxu Jia <[email protected]> > > -Date: Sun, 29 Aug 2021 20:49:16 +0800 > > -Subject: [PATCH] fix create thread failed in unprivileged process [BZ > #28287] > > - > > -Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and > clone3] > > -applied, start a unprivileged container (docker run without > --privileged), > > -it creates a thread failed in container. > > - > > -In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is > defined. If > > -__clone3 returns -1 with ENOSYS, fall back to clone or clone2. > > - > > -As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP, > > -CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS > > -was specified by an unprivileged process (process without CAP_SYS_ADMIN) > > - > > -[1] https://man7.org/linux/man-pages/man2/clone3.2.html > > - > > -So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could > > -fix the issue. Here are the test steps: > > - > >
> > Hi RP,
> >
> > I found this local patch was removed from glibc, we have to get it back
> > and regenerate uninative to avoid the thread creation failure in
> > unprivileged container
> >
> > I intentionally dropped it since upstream glibc will not accept this
> > patch since it's not a glibc problem but rather a container runtime
> > problem. Can you investigate that path before we reapply it?
> > Maintaining a rejected patch is the last thing we want to do.
> >
> //Hongxu
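Review bot: the deletion of 0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch drops the __clone3 EPERM fallback without recording why it is safe to drop or what users are expected to rely on instead. The removed patch's own description says thread creation fails in a container started without --privileged when __clone3 returns EPERM, and the replies in this thread say uninative builds in older Docker still hit that case. Suggest stating in the upgrade's commit message or the recipe that the fix is now expected from the container runtime's seccomp policy (the moby commit cited in this thread), so anyone who sees thread creation fail after the glibc 2.35 upgrade can trace it to the runtime rather than to glibc.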
