Hi Bernhard

On 05.12.22 at 18:31, Bernhard Übelacker wrote:
> On 03.12.22 at 23:38, Bernhard Übelacker wrote:
>> I thought if strace can observe the process in question, would gdb also
>> be able. And found starting nspawn with gdbserver, 'set follow-fork-mode child'
>> and gdb from inside the container via plain chroot seems working well.
>>
>> So it looks like the failing "syscall_0x1b7" from strace is "faccessat2" [2].
>> And it seems "faccessat2" got added just in kernel 5.8 [3], therefore it might fail with the kernel 4.19.
>>
>> So I fear this needs a newer kernel, and/or this is more a glibc issue then?
>
> Hello,
> just a few short additions.
>
> I was looking further into this issue, and found disabling apparmor by booting the host with "apparmor=0" did not improve the situation.
>
> Then I found following entry in the systemd debian package changelog [1][2]:
>
>   * seccomp: allow turning off of seccomp filtering via env var.
>     Since glibc 2.33 faccessat() is implemented via faccessat2(), which is
>     breaking running containers that use such a version of glibc under
>     systemd-nspawn in Buster.
>     Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
>     possible to run such new containers. (Closes: #984573)
>
> This fits perfectly the situation and the container starts successfully with this workaround:
>
>   SYSTEMD_SECCOMP=0 systemd-nspawn --directory=/var/lib/machines/test-bookworm --boot

Thanks for the update!
I guess this means we can close the bug report?

Regards,
Michael
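
The check below is an added example, not code from this thread or from systemd or glibc. It probes syscall 0x1b7 (faccessat2) directly from inside a container and separates "kernel too old" (ENOSYS, where glibc retries with the older faccessat) from "rejected by a filter" (assumed here to show up as EPERM or EACCES, where glibc does not retry); the enum and function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* strace printed the call as syscall_0x1b7; 0x1b7 == 439 == faccessat2. */
#ifndef SYS_faccessat2
#define SYS_faccessat2 0x1b7
#endif

enum probe_result {
    PROBE_SUPPORTED,   /* kernel implements faccessat2 and nothing blocks it */
    PROBE_FALLBACK_OK, /* ENOSYS: glibc >= 2.33 falls back to faccessat */
    PROBE_FILTERED,    /* permission error on "/": assumed to come from a filter */
    PROBE_OTHER        /* any other errno */
};

/* Pure classification, so the logic can be checked without a container. */
enum probe_result classify_faccessat2(long ret, int err)
{
    if (ret == 0)
        return PROBE_SUPPORTED;
    if (err == ENOSYS)
        return PROBE_FALLBACK_OK;
    if (err == EPERM || err == EACCES)
        return PROBE_FILTERED;
    return PROBE_OTHER;
}

/* An existence check (F_OK) on "/" should not fail with a permission error. */
enum probe_result probe_faccessat2(void)
{
    errno = 0;
    long ret = syscall(SYS_faccessat2, AT_FDCWD, "/", F_OK, 0);
    return classify_faccessat2(ret, errno);
}

int main(void)
{
    static const char *const msg[] = {
        "faccessat2 works",
        "faccessat2 -> ENOSYS (glibc falls back to faccessat)",
        "faccessat2 denied, likely by a syscall filter (no glibc fallback)",
        "faccessat2 failed with an unexpected errno"
    };
    puts(msg[probe_faccessat2()]);
    return 0;
}
```

Running it once with and once without SYSTEMD_SECCOMP=0 on the nspawn command line shows whether the seccomp filter is what changes the result.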