
Please enable CONFIG_SECCOMP (again)

Open kentonv opened this issue 8 years ago • 7 comments

Hi Scaleway, #158 requested seccomp be enabled and #161 enabled it, but it appears that change was lost somewhere along the line, as many of the kernel configs today do not enable seccomp:

https://github.com/scaleway/kernel-tools/search?p=2&q=CONFIG_SECCOMP&utf8=%E2%9C%93

I work on Sandstorm.io, and we have now received multiple reports from Scaleway users that Sandstorm apps won't start on their servers. It turns out that this is because seccomp is disabled. We have not encountered any other hosting provider nor distro that disables seccomp. We can tell users to use your "Docker" kernel config to get seccomp, but it's not obvious to them in advance that this is required. It seems to me that the best approach would be to enable it across all kernels.

See extended discussion here: https://github.com/sandstorm-io/sandstorm/issues/1759

kentonv avatar Apr 05 '16 16:04 kentonv
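The failure described above (apps refusing to start because the kernel was built without CONFIG_SECCOMP) is easy to confirm before installing anything. The following is an added example, not code from this thread, from Scaleway's kernel-tools, or from Sandstorm: it probes the running kernel for seccomp support from userspace without confining the calling process. It relies on two documented kernel behaviours: `prctl(PR_GET_SECCOMP)` fails with EINVAL when the kernel has no seccomp support at all, and `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL)` fails with EFAULT (the NULL filter is rejected before anything is installed) on a kernel that supports seccomp-bpf, but with EINVAL on one that does not. It also parses the `Seccomp:` field of `/proc/self/status`, which the kernel omits entirely when CONFIG_SECCOMP is off; the status text in the test is constructed, not captured from a Scaleway machine.

```c
/* Added example: probe seccomp support on the running Linux kernel.
 * Not from the Scaleway kernel-tools repository or from Sandstorm. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>   /* SECCOMP_MODE_FILTER */

#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2  /* value used by the kernel UAPI */
#endif

/* 1 = kernel built with CONFIG_SECCOMP, 0 = seccomp not built in,
 * -1 = unexpected error. PR_GET_SECCOMP never changes process state. */
int seccomp_builtin(void)
{
    errno = 0;
    if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) >= 0)
        return 1;                      /* returned the current mode (0/1/2) */
    return errno == EINVAL ? 0 : -1;   /* EINVAL: stub in a no-seccomp kernel */
}

/* 1 = SECCOMP_MODE_FILTER (seccomp-bpf, CONFIG_SECCOMP_FILTER) available,
 * 0 = not available, -1 = unexpected result. A NULL filter pointer makes a
 * supporting kernel fail with EFAULT while copying the filter, so nothing is
 * ever installed; a kernel without filter support rejects the mode (EINVAL). */
int seccomp_filter_supported(void)
{
    errno = 0;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == 0)
        return -1;                     /* must never succeed with NULL */
    if (errno == EFAULT)
        return 1;
    if (errno == EINVAL)
        return 0;
    return -1;                         /* e.g. EACCES: no_new_privs not set */
}

/* Parse the "Seccomp:" line of a /proc/<pid>/status dump (kernel >= 3.8).
 * Returns the mode (0 = off, 1 = strict, 2 = filter) or -1 when the field is
 * absent, which is what a kernel built without CONFIG_SECCOMP prints.
 * Matching at line start keeps "Seccomp_filters:" (5.9+) from being confused
 * with "Seccomp:". */
int parse_seccomp_status(const char *status)
{
    const char *p = status;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, "Seccomp:", 8) == 0) {
            p += 8;
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p < '0' || *p > '9')
                return -1;             /* malformed value */
            return *p - '0';
        }
        p = strchr(p, '\n');           /* advance to the next line */
        if (p != NULL)
            p++;
    }
    return -1;
}

int main(void)
{
    char buf[8192];
    size_t n = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[n] = '\0';

    printf("CONFIG_SECCOMP built in : %d\n", seccomp_builtin());
    printf("seccomp-bpf filter mode : %d\n", seccomp_filter_supported());
    printf("/proc/self/status mode  : %d\n", parse_seccomp_status(buf));
    return 0;
}
```

On a kernel like the ones this issue complains about, the first two probes return 0 and the status parser returns -1 because the field is missing; on a kernel with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER, the probes return 1 and the parser reports 0 for an unconfined process. The filter probe is the same trick sandboxes use at startup to decide whether to fall back or refuse to run, which is effectively what the Sandstorm apps in this thread were doing.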

Hi @kentonv

We have added SECCOMP for the x86_64 kernels; it will be available in the next release 😊

QuentinPerez avatar Apr 05 '16 17:04 QuentinPerez

@QuentinPerez thanks for addressing this so quickly! I don't quite understand the turnaround between this fix having been merged and this becoming generally available in the scaleway control panel. Could you elaborate a bit more on when this is expected to be available to end-users? Thanks!

patrickod avatar Apr 05 '16 17:04 patrickod

Hi @patrickod,

Here is our process to release new kernels:

  1. add/update .config files and patches if needed on https://github.com/scaleway/kernel-tools
  2. trigger a build on https://github.com/scaleway/qa, example: https://github.com/scaleway/qa/pull/560
  3. Travis builds the new kernel and store it on a temporary store, see https://travis-ci.org/scaleway/qa/builds/123978731 for details
  4. sync the temporary store on our mirrors: http://mirror.scaleway.com/kernel/
  5. create new bootscript in database

There are logs for steps 1-3, using GitHub and Travis, but steps 4 and 5 are manual.

However, all the kernels were recently updated with this patch; you can switch to a newer bootscript: https://www.scaleway.com/docs/bootscript-and-how-to-use-it/

moul avatar Apr 19 '16 16:04 moul

Which kernels should have this fix? I still can't get Sandstorm working on the 4.5.1 Docker kernel and Ubuntu Wily.

ndarilek avatar Apr 21 '16 21:04 ndarilek

Interestingly enough, the failure mode is now different, and whereas before I got seccomp errors in my logs, now I get nothing other than a silent failure. So the failure to launch Sandstorm might not be related to this issue, but something is definitely very badly broken in unexpected ways. I've never had these issues on a variety of hosting providers. Unfortunately I'm out of time to debug for the day, but the issue can be easily duplicated by installing Sandstorm on a vanilla Ubuntu server, attempting to run an app and watching it fail. The Sandstorm folks have great docs for that process.

Thanks.

ndarilek avatar Apr 21 '16 21:04 ndarilek

Hi @ndarilek,

I installed Sandstorm on our Docker image with the 4.5.1 docker kernel, and I have not been able to reproduce your problem.

Can you give me more details?

QuentinPerez avatar Apr 22 '16 09:04 QuentinPerez

Hello,

You're right, and I apologize. I've been struggling with this and other Scaleway issues all day yesterday to perform tasks I assumed would be easy, and I just assumed this wouldn't work because I'm still having Sandstorm issues on my original host. I later independently verified that Sandstorm does indeed work on a new server install, so my existing issues aren't general ones. Sorry for jumping the gun like that.

ndarilek avatar Apr 22 '16 13:04 ndarilek