
Differences between seccomp profiles generated via `build` and `profile` commands

Open mtardy opened this issue 3 years ago • 3 comments

Expected Behavior

By reading the documentation of the project, I was expecting that docker-slim profile runs the exact same part of the app that generates the seccomp profile during docker-slim build.


Actual Behavior

It seems that it's not the case. I have a concrete example just below that produces two different seccomp profiles, and one doesn't work as it prevents the container from starting correctly. The one built with docker-slim build seems to work very well, and congratulations on that 😸 ! That's an impressive feature!


Steps to Reproduce the Problem

I was trying something like that:

docker-slim --state-path docker-slim-dir profile --pull nginx:1.21.6-alpine
export IMAGE_ID=$(docker inspect nginx:1.21.6-alpine --format '{{slice .ID 7}}')
export SECCOMP_PATH=docker-slim-dir/.docker-slim-state/images/$IMAGE_ID/artifacts/nginx-seccomp.json
docker run --security-opt seccomp:$SECCOMP_PATH nginx:1.21.6-alpine

And unfortunately you get (as stated by Skybound in the previous answers):

docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: close exec fds: ensure /proc/self/fd is on procfs: operation not permitted: unknown.

But then I took a look at your examples repo and saw this: https://github.com/docker-slim/examples/blob/master/3rdparty/nginx_alpine/slim.sh

And this works perfectly!

docker-slim profile --copy-meta-artifacts . --tag nginx_alpine.slim nginx:1.21.6-alpine
docker run -p 8080:80 --security-opt seccomp=nginx-seccomp.json nginx:1.21.6-alpine

Specifications

  • Version: linux|Transformer|1.37.5|86fbd29ab3549fa564e87e4770178480cb0542d3|2022-03-21_06:10:20AM
  • Platform: Linux aqua 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

mtardy avatar Mar 31 '22 13:03 mtardy
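One way to see why the two profiles behave differently is to diff their allow sets and check them against the syscalls the OCI runtime needs before the workload runs; the "ensure /proc/self/fd is on procfs" error above is runc calling fstatfs on /proc/self/fd while closing inherited fds. The script below is an added example, not part of this issue or of docker-slim; the two profiles are constructed stand-ins for the profile and build outputs, and the startup syscall set is an assumed minimal list.

```python
import json

# Constructed sample profiles standing in for the two docker-slim outputs
# (real profiles are far larger). Docker's seccomp JSON has a defaultAction
# plus a list of rules of the form {"names": [...], "action": ...}.
PROFILE_A = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "close", "fstatfs",
                            "getdents64", "epoll_wait"],
                  "action": "SCMP_ACT_ALLOW"}],
})
PROFILE_B = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "close", "getdents64",
                            "epoll_wait"],
                  "action": "SCMP_ACT_ALLOW"}],
})

# Assumed minimal set of syscalls runc needs when starting the container
# process; fstatfs is the one behind the "ensure /proc/self/fd is on procfs"
# failure, since a denied syscall returns EPERM under SCMP_ACT_ERRNO.
RUNTIME_STARTUP_SYSCALLS = {"fstatfs", "close", "getdents64"}


def allowed_syscalls(profile_json: str) -> set:
    """Return the syscall names a deny-by-default Docker seccomp profile allows.

    Only the allow-list form (defaultAction deny, explicit SCMP_ACT_ALLOW rules)
    is handled, assumed to be the form docker-slim emits; argument filters are
    ignored. An allow-by-default profile has no finite allow set, so refuse it.
    """
    profile = json.loads(profile_json)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("allow-by-default profile: no finite allow set")
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        allowed.update(rule.get("names", []))   # current Docker format
        if "name" in rule:                      # older single-name format
            allowed.add(rule["name"])
    return allowed


def diff_allowed(a_json: str, b_json: str) -> dict:
    """Syscalls allowed by one profile but not the other."""
    a, b = allowed_syscalls(a_json), allowed_syscalls(b_json)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


def missing_for_startup(profile_json: str, required=RUNTIME_STARTUP_SYSCALLS) -> list:
    """Startup syscalls the profile denies; non-empty means the container won't start."""
    return sorted(required - allowed_syscalls(profile_json))
```

Point the two loaders at the real nginx-seccomp.json files from the profile and build runs to see which syscalls the profile run dropped.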

thank you for opening the issue @mtardy

kcq avatar Mar 31 '22 18:03 kcq

I would like to take up this issue @kcq

mritunjaysharma394 avatar Apr 11 '22 20:04 mritunjaysharma394

@mritunjaysharma394 let's review the current state and let's chat about the design options

kcq avatar Apr 11 '22 20:04 kcq