I am using podman-compose [1] to start a simple docker-compose.yml, but instead of booting the containers, it shows this error:

```
cannot configure rootless cgroup using the cgroupfs manager\n/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: seccomp_init\nsync socket closed: OCI runtime error
```

[1]: https://github.com/containers/podman-compose

I can confirm a case of underlinking using plain scanelf and readelf:

```
❯ readelf -s /usr/lib64/libcrun.so.0 | rg seccomp
   176: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add
   177: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_release
   178: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_export_bpf
   179: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add_array
   180: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_syscall_resolve_n
   181: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_add
   182: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_resolve_name
   183: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_init
   271: 00000000000219e0   289 FUNC    GLOBAL DEFAULT   11 get_seccomp_operator
   557: 0000000000021b10   209 FUNC    GLOBAL DEFAULT   11 get_seccomp_action
   578: 0000000000021bf0   541 FUNC    GLOBAL DEFAULT   11 libcrun_apply_seccomp
❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libc.so.6 /usr/lib64/libcrun.so.0
```

```
Portage 2.3.99 (python 3.6.10-final-0, default/linux/amd64/17.1/desktop/plasma/systemd, gcc-9.3.0, glibc-2.30-r8, 5.5.17 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-5.5.17-x86_64-AMD_Ryzen_5_2400G_with_Radeon_Vega_Graphics-with-gentoo-2.7
KiB Mem: 14128296 total, 1185956 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Thu, 16 Apr 2020 17:45:01 +0000
Head commit of repository gentoo: b6b1643b63d91737eb8b2f2d41123bb2491eccbb
Head commit of repository flatpak-overlay: 2bcc4b030ff8288683533a84f15777680c8c883e
Head commit of repository local: 5c736951ad314c982bd80d3a1fcd4d08a5c6e434
sh bash 5.0_p16
ld GNU gold (Gentoo 2.34 p1 2.34.0) 1.16
ccache version 3.7.9 [disabled]
app-shells/bash: 5.0_p16::gentoo
dev-java/java-config: 2.2.0-r4::gentoo
dev-lang/perl: 5.30.2::gentoo
dev-lang/python: 2.7.17-r2::gentoo, 3.6.10-r1::gentoo, 3.7.7-r1::gentoo, 3.8.2-r1::gentoo, 3.9.0_alpha5::gentoo
dev-util/ccache: 3.7.9::gentoo
dev-util/cmake: 3.17.1::gentoo
dev-util/pkgconfig: 0.29.2::gentoo
sys-apps/baselayout: 2.7::gentoo
sys-apps/sandbox: 2.18::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake: 1.13.4-r2::gentoo, 1.16.2::gentoo
sys-devel/binutils: 2.34::gentoo
sys-devel/gcc: 9.3.0::gentoo
sys-devel/gcc-config: 2.2.1::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.6::gentoo (virtual/os-headers)
sys-libs/glibc: 2.30-r8::gentoo
Repositories:

gentoo
    location: /var/cache/portage/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes

flatpak-overlay
    location: /var/db/repos/flatpak-overlay
    sync-type: git
    sync-uri: https://github.com/fosero/flatpak-overlay.git
    masters: gentoo

local
    location: /var/cache/portage/local
    sync-type: git
    sync-uri: https://github.com/devurandom/gentoo-overlay.git
    masters: gentoo
    priority: 1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=znver1"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/grs/systems.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.6/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-pipe -O2 -march=znver1"
DISTDIR="/var/cache/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildsyspkg cgroup compressdebug config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox merge-sync mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j6 -l4"
PKGDIR="/var/cache/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/tmp"
USE="7z 7zip X a52 aac aacplus aacs acl acpi activities aio alsa amd64 appindicator appstream archive audit avahi ayatana bdplus berkdb blake2 bluetooth bluray bpf branding brotli bs2b btrfs bzip2 cairo caps cdda cddb cdio cdr celt chromaprint cjk clang cli clipboard color-management colord conntrack crypt cups d3d9 dav1d dbus declarative device-mapper dirac djvu dri drm dts dvb dvd dvdr ed25519 editorconfig egl elf emboss encode epub evdev exif faudio fax fbcon fdk ffmpeg fftw filecaps firefox firewalld fish-completion fits flac fontconfig fontforge fortran fribidi gamepad gbm gdal gdbm geoclue geolocation gif git gles2 gmp gnome-online-accounts gnupg google googledrive gpg gps graphicsmagick gstreamer gtk gtk3 gzip harfbuzz hdf5 heif http2 ibus iconv icu idn imlib inotify introspection ipv6 jemalloc jpeg jpeg2k json kde kipi kms kwallet ladspa latex lcms libatomic libglvnd libidn2 libinput libnotify libproxy libsecret libsoxr libtirpc libvirt lm-sensors lrz lv2 lvm lz4 lzma lzo mad mariadb markdown mbim mercurial mjpeg mng mobi modemmanager modplug mp3 mp4 mpeg mplayer mpris mtp multilib mysql ncurses netlink networkmanager nls nptl numa office ofx ogg openal opencl opencv openexr opengl openh264 openmax openmp opus pam pango pcap pch pcre pcre2 pdf pgo phonon pixman pkcs11 pkcs7 plasma pm-utils png policykit postscript ppds prison pulseaudio pwquality python qml qrcode qt5 raw rdp readline redfish samba sasl scanner schroedinger screencast sctp sdl sdl2 seccomp semantic-desktop share smartcard snappy sparse speech speex spell spice ssl startup-notification steamruntime stemmer svg systemd systemtap tbb tcpd teamd telepathy tga theora threads thunderbolt tiff timezone tmux truetype tslib udev udisks uinput unicode unwind upnp upnp-av upower usb utempter v4l v4l2 vaapi vdpau vkd3d vorbis vpx vulkan wasm wavpack wayland webchannel webengine webp widgets wmf woff2 wps x264 x265 xattr xcb xcomposite xinerama xkb xml xmp xrandr xscreensaver xv xvid xwayland xxhash xz yaml zeroconf zeromq zimg zlib zstd" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" ENLIGHTENMENT_MODULES="*" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="joystick libinput" KERNEL="linux" L10N="de de-DE en en-GB ar fa tr ja ko zh zh-CN zh-TW" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="nlpsolver scripting-javascript wiki-publisher" LIRC_DEVICES="devinput" LLVM_TARGETS="AMDGPU BPF RISCV WebAssembly" LUA_TARGET="lua5-2" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6 pypy pypy3" QEMU_SOFTMMU_TARGETS="riscv32 riscv64 x86_64" QEMU_USER_TARGETS="riscv32 riscv64" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu virgl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================

app-emulation/crun-0.10.6::gentoo was built with the following:
USE="bpf caps seccomp systemd -doc -static-libs" ABI_X86="(64)"

app-emulation/libpod-1.8.2::gentoo was built with the following:
USE="btrfs rootless -apparmor (-selinux)" ABI_X86="(64)"
LDFLAGS=""
```
I was able to use dev-util/patchelf to work around the issue:

```
❯ sudo patchelf --add-needed libseccomp.so.2 /usr/lib64/libcrun.so.0.0.0
❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0
```

But I run into the next error:

```
cannot configure rootless cgroup using the cgroupfs manager\n/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: cap_from_name\nsync socket closed: OCI runtime error
```

This can also be worked around:

```
❯ readelf -s /usr/lib64/libcap.so.2 | rg cap_from_name
    45: 00000000000047c0    43 FUNC    GLOBAL DEFAULT   11 cap_from_name
❯ sudo patchelf --add-needed libcap.so.2 /usr/lib64/libcrun.so.0.0.0
❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libcap.so.2,libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0
```

Now podman-compose appears to work.
More fun:

```
/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: sd_bus_default\n{\"msg\":\"sync socket closed\",\"level\":\"error\",\"time\":\"2020-04-16T20:14:10.000071856Z\"}: OCI runtime error
```

Worked around in the same manner:

```
❯ readelf -s /usr/lib64/libsystemd.so.0.28.0 | rg sd_bus_default
   494: 00000000000450b0    41 FUNC    GLOBAL DEFAULT   11 sd_bus_default_user@@LIBSYSTEMD_221
   580: 0000000000048980   101 FUNC    GLOBAL DEFAULT   11 sd_bus_default_flush_clos@@LIBSYSTEMD_227
   635: 0000000000045080    41 FUNC    GLOBAL DEFAULT   11 sd_bus_default_system@@LIBSYSTEMD_221
   663: 00000000000450e0    84 FUNC    GLOBAL DEFAULT   11 sd_bus_default@@LIBSYSTEMD_221
❯ sudo patchelf --add-needed libsystemd.so.0 /usr/lib64/libcrun.so.0.0.0
❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libsystemd.so.0,libcap.so.2,libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0
```
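The manual check from the comments above (list the UND symbols, find the library that defines them, compare against NEEDED) written as a script. This is an added example, not part of the bug report or of crun; the function names are hypothetical and the sample symbol lines are constructed, modelled on the readelf output quoted in the report.

```shell
# Added example: find libraries missing from DT_NEEDED (underlinking).
LC_ALL=C; export LC_ALL   # sort and comm must agree on ordering
# Undefined symbol names from `readelf -W --dyn-syms` output on stdin.
undefined_syms() {
    awk '$7 == "UND" && $8 != "" { sub(/@.*/, "", $8); print $8 }' | sort -u
}
# Names of symbols a library defines (same input format, version tag stripped).
defined_syms() {
    awk '$7 ~ /^[0-9]+$/ && $5 != "LOCAL" { sub(/@.*/, "", $8); print $8 }' | sort -u
}
# missing_needed NEEDED UND_FILE SONAME=DEFS_FILE...
# NEEDED is the comma-separated list shown by `scanelf -n`. Prints
# "soname: symbol" for each undefined symbol that no candidate in NEEDED
# defines but a candidate outside NEEDED does.
missing_needed() {
    needed=",$1,"; und=$2; shift 2
    left=$(mktemp) || return 1
    cp "$und" "$left"
    for pair in "$@"; do   # pass 1: drop symbols a NEEDED library satisfies
        lib=${pair%%=*}; defs=${pair#*=}
        case $needed in *",$lib,"*)
            comm -23 "$left" "$defs" > "$left.new" && mv "$left.new" "$left" ;;
        esac
    done
    for pair in "$@"; do   # pass 2: report providers that are not in NEEDED
        lib=${pair%%=*}; defs=${pair#*=}
        case $needed in *",$lib,"*) ;; *)
            comm -12 "$left" "$defs" | sed "s|^|$lib: |" ;;
        esac
    done
    rm -f "$left"
}

# Constructed sample (symbol numbers and addresses are illustrative).
demo() {
    d=$(mktemp -d) || return 1
    undefined_syms > "$d/und" <<'EOF'
   183: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_init
   184: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND cap_from_name
   578: 0000000000021bf0   541 FUNC    GLOBAL DEFAULT   11 libcrun_apply_seccomp
EOF
    defined_syms > "$d/cap" <<'EOF'
    45: 00000000000047c0    43 FUNC    GLOBAL DEFAULT   11 cap_from_name
EOF
    defined_syms > "$d/seccomp" <<'EOF'
    12: 0000000000001000    10 FUNC    GLOBAL DEFAULT   11 seccomp_init
EOF
    missing_needed "$1" "$d/und" libcap.so.2="$d/cap" libseccomp.so.2="$d/seccomp"
    rm -rf "$d"
}
```

On a real system, pipe `readelf -W --dyn-syms <library>` into `undefined_syms` and `defined_syms`, and pass the NEEDED column of `scanelf -n` as the first argument of `missing_needed`. An empty result for the candidates given means none of them is missing from NEEDED.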
The issue persists in version 0.13 (local overlay, cf. https://bugs.gentoo.org/709982).
The issue persists in 0.14.1:

```
❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libc.so.6 /usr/lib64/libcrun.so.0
❯ readelf -s /usr/lib64/libcrun.so.0 | rg seccomp
   177: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_export_bpf
   178: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add
   179: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add_array
   180: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_release
   181: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_syscall_resolve_n
   182: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_add
   183: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_resolve_name
   184: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_init
```

Bug #737460 appears to be a similar issue of underlinking.

Should we reassign this bug to maintainer-needed?
Reproducible also using `buildah run ...`:

```
++ buildah from docker.io/circleci/php@sha256:92168b0092945ca4dee27564292996cd0f19e3fdedea6b75e83e367eaede598b
+ php_ct=php-working-container-1
+ buildah copy php-working-container-1 ./composer.json /app/
de2935457610cfd2bd673ec5d916c2ba5d256b04e13311cde3e3cdbc162cf564
+ buildah copy php-working-container-1 ./composer.lock /app/
44c4883a8ebfab560dc23e6a04b8847e5f3da16de95951ad4f6bc68ee246d19e
+ buildah copy php-working-container-1 ./database /app/
7826a941d5aade1ef26d94aad5434832b22363ccc396f33eada8c3f27140c697
+ buildah run php-working-container-1 composer install --ignore-platform-reqs --no-interaction --no-plugins --no-scripts --prefer-dist
/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: seccomp_init
2020-08-30T10:26:31.000687192Z: sync socket closed
error running container: error creating container for [/usr/local/bin/composer install --ignore-platform-reqs --no-interaction --no-plugins --no-scripts --prefer-dist]: : exit status 127
error while running runtime: exit status 1
ERRO exit status 1
```
When running `buildah run --runtime-flag=systemd ...` I get:

```
/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: sd_bus_default_user
```

Workaround:

```
❯ sudo patchelf --add-needed libcap.so.2 /usr/lib64/libcrun.so.0.0.0
❯ sudo patchelf --add-needed libseccomp.so.2 /usr/lib64/libcrun.so.0.0.0
❯ sudo patchelf --add-needed libsystemd.so.0 /usr/lib64/libcrun.so.0.0.0
```
Persists with app-emulation/crun-0.15 and app-emulation/libpod-2.2.1. Also reproducible by just running `podman run -ti image /bin/sh`.
Persists with app-emulation/crun-0.18 and app-emulation/podman-3.0.1.
Can confirm this is still an issue on app-emulation/crun-0.19.1 and app-emulation/podman-3.2.1
The libcrun_la_LDFLAGS target in Makefile.am seems to be missing $(FOUND_LIBS).

Adding the following phase to the ebuild seems to link properly:

```
src_prepare() {
	default
	# Append the detected libraries to libcrun's link line, then regenerate the build system.
	sed -i 's@^libcrun_la_LIBADD.*@libcrun_la_LIBADD = libocispec/libocispec.la $(maybe_libyajl.la) $(FOUND_LIBS)@' Makefile.am || die
	eautoreconf
}
```

Can someone test it?
It works for me.
*** Bug 737460 has been marked as a duplicate of this bug. ***
Created attachment 728256
env file for crun-0.19.1

Temporary workaround: you can place the attached file at /etc/portage/env/app-emulation/crun-0.19.1 (as a file, not as a directory) and re-emerge crun. Without editing the ebuild, it will apply a fix.
https://github.com/containers/crun/pull/712/files
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bebd123a64235046ab73bb3fed35cb0973fd1857

```
commit bebd123a64235046ab73bb3fed35cb0973fd1857
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 09:35:16 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 09:36:43 +0000

    app-emulation/crun: drop 0.18

    Closes: https://bugs.gentoo.org/717750
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/crun/Manifest         |  1 -
 app-emulation/crun/crun-0.18.ebuild | 61 -------------------------------------
 2 files changed, 62 deletions(-)
```

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ea780e78b89e07a1c6a50ec069d3cfb68e23a63

```
commit 1ea780e78b89e07a1c6a50ec069d3cfb68e23a63
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 09:34:33 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 09:36:42 +0000

    app-emulation/crun: revbump, fix libcrun underlinking.

    Bug: https://bugs.gentoo.org/717750
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../{crun-0.19.1.ebuild => crun-0.19.1-r1.ebuild}  |  9 +++++++
 app-emulation/crun/files/libcrun-linkage.patch     | 29 ++++++++++++++++++++++
 2 files changed, 38 insertions(+)
```