Bug 728124 - app-emulation/firecracker with sys-libs/glibc and seccomp : [anonymous-instance:ERROR:src/vmm/src/signal_handler.rs:37] Shutting down VM after intercepting a bad syscall (39).
Summary: app-emulation/firecracker with sys-libs/glibc and seccomp : [anonymous-instan...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mikle Kolyada (RETIRED)
Keywords: PullRequest

Reported: 2020-06-13 13:02 UTC by Sebastian Hamann
Modified: 2020-09-07 18:18 UTC

Description Sebastian Hamann 2020-06-13 13:02:38 UTC
When trying to run upstream's "hello world" VM according to the "Getting started" guide (https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md#running-firecracker), firecracker terminates with the following error:

[anonymous-instance:ERROR:src/vmm/src/signal_handler.rs:37] Shutting down VM after intercepting a bad syscall (39).

The issue is explained at https://github.com/firecracker-microvm/firecracker/issues/1515
The summary: Firecracker includes an allowlist of necessary syscalls and terminates on any other calls. Glibc uses other syscalls than musl and Firecracker (at least as of v0.21.1) does not have an appropriate list for glibc.

Since app-emulation/firecracker links against glibc (unless the whole system runs on musl), the only workaround seems to be running firecracker without a seccomp filter (--seccomp-level 0). Security-wise this is not desirable.

I believe there are three ways to handle this:
1. Wait for upstream to improve glibc support (or patch the allowlist during build).
2. (Optionally) build app-emulation/firecracker with musl, even on glibc systems. According to bug #615030, this does not seem feasible.
3. Provide a way of installing upstream's binary releases (app-emulation/firecracker-bin)

I went with the last option and made an ebuild. I'll make a pull request (for the easier review process).

Reproducible: Always

Steps to Reproduce:
1. Use glibc
2. emerge app-emulation/firecracker
3. Run firecracker
4. Use the API to start any VM

Actual Results:  
[anonymous-instance:ERROR:src/vmm/src/signal_handler.rs:37] Shutting down VM after intercepting a bad syscall (39).


Expected Results:  
The VM runs.
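The report describes two pieces working together: a seccomp-bpf allowlist that traps any syscall not on the list, and a SIGSYS handler that reads the offending syscall number and shuts the process down. The C program below is an added example that reproduces that mechanism on its own; it is not Firecracker's code and not from this bug report. It assumes a Linux host with seccomp-bpf (x86_64 or aarch64); the allowlist, the helper names (install_allowlist, intercepted_syscall, call_getpid, well_behaved) and the use of a forked child plus a pipe to report the number are all constructed for the demo. The allowlist deliberately omits getpid, so the child trips exactly the way a glibc build does against a musl-tuned list.

```c
/* Added example: a minimal seccomp-bpf syscall allowlist plus a SIGSYS
 * handler that reports the intercepted syscall number, mirroring the
 * mechanism behind "Shutting down VM after intercepting a bad syscall (39)".
 * Illustrative code, not Firecracker's; the allowlist is constructed for
 * the demo and deliberately omits getpid. Linux only. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Constructed allowlist: just enough for the child to report and exit. */
static const int demo_allowlist[] = { SYS_write, SYS_close, SYS_exit,
                                      SYS_exit_group, SYS_rt_sigreturn };
static const size_t demo_allowlist_len =
    sizeof demo_allowlist / sizeof demo_allowlist[0];

static int report_fd = -1;

/* SIGSYS handler: the kernel puts the offending syscall number in
 * si_syscall. Report it to the parent and exit, the way Firecracker's
 * handler logs the number and shuts the VM down. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    int nr = si->si_syscall;
    if (write(report_fd, &nr, sizeof nr) != (ssize_t)sizeof nr)
        _exit(2);
    _exit(1);
}

/* Build and load the filter: wrong ABI -> kill, listed syscall -> allow,
 * anything else -> SIGSYS (SECCOMP_RET_TRAP). */
static int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[64];
    size_t len = 0;
    if (2 * n + 5 > sizeof prog / sizeof prog[0])
        return -1;
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned)allowed[i], 0, 1);
        prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

/* Run `victim` in a forked child under the allowlist; return the syscall
 * number it tripped on, or -1 if every syscall it made was allowed. */
static int intercepted_syscall(const int *allowed, size_t n, void (*victim)(void))
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        report_fd = pfd[1];
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_sigsys;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSYS, &sa, NULL);
        if (install_allowlist(allowed, n) != 0)
            _exit(3);
        victim();
        _exit(0);
    }
    close(pfd[1]);
    int nr = -1;
    ssize_t got = read(pfd[0], &nr, sizeof nr);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return got == (ssize_t)sizeof nr ? nr : -1;
}

static void call_getpid(void) { syscall(SYS_getpid); }  /* not on the list */
static void well_behaved(void) { }                        /* makes no syscall */

int main(void)
{
    int nr = intercepted_syscall(demo_allowlist, demo_allowlist_len, call_getpid);
    printf("intercepting a bad syscall (%d)\n", nr);
    return nr == SYS_getpid ? 0 : 1;
}
```

On an x86_64 host the reported number is 39, which is __NR_getpid in asm/unistd_64.h; on aarch64 the same program reports 172, which is why a filter must check the architecture before comparing syscall numbers. The same trap-and-report shape is what makes the Firecracker message actionable: the number in parentheses is si_syscall from the SIGSYS siginfo, so resolving it against the host's unistd header tells you which libc code path the allowlist is missing.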
Comment 1 Sebastian Hamann 2020-09-01 18:41:35 UTC
According to the following two issues, firecracker's limited support for glibc is known and accepted:
https://github.com/firecracker-microvm/firecracker/issues/2044
https://github.com/firecracker-microvm/firecracker/issues/2102

My impression is that upstream strongly focuses on musl and the glibc build will not have the same features in the foreseeable future. I think that rules out option 1. above.
Comment 2 Larry the Git Cow gentoo-dev 2020-09-07 18:18:41 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69eb27243a3c16d35dab1ed185ba59dce21ac25a

commit 69eb27243a3c16d35dab1ed185ba59dce21ac25a
Author:     Sebastian Hamann <code@ares-macrotechnology.com>
AuthorDate: 2020-06-13 13:03:52 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-09-07 18:18:33 +0000

    app-emulation/firecracker-bin: new package
    
    Install upstream's firecracker and jailer binaries (statically linked
    against musl).
    As of version 0.22.0, seccomp filters only work on musl builds.
    
    Closes: https://bugs.gentoo.org/728124
    Signed-off-by: Sebastian Hamann <code@ares-macrotechnology.com>
    Closes: https://github.com/gentoo/gentoo/pull/16219
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/firecracker-bin/Manifest             |  4 ++
 .../firecracker-bin/firecracker-bin-0.22.0.ebuild  | 82 ++++++++++++++++++++++
 app-emulation/firecracker-bin/metadata.xml         | 12 ++++
 3 files changed, 98 insertions(+)