Bug 717750

Summary:	app-emulation/crun-0.18 with app-emulation/podman-3.0.1 and app-emulation/buildah-1.19.6 - /usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: seccomp_init
Product:	Gentoo Linux	Reporter:	Dennis Schridde <dschridde+gentoobugs>
Component:	Current packages	Assignee:	robertgzr <robert>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gyakovlev, jeffrey, jstein, proxy-maint, sam, sebasmagri
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/containers/crun/issues/711
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=737460
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	env file for crun-0.19.1

Description Dennis Schridde 2020-04-16 19:49:58 UTC

I am using podman-compose [1] to start a simple docker-compose.yml, but instead of booting the containers, it shows this error:

cannot configure rootless cgroup using the cgroupfs manager\n/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: seccomp_init\nsync socket closed: OCI runtime error

[1]: https://github.com/containers/podman-compose

I can confirm a case of underlinking using plain scanelf and readelf:

❯ readelf -s /usr/lib64/libcrun.so.0 | rg seccomp
   176: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add
   177: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_release
   178: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_export_bpf
   179: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add_array
   180: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_syscall_resolve_n
   181: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_add
   182: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_resolve_name
   183: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_init
   271: 00000000000219e0   289 FUNC    GLOBAL DEFAULT   11 get_seccomp_operator
   557: 0000000000021b10   209 FUNC    GLOBAL DEFAULT   11 get_seccomp_action
   578: 0000000000021bf0   541 FUNC    GLOBAL DEFAULT   11 libcrun_apply_seccomp

❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libc.so.6 /usr/lib64/libcrun.so.0

Portage 2.3.99 (python 3.6.10-final-0, default/linux/amd64/17.1/desktop/plasma/systemd, gcc-9.3.0, glibc-2.30-r8, 5.5.17 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.5.17-x86_64-AMD_Ryzen_5_2400G_with_Radeon_Vega_Graphics-with-gentoo-2.7
KiB Mem:    14128296 total,   1185956 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Thu, 16 Apr 2020 17:45:01 +0000
Head commit of repository gentoo: b6b1643b63d91737eb8b2f2d41123bb2491eccbb
Head commit of repository flatpak-overlay: 2bcc4b030ff8288683533a84f15777680c8c883e

Head commit of repository local: 5c736951ad314c982bd80d3a1fcd4d08a5c6e434

sh bash 5.0_p16
ld GNU gold (Gentoo 2.34 p1 2.34.0) 1.16
ccache version 3.7.9 [disabled]
app-shells/bash:          5.0_p16::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.2::gentoo
dev-lang/python:          2.7.17-r2::gentoo, 3.6.10-r1::gentoo, 3.7.7-r1::gentoo, 3.8.2-r1::gentoo, 3.9.0_alpha5::gentoo
dev-util/ccache:          3.7.9::gentoo
dev-util/cmake:           3.17.1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.13.4-r2::gentoo, 1.16.2::gentoo
sys-devel/binutils:       2.34::gentoo
sys-devel/gcc:            9.3.0::gentoo
sys-devel/gcc-config:     2.2.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.6::gentoo (virtual/os-headers)
sys-libs/glibc:           2.30-r8::gentoo
Repositories:

gentoo
    location: /var/cache/portage/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts: 
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes

flatpak-overlay
    location: /var/db/repos/flatpak-overlay
    sync-type: git
    sync-uri: https://github.com/fosero/flatpak-overlay.git
    masters: gentoo

local
    location: /var/cache/portage/local
    sync-type: git
    sync-uri: https://github.com/devurandom/gentoo-overlay.git
    masters: gentoo
    priority: 1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=znver1"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/grs/systems.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.6/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-pipe -O2 -march=znver1"
DISTDIR="/var/cache/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildsyspkg cgroup compressdebug config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox merge-sync mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j6 -l4"
PKGDIR="/var/cache/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/tmp"
USE="7z 7zip X a52 aac aacplus aacs acl acpi activities aio alsa amd64 appindicator appstream archive audit avahi ayatana bdplus berkdb blake2 bluetooth bluray bpf branding brotli bs2b btrfs bzip2 cairo caps cdda cddb cdio cdr celt chromaprint cjk clang cli clipboard color-management colord conntrack crypt cups d3d9 dav1d dbus declarative device-mapper dirac djvu dri drm dts dvb dvd dvdr ed25519 editorconfig egl elf emboss encode epub evdev exif faudio fax fbcon fdk ffmpeg fftw filecaps firefox firewalld fish-completion fits flac fontconfig fontforge fortran fribidi gamepad gbm gdal gdbm geoclue geolocation gif git gles2 gmp gnome-online-accounts gnupg google googledrive gpg gps graphicsmagick gstreamer gtk gtk3 gzip harfbuzz hdf5 heif http2 ibus iconv icu idn imlib inotify introspection ipv6 jemalloc jpeg jpeg2k json kde kipi kms kwallet ladspa latex lcms libatomic libglvnd libidn2 libinput libnotify libproxy libsecret libsoxr libtirpc libvirt lm-sensors lrz lv2 lvm lz4 lzma lzo mad mariadb markdown mbim mercurial mjpeg mng mobi modemmanager modplug mp3 mp4 mpeg mplayer mpris mtp multilib mysql ncurses netlink networkmanager nls nptl numa office ofx ogg openal opencl opencv openexr opengl openh264 openmax openmp opus pam pango pcap pch pcre pcre2 pdf pgo phonon pixman pkcs11 pkcs7 plasma pm-utils png policykit postscript ppds prison pulseaudio pwquality python qml qrcode qt5 raw rdp readline redfish samba sasl scanner schroedinger screencast sctp sdl sdl2 seccomp semantic-desktop share smartcard snappy sparse speech speex spell spice ssl startup-notification steamruntime stemmer svg systemd systemtap tbb tcpd teamd telepathy tga theora threads thunderbolt tiff timezone tmux truetype tslib udev udisks uinput unicode unwind upnp upnp-av upower usb utempter v4l v4l2 vaapi vdpau vkd3d vorbis vpx vulkan wasm wavpack wayland webchannel webengine webp widgets wmf woff2 wps x264 x265 xattr xcb xcomposite xinerama xkb xml xmp xrandr xscreensaver xv xvid xwayland xxhash xz yaml zeroconf zeromq zimg zlib zstd" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" ENLIGHTENMENT_MODULES="*" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="joystick libinput" KERNEL="linux" L10N="de de-DE en en-GB ar fa tr ja ko zh zh-CN zh-TW" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="nlpsolver scripting-javascript wiki-publisher" LIRC_DEVICES="devinput" LLVM_TARGETS="AMDGPU BPF RISCV WebAssembly" LUA_TARGET="lua5-2" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6 pypy pypy3" QEMU_SOFTMMU_TARGETS="riscv32 riscv64 x86_64" QEMU_USER_TARGETS="riscv32 riscv64" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu virgl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

app-emulation/crun-0.10.6::gentoo was built with the following:
USE="bpf caps seccomp systemd -doc -static-libs" ABI_X86="(64)"


app-emulation/libpod-1.8.2::gentoo was built with the following:
USE="btrfs rootless -apparmor (-selinux)" ABI_X86="(64)"
LDFLAGS=""

Comment 1 Dennis Schridde 2020-04-16 19:59:36 UTC

I was able to use dev-util/patchelf to workaround the issue:

❯ sudo patchelf --add-needed libseccomp.so.2 /usr/lib64/libcrun.so.0.0.0

❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0

But I run into the next error:

cannot configure rootless cgroup using the cgroupfs manager\n/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: cap_from_name\nsync socket closed: OCI runtime error


This can also be worked around:

❯ readelf -s /usr/lib64/libcap.so.2 | rg cap_from_name
    45: 00000000000047c0    43 FUNC    GLOBAL DEFAULT   11 cap_from_name

❯ sudo patchelf --add-needed libcap.so.2 /usr/lib64/libcrun.so.0.0.0

❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libcap.so.2,libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0


Now podman-compose appears to work.

Comment 2 Dennis Schridde 2020-04-16 20:27:03 UTC

More fun:

/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: sd_bus_default\n{\"msg\":\"sync socket closed\",\"level\":\"error\",\"time\":\"2020-04-16T20:14:10.000071856Z\"}: OCI runtime error

Worked around in the same manner:

❯ readelf -s /usr/lib64/libsystemd.so.0.28.0 | rg sd_bus_default
   494: 00000000000450b0    41 FUNC    GLOBAL DEFAULT   11 sd_bus_default_user@@LIBSYSTEMD_221
   580: 0000000000048980   101 FUNC    GLOBAL DEFAULT   11 sd_bus_default_flush_clos@@LIBSYSTEMD_227
   635: 0000000000045080    41 FUNC    GLOBAL DEFAULT   11 sd_bus_default_system@@LIBSYSTEMD_221
   663: 00000000000450e0    84 FUNC    GLOBAL DEFAULT   11 sd_bus_default@@LIBSYSTEMD_221

❯ sudo patchelf --add-needed libsystemd.so.0 /usr/lib64/libcrun.so.0.0.0

❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libsystemd.so.0,libcap.so.2,libseccomp.so.2,libc.so.6 /usr/lib64/libcrun.so.0

Comment 3 Dennis Schridde 2020-04-21 07:56:25 UTC

The issue persists in version 0.13 (local overlay, cf. https://bugs.gentoo.org/709982).

Comment 4 Dennis Schridde 2020-08-30 10:22:46 UTC

The issue persists in 0.14.1:

❯ scanelf -n /usr/lib64/libcrun.so.0
 TYPE   NEEDED FILE
ET_DYN libc.so.6 /usr/lib64/libcrun.so.0

❯ readelf -s /usr/lib64/libcrun.so.0 | rg seccomp
   177: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_export_bpf
   178: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add
   179: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_rule_add_array
   180: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_release
   181: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_syscall_resolve_n
   182: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_add
   183: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_arch_resolve_name
   184: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND seccomp_init


Bug #737460 appears to be a similar issue of underlinking.  Should we reassign this bug to maintainer-needed?

Comment 5 Dennis Schridde 2020-08-30 10:27:34 UTC

Reproducible also using `buildah run ...`:

++ buildah from docker.io/circleci/php@sha256:92168b0092945ca4dee27564292996cd0f19e3fdedea6b75e83e367eaede598b
+ php_ct=php-working-container-1
+ buildah copy php-working-container-1 ./composer.json /app/
de2935457610cfd2bd673ec5d916c2ba5d256b04e13311cde3e3cdbc162cf564
+ buildah copy php-working-container-1 ./composer.lock /app/
44c4883a8ebfab560dc23e6a04b8847e5f3da16de95951ad4f6bc68ee246d19e
+ buildah copy php-working-container-1 ./database /app/
7826a941d5aade1ef26d94aad5434832b22363ccc396f33eada8c3f27140c697
+ buildah run php-working-container-1 composer install --ignore-platform-reqs --no-interaction --no-plugins --no-scripts --prefer-dist
/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: seccomp_init
2020-08-30T10:26:31.000687192Z: sync socket closed
error running container: error creating container for [/usr/local/bin/composer install --ignore-platform-reqs --no-interaction --no-plugins --no-scripts --prefer-dist]: : exit status 127
error while running runtime: exit status 1
ERRO exit status 1

Comment 6 Dennis Schridde 2020-08-30 11:13:33 UTC

When running `buildah run --runtime-flag=systemd ...` I get:
```
/usr/bin/crun: symbol lookup error: /usr/lib64/libcrun.so.0: undefined symbol: sd_bus_default_user
```

Workaround:

❯ sudo patchelf --add-needed libcap.so.2 /usr/lib64/libcrun.so.0.0.0
❯ sudo patchelf --add-needed libseccomp.so.2 /usr/lib64/libcrun.so.0.0.0
❯ sudo patchelf --add-needed libsystemd.so.0 /usr/lib64/libcrun.so.0.0.0

Comment 7 Dennis Schridde 2021-01-06 16:15:49 UTC

Persists with app-emulation/crun-0.15 and app-emulation/libpod-2.2.1.  Also reproducible by just running `podman run -ti image /bin/sh`.

Comment 8 Dennis Schridde 2021-04-17 17:35:56 UTC

Persists with app-emulation/crun-0.18 and app-emulation/podman-3.0.1.

Comment 9 Sebastián Magrí 2021-07-22 08:16:04 UTC

Can confirm this is still an issue on app-emulation/crun-0.19.1 and app-emulation/podman-3.2.1

Comment 10 Georgy Yakovlev archtester

2021-07-22 08:56:28 UTC

libcrun_la_LDFLAGS target in Makefile.am seems to be missing $(FOUND_LIBS)

adding following phase to ebuild seems to be linking properly:

src_prepare() {
    default
    sed -i 's@^libcrun_la_LIBADD.*@libcrun_la_LIBADD = libocispec/libocispec.la $(maybe_libyajl.la) $(FOUND_LIBS)@' Makefile.am || die
    eautoreconf
}

can someone test it?

Comment 11 Sebastián Magrí 2021-07-22 09:07:19 UTC

It works for me.

Comment 12 Georgy Yakovlev archtester

2021-07-30 11:48:04 UTC

*** Bug 737460 has been marked as a duplicate of this bug. ***

Comment 13 Georgy Yakovlev archtester

2021-07-30 11:51:29 UTC

Created attachment 728256 [details]
env file for crun-0.19.1

temporary workaround:

you can place attached file to

/etc/portage/env/app-emulation/crun-0.19.1  (as file, not as directory)


and re-emerge crun, without editing ebuild, it will apply a fix.

Comment 14 Georgy Yakovlev archtester

2021-08-02 10:57:29 UTC

https://github.com/containers/crun/pull/712/files

Comment 15 Larry the Git Cow gentoo-dev

2021-08-04 09:36:57 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bebd123a64235046ab73bb3fed35cb0973fd1857

commit bebd123a64235046ab73bb3fed35cb0973fd1857
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 09:35:16 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 09:36:43 +0000

    app-emulation/crun: drop 0.18
    
    Closes: https://bugs.gentoo.org/717750
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/crun/Manifest         |  1 -
 app-emulation/crun/crun-0.18.ebuild | 61 -------------------------------------
 2 files changed, 62 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ea780e78b89e07a1c6a50ec069d3cfb68e23a63

commit 1ea780e78b89e07a1c6a50ec069d3cfb68e23a63
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 09:34:33 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 09:36:42 +0000

    app-emulation/crun: revbump, fix libcrun underlinking.
    
    Bug: https://bugs.gentoo.org/717750
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../{crun-0.19.1.ebuild => crun-0.19.1-r1.ebuild}  |  9 +++++++
 app-emulation/crun/files/libcrun-linkage.patch     | 29 ++++++++++++++++++++++
 2 files changed, 38 insertions(+)