
containerd-1.3.5: undefined symbol: seccomp_api_set #4349

@thepwagner

Description

Containerd switched to GitHub Actions for releases between release 1.3.4 and 1.3.5. #4280
GitHub Actions uses ubuntu:18.04 base images, which provide libseccompdev-2.4.3-1ubuntu3.18.04.2 (source).
Per #4008, libseccomp > 2.4 introduced seccomp_api_set, so binaries compiled against this version won't work with older versions.

This impacts releases that switch to GitHub Actions (e.g. 1.3.5).
This behaviour was considered a bug and patched on 1.2.x with #4015

Steps to reproduce the issue:
1.

$ docker run --rm debian:buster sh -c '(apt-get update && apt-get -y install curl && curl -L -o /tmp/ctr.tgz https://github.com/containerd/containerd/releases/download/v1.3.5/containerd-1.3.5-linux-amd64.tar.gz && tar xvvzf /tmp/ctr.tgz) >/dev/null && bin/containerd --version'

Describe the results you received:

bin/containerd: symbol lookup error: bin/containerd: undefined symbol: seccomp_api_set

Describe the results you expected:

$ docker run --rm debian:buster sh -c '(apt-get update && apt-get -y install curl && curl -L -o /tmp/ctr.tgz https://github.com/containerd/containerd/releases/download/v1.3.3/containerd-1.3.3.linux-amd64.tar.gz && tar xvvzf /tmp/ctr.tgz) >/dev/null && bin/containerd --version'
containerd github.com/containerd/containerd v1.3.3 d76c121f76a5fc8a462dc64594aea72fe18e1178

$ docker run --rm debian:buster sh -c '(apt-get update && apt-get -y install curl && curl -L -o /tmp/ctr.tgz https://github.com/containerd/containerd/releases/download/v1.3.4/containerd-1.3.4.linux-amd64.tar.gz && tar xvvzf /tmp/ctr.tgz) >/dev/null && bin/containerd --version'
containerd github.com/containerd/containerd v1.3.4 814b7956fafc7a0980ea07e950f983d0837e5578

Output of containerd --version:

bin/containerd: symbol lookup error: bin/containerd: undefined symbol: seccomp_api_set

Any other relevant information:

This may be a WONTFIX - we can compile ourselves.

It could be resolved by building binaries in Docker instead of on the Actions VM. It might be easier to pin 2.3 there.

$ docker run --rm golang:1.14 sh -c '(apt-get update && apt-cache showpkg libseccomp-dev) | grep -A1 Versions'
Versions:
2.3.3-4 (/var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages.lz4)
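
The mismatch reported above can be caught before publishing a release by comparing the libseccomp symbols a binary imports with those exported by the oldest libseccomp it has to run against. This is an added example, not part of the original issue or containerd's release tooling; the function names, file names and sample `nm` listings are constructed for illustration.

```sh
# Added example. Real input would come from:
#   nm -D --undefined-only bin/containerd > needed.txt
#   nm -D --defined-only <oldest supported libseccomp.so.2> > provided.txt

# Print seccomp_* symbols the binary imports that the library does not export.
missing_seccomp_syms() {
    work=$(mktemp -d) || return 2
    # Undefined entries: "U name" ("w" if weak); strip any @VERSION suffix.
    awk '($1 == "U" || $1 == "w") && $2 ~ /^seccomp_/ { sub(/@.*/, "", $2); print $2 }' \
        "$1" | LC_ALL=C sort -u > "$work/need"
    # Defined entries: "ADDRESS TYPE name".
    awk 'NF == 3 { sub(/@.*/, "", $3); print $3 }' \
        "$2" | LC_ALL=C sort -u > "$work/have"
    LC_ALL=C comm -23 "$work/need" "$work/have"
    rm -rf "$work"
}

# Gate: status 1 and one line per symbol if the binary cannot load against the library.
check_seccomp_compat() {
    missing=$(missing_seccomp_syms "$1" "$2") || return 2
    if [ -z "$missing" ]; then return 0; fi
    for sym in $missing; do echo "not in target libseccomp: $sym" >&2; done
    return 1
}

# Constructed sample listings (not real nm output from any release).
sample_needed() {
    cat <<'EOF'
                 U malloc@GLIBC_2.2.5
                 U seccomp_api_set
                 U seccomp_init
                 U seccomp_load
                 w __gmon_start__
EOF
}
sample_provided_old() {   # stands in for a libseccomp 2.3.x export list
    cat <<'EOF'
0000000000002c10 T seccomp_arch_add
0000000000002f40 T seccomp_init
0000000000003100 T seccomp_load
EOF
}

demo=$(mktemp -d)
sample_needed > "$demo/needed.txt"
sample_provided_old > "$demo/provided.txt"
check_seccomp_compat "$demo/needed.txt" "$demo/provided.txt" || echo "release gate failed"
rm -rf "$demo"
```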
