Skip to content

[7.16](backport #28117) Allow clone3 syscall in seccomp filters#28330

Merged
andrewkroh merged 3 commits into7.16from
mergify/bp/7.x/pr-28117
Dec 12, 2021
Merged

[7.16](backport #28117) Allow clone3 syscall in seccomp filters#28330
andrewkroh merged 3 commits into7.16from
mergify/bp/7.x/pr-28117

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify bot commented Oct 11, 2021
edited by zube bot
Loading

This is an automatic backport of pull request #28117 done by Mergify.

Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

  • @Mergifyio refresh will re-evaluate the rules
  • @Mergifyio rebase will rebase this PR on its base branch
  • @Mergifyio update will merge the base branch into this PR
  • @Mergifyio backport <destination> will backport this PR on <destination> branch

Additionally, on Mergify dashboard you can:

  • look at your merge queues
  • generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.io/

@mergify mergify bot added the backport label Oct 11, 2021
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 11, 2021
@botelastic
Copy link
Copy Markdown

botelastic bot commented Oct 11, 2021

This pull request doesn't have a Team:<team> label.

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Oct 11, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 134 min 23 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@simitt
Copy link
Copy Markdown
Contributor

simitt commented Oct 12, 2021

/test

@mergify
Copy link
Copy Markdown
Contributor Author

mergify bot commented Oct 13, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b mergify/bp/7.x/pr-28117 upstream/mergify/bp/7.x/pr-28117
git merge upstream/7.x
git push upstream mergify/bp/7.x/pr-28117

@andresrc andresrc changed the base branch from 7.x to 7.16 October 20, 2021 14:50
@andresrc andresrc changed the title [7.x](backport #28117) Allow clone3 syscall in seccomp filters [7.16](backport #28117) Allow clone3 syscall in seccomp filters Oct 20, 2021
@jsoriano
Copy link
Copy Markdown
Member

jsoriano commented Oct 26, 2021

/test

@jsoriano
Copy link
Copy Markdown
Member

jsoriano commented Oct 26, 2021

Failures seem related:

Syscall filter could not be installederrorfailed to assemble policy: found unknown syscalls for arch x86_64: clone3

Could it be because of the base images used? @simitt is this change needed in 7.16 and 7.15?

@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Nov 10, 2021

I think #27955 needs backported in order to update go-seccomp-bpf with new syscall tables that include clone3.

@simitt
Copy link
Copy Markdown
Contributor

simitt commented Nov 11, 2021

@jsoriano somehow I missed your ping; if anyhow possible this should go into 7.16, seems we missed 7.15.2 unfortunately.

@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Nov 11, 2021

@Mergifyio rebase

BlackYoup and others added 2 commits November 11, 2021 17:56
@BlackYoup
seccomp: allow clone3 syscall for x86 (#28117)
30d1131 
clone3 is a linux syscall that is now used by glibc starting version
2.34. It is used when pthread_create() gets called. Current seccomp
filters do not allow this syscall leading to crashes like
runtime/cgo: pthread_create failed: Operation not permitted

See elastic/apm-server#6238 for more details

(cherry picked from commit 82507fd)
@jsoriano
Update CHANGELOG.next.asciidoc
593d8f9
@v1v v1v force-pushed the mergify/bp/7.x/pr-28117 branch from 4ddbd43 to 593d8f9 Compare November 11, 2021 17:56
@mergify
Copy link
Copy Markdown
Contributor Author

mergify bot commented Nov 11, 2021

rebase

✅ Branch has been successfully rebased

@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Nov 15, 2021

/test

@mergify
Copy link
Copy Markdown
Contributor Author

mergify bot commented Nov 17, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b mergify/bp/7.x/pr-28117 upstream/mergify/bp/7.x/pr-28117
git merge upstream/7.16
git push upstream mergify/bp/7.x/pr-28117

@andrewkroh andrewkroh mentioned this pull request Dec 12, 2021
Merged
7 tasks
@andrewkroh andrewkroh merged commit 1e1249d into 7.16 Dec 12, 2021
@mergify mergify bot deleted the mergify/bp/7.x/pr-28117 branch December 12, 2021 19:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport needs_team Indicates that the issue/PR needs a Team:* label

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@elasticmachine @simitt @jsoriano @andrewkroh @BlackYoup