
EBPF installation issue when building multiarch Docker images #1305

Open
heywoodlh opened this issue Nov 20, 2024 · 2 comments · May be fixed by #1311
Labels
Containerized Related to Docker, Podman, or LXC (etc) Linux

Comments


heywoodlh commented Nov 20, 2024

I build my own Nix Docker image for various things. It's been building successfully for months now, but today, I ran into this issue:

22.67 Error: 
22.67    0: Install failure
22.67    1: Error executing action
22.67    2: Action `configure_nix` errored
22.67    3: Action `setup_default_profile` errored
22.67    4: Failed to execute command with status 1 `HOME="/root" NIX_SSL_CERT_FILE="/nix/store/9m6xbd8pcdb6c655b7lifhi5m1igi5rk-nss-cacert-3.101/etc/ssl/certs/ca-bundle.crt" "/nix/store/30gnc15nig1awa11vii9yz3z8518rnr3-nix-2.24.10/bin/nix-env" "--option" "substitute" "false" "-i" "/nix/store/30gnc15nig1awa11vii9yz3z8518rnr3-nix-2.24.10"`, stdout: 
22.67       stderr: installing 'nix-2.24.10'
22.67       error:
22.67              … while setting up the build environment
22.67 
22.67              error: unable to load seccomp BPF program: Invalid argument

I've had --extra-conf='filter-syscalls = false' per this comment: #955 (comment)

It's been building successfully for months without issue -- however -- today when I attempt to build a multi-arch image -- it's almost like filter-syscalls = false is completely ignored on the foreign architecture.

Here are the steps to reproduce on an x86_64 Linux machine:
mkdir -p /tmp/testing && cd /tmp/testing

curl -L https://gist.githubusercontent.com/heywoodlh/1f976c3912818dcd76f0cdf9e5fd3e32/raw/7f1b71c9d9eab3a363ad53e857a911ff92feff28/Dockerfile-det-sys-sample -o Dockerfile

docker buildx create --name multiarch --driver docker-container --use
docker buildx build --tag nix-testing --platform linux/arm64 .

However, the same Dockerfile builds normally on the same architecture:

❯ docker build -t nix-testing .
[+] Building 12.5s (6/6) FINISHED                                                                                                                                                                                       docker:rootless
 => [internal] load build definition from Dockerfile                                                                                                                                                                               0.0s
 => => transferring dockerfile: 343B                                                                                                                                                                                               0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                  0.0s
 => => transferring context: 2B                                                                                                                                                                                                    0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                                                                                   0.0s
 => CACHED [1/2] FROM docker.io/library/alpine:latest                                                                                                                                                                              0.0s
 => [2/2] RUN apk add --no-cache curl bash     && curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux       --extra-conf "sandbox = false"       --init none       --no-con  11.8s
 => exporting to image                                                                                                                                                                                                             0.7s
 => => exporting layers                                                                                                                                                                                                            0.7s
 => => writing image sha256:3e9ad1f49aa7a33cbd29af5f0e513a36612dcd99b8183ea80c84d52f754e03fd                                                                                                                                       0.0s 
 => => naming to docker.io/library/nix-testing 

And here's a screenshot of my GitHub Actions running successfully until today 😄

[screenshot: GitHub Actions runs succeeding until today]

And the failing log output on the ARM64 job -- the AMD64 job on the GitHub Action runner has no issue.

[screenshot: failing log output from the ARM64 job]

Please let me know if I can provide any more details!

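The failing step above is the kernel call that loads Nix's seccomp BPF filter. The following probe is an added example (not code from this issue's author or from the Determinate Nix installer) that attempts exactly that operation, installing an allow-everything seccomp filter via prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER), and reports the errno. It assumes the arm64 build stage runs under user-mode emulation (binfmt_misc/QEMU, which is what buildx uses for a foreign --platform on x86_64); compiling and running it inside the build stage tells you whether the environment can load seccomp programs at all, which separates "the emulator rejects seccomp" from "the installer did not apply filter-syscalls = false in time".

```c
// Added diagnostic, not part of the Nix installer or of this issue.
// It performs the same kernel operation that fails in the log above:
// loading a seccomp BPF program with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER).
// Assumption: the arm64 stage runs under user-mode emulation, where this
// call may be rejected even though the native x86_64 stage accepts it.
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#endif

/* Returns 0 if an allow-everything seccomp filter could be installed in this
 * process, otherwise the errno of the failing call.  The filter permits every
 * syscall, so installing it changes nothing about the process except proving
 * that the kernel (or emulator) accepts seccomp BPF programs.  A filter cannot
 * be removed once installed, which is fine for a throwaway probe. */
int seccomp_probe(void)
{
#ifdef __linux__
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(allow_all) / sizeof(allow_all[0])),
        .filter = allow_all,
    };

    /* An unprivileged process must give up privilege escalation first,
     * otherwise PR_SET_SECCOMP fails with EACCES. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
#else
    /* Non-Linux hosts have no seccomp; report it the same way a missing
     * syscall would. */
    return ENOSYS;
#endif
}

/* Turns the probe result into the next step for whoever owns the Dockerfile. */
const char *seccomp_probe_advice(int err)
{
    switch (err) {
    case 0:
        return "seccomp BPF loads here; a filter-syscalls failure points at the installer's config ordering, not the kernel";
    case EINVAL:
    case ENOSYS:
        return "seccomp BPF cannot be loaded here; nix.conf must contain 'filter-syscalls = false' before any nix-env run";
    default:
        return "seccomp BPF load blocked by policy; check the container's own seccomp or LSM profile";
    }
}

int main(void)
{
    int err = seccomp_probe();
    printf("seccomp probe: %s (%s)\n",
           err == 0 ? "ok" : strerror(err), seccomp_probe_advice(err));
    return err == 0 ? 0 : 1;
}
```

Build it with `cc -o seccomp-probe seccomp-probe.c` inside a `RUN` step of the same Dockerfile under both `docker build` and `docker buildx build --platform linux/arm64`; the native build should print `ok`, and a non-zero exit in the emulated stage reproduces the failure without needing the full Nix install.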
heywoodlh changed the title from "EBPF installation issue when cross-compiling" to "EBPF installation issue when building multiarch Docker images" on Nov 20, 2024
cole-h added the Linux and Containerized (Related to Docker, Podman, or LXC (etc)) labels on Nov 22, 2024

cole-h commented Nov 22, 2024

I think the issue is that we try to run all the Nix setup commands (like the nix-env command that is erroring) before we drop the Nix configuration... I can't think of a reason we would want to intentionally do that, so we can probably fix this by simply fixing the ordering to run the "place nix.conf" stuff before "run Nix setup commands" stuff.


cole-h commented Nov 22, 2024

I've opened #1311 with that trivial fix and set it to upload -- once CI finishes, there are instructions in the PR body for trying it out, if you're so inclined!

EDIT: as of this edit, the binary is ready for testing:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/1311 | sh -s -- install
