setarch: i386: Unrecognized architecture

[jackusm]

Trying to run the container I get this error and it exits

[jackusm]

Not sure if there's a 'proper' way to have this work but adding --security-opt=seccomp=unconfined to the docker command works.

[bencawkwell]

Thanks for reporting this, and adding a temporary workaround. Can you please just confirm which version of docker you are using, and if you made any changes to the Dockerfile?

[jackusm]

I set to use XPRA and GITWATCH other than that no changes.
Docker version 1.12.6, build 78d18021ec

[bencawkwell]

So I have done some research, and discovered that there is something called Seccomp security profiles for Docker (https://docs.docker.com/engine/security/seccomp/). The reason I am unable to reproduce this issue myself is because I run a build of docker that most probably was not built with seccomp.

I discovered this from http://www.bay12forums.com/smf/index.php?topic=145944.245;wap2, which mentions that "personality" is one of the system calls being blocked by default. This page also mentions the same workaround, to add --security-opt=seccomp=unconfined to the docker command.

Right now I can think of two choices:

1. Document this workaround with an explanation in the README.
2. Provide my own seccomp profile, based on https://github.com/docker/docker/blob/master/profiles/seccomp/default.json but with changes that permit the system calls required.

Looking at other projects that have run into a similar issue (jlund/docker-chrome-pulseaudio#8, and https://github.com/solita/docker-systemd) we see one of the above choices being used.

Option number 2 to me does not sound feasible in the long term, so for now I think the best option is to document the workaround. Hopefully as this feature becomes more common a better method to enable certain system calls for Dockerfiles turns up.