Set seccomp to unconfined #61

Open
wants to merge 1 commit into
base: main

Conversation

tolbrino

The current dappnode package fails to start with the following error:

RuntimeError: can't start new thread

This suggests that the used Python has issues with the seccomp profile being used. This PR provides a quick workaround which made the package work for me again. A proper fix might involve checking out the installation of Python within the Docker image.

@mgarciate
Collaborator

> The current dappnode package fails to start with the following error:
>
> RuntimeError: can't start new thread
>
> This suggests that the used Python has issues with the seccomp profile being used. This PR provides a quick workaround which made the package work for me again. A proper fix might involve checking out the installation of Python within the Docker image.

security_opt: - seccomp:unconfined can have significant security implications.
According to ChatGPT:

Security Implications

Increased Attack Surface:

- Disabling seccomp removes protections against numerous types of attacks that could exploit vulnerabilities in system calls.
- An attacker who gains access to the container can potentially perform a broader range of malicious actions, including attempts to escape the container and gain access to the host system.

Risk of Host Compromise:

- With seccomp disabled, if the containerized application is compromised, an attacker could leverage unrestricted system calls to exploit kernel vulnerabilities, potentially leading to host compromise.
- This is especially dangerous if the container runs with elevated privileges or has sensitive host mounts.

Non-Compliance with Security Best Practices:

- Disabling seccomp goes against Docker's security best practices and industry standards for container security.
- Regulatory and compliance standards may require the use of security mechanisms like seccomp.

@tolbrino Have you tried to update docker at http://my.dappnode/system/advanced? I wouldn't set this parameter unless it's the last option.
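An added example, not part of this PR or the project's code: a small audit for the risk raised in the comment above. It takes a Compose model (assumed here to be JSON such as `docker compose config --format json` emits) and lists the services that run without seccomp, together with the aggravating factors named above, elevated privileges and host mounts. The service names, images and sample model are constructed.

```python
import json

# Constructed sample model; not the package's real compose file.
SAMPLE = json.loads("""
{"services": {
  "app":   {"image": "example/app", "security_opt": ["seccomp:unconfined"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "data:/data"]},
  "db":    {"image": "example/db", "security_opt": ["no-new-privileges:true"]},
  "agent": {"image": "example/agent", "privileged": true},
  "proxy": {"image": "example/proxy", "security_opt": ["seccomp=profile.json"],
            "cap_add": ["NET_ADMIN"]}
}}
""")

def seccomp_disabled(svc):
    """Return what turns seccomp off for this service, or None."""
    if svc.get("privileged"):
        return "privileged"  # privileged containers run without a seccomp filter
    for opt in svc.get("security_opt", []):
        # Docker accepts both "seccomp:unconfined" and "seccomp=unconfined".
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key.strip() == "seccomp" and value.strip() == "unconfined":
            return opt
    return None

def host_mounts(svc):
    """Host paths bind-mounted into the service (short or long volume syntax)."""
    found = []
    for vol in svc.get("volumes", []):
        if isinstance(vol, dict):
            if vol.get("type") == "bind":
                found.append(vol.get("source", ""))
        elif vol.startswith(("/", ".", "~")) and ":" in vol:
            found.append(vol.split(":", 1)[0])
    return found

def audit(compose):
    """Map each service without seccomp to its aggravating settings."""
    findings = {}
    for name, svc in compose.get("services", {}).items():
        reason = seccomp_disabled(svc)
        if reason is not None:
            findings[name] = {"seccomp_off_via": reason,
                              "cap_add": svc.get("cap_add", []),
                              "host_mounts": host_mounts(svc)}
    return findings

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(name, info)
```
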

@kelsos
Contributor

kelsos commented May 27, 2024

We heard back from one of the users who encountered the same problem. They successfully managed to update docker despite getting errors in http://my.dappnode/system/advanced; it seems that it should work even if you get a check error.

After the update, the user reported that they can use rotki normally, so updating docker should resolve the problem.

@tolbrino
Author

I will test this next as well.

@mgarciate
Collaborator

> I will test this next as well.

Let me know @tolbrino


3 participants