[PATCH 0/2] enable procd security features by default
Daniel Golle
daniel at makrotopia.org
Tue Feb 9 07:48:32 EST 2021
Hi!
On Tue, Feb 09, 2021 at 10:28:32AM +0100, Petr Štetiar wrote:
>
> Daniel Golle <daniel at makrotopia.org> [2020-11-07 14:17:12]:
>
> Hi,
>
> > Please report back
>
> FYI just noticed following on imx6q latest master:
Thank you for reporting! This indeed looks like a problem.
>
> user.notice firewall: Reloading firewall due to ifup of wan (eth0)
> user.err : jail: failed to clone/fork: Invalid argument
> user.err : jail: failed to clone/fork: Invalid argument
> user.err : jail: failed to clone/fork: Invalid argument
> user.err : jail: failed to clone/fork: Invalid argument
> user.err : jail: failed to clone/fork: Invalid argument
> user.err : jail: failed to clone/fork: Invalid argument
What you are seeing here is the return value of the clone() call,
indicating that it has failed. As it doesn't fail on other similar
ARM-32 targets (I'm testing myself on ipq4xxx), I assume that imx6
is lacking some kernel features.
From CLONE(2) man page:
...
EINVAL CLONE_NEWIPC was specified in the flags mask, but the kernel was not configured with the CONFIG_SYSVIPC and CONFIG_IPC_NS options.
EINVAL CLONE_NEWNET was specified in the flags mask, but the kernel was not configured with the CONFIG_NET_NS option.
EINVAL CLONE_NEWPID was specified in the flags mask, but the kernel was not configured with the CONFIG_PID_NS option.
EINVAL CLONE_NEWUSER was specified in the flags mask, but the kernel was not configured with the CONFIG_USER_NS option.
EINVAL CLONE_NEWUTS was specified in the flags mask, but the kernel was not configured with the CONFIG_UTS_NS option.
...
(among a lot of other possible reasons for EINVAL, but all those should
occur equally on my testing platforms as well)
Can you share the output of
ubus call container get_features
and if that looks all good, maybe check the running kernel (i.e. build
with kmod-ikconfig and look at /proc/config.gz).
If you haven't arrived at something obvious at that point, I guess the
next thing I'd do is to test whether `runc` works, i.e. pull a random small
docker container and see if that starts.
Last imx6 hardware I touched was SolidRun's CuBox and that's a while
ago; I have vague memories of giving it away to a friend to run Kodi...
Cheers
Daniel
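Added example (not part of the thread, and not procd/ujail code): a small probe that calls clone() with one namespace flag at a time and reports the errno, so a failing flag can be matched to the kernel option the CLONE(2) excerpt above names. The flag-to-option table is constructed from that man page excerpt; the stack size, the child function and the program's output format are assumptions of this example. Run it as root on the affected board: the kernel checks CAP_SYS_ADMIN for namespace flags before it checks whether the namespace type is compiled in, so an unprivileged run reports EPERM and never reaches the EINVAL case the mail is about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* One row per namespace flag: the flag and the kernel option(s) the CLONE(2)
 * man page names as the cause of EINVAL when that flag is used. Constructed
 * from the man page excerpt quoted in the mail above. */
struct ns_probe {
    const char *name;
    int flag;
    const char *kconfig;
};

static const struct ns_probe ns_probes[] = {
    { "CLONE_NEWIPC",  CLONE_NEWIPC,  "CONFIG_SYSVIPC and CONFIG_IPC_NS" },
    { "CLONE_NEWNET",  CLONE_NEWNET,  "CONFIG_NET_NS" },
    { "CLONE_NEWPID",  CLONE_NEWPID,  "CONFIG_PID_NS" },
    { "CLONE_NEWUSER", CLONE_NEWUSER, "CONFIG_USER_NS" },
    { "CLONE_NEWUTS",  CLONE_NEWUTS,  "CONFIG_UTS_NS" },
};
#define NS_PROBE_COUNT (sizeof ns_probes / sizeof ns_probes[0])

/* Kernel option(s) to look for in /proc/config.gz when `flag` yields EINVAL,
 * or NULL if the flag is not one of the namespace flags probed here. */
const char *kconfig_for_flag(int flag)
{
    for (size_t i = 0; i < NS_PROBE_COUNT; i++)
        if (ns_probes[i].flag == flag)
            return ns_probes[i].kconfig;
    return NULL;
}

/* The child does nothing; only whether clone() itself succeeds matters. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/* Call clone() with exactly one namespace flag (plus SIGCHLD so the child can
 * be reaped). Returns 0 on success, otherwise the errno clone() left behind:
 * EINVAL is the "kernel built without the option" case from the man page,
 * EPERM means the caller lacks CAP_SYS_ADMIN for that namespace type. */
int probe_clone_flag(int flag)
{
    enum { STACK_SIZE = 64 * 1024 };   /* assumed; plenty for an empty child */
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL)
        return errno;

    /* The stack grows down on ARM and x86, so pass the top of the block. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flag | SIGCHLD, NULL);
    int err = (pid == -1) ? errno : 0;
    if (pid != -1)
        waitpid(pid, NULL, 0);

    free(stack);
    return err;
}

int main(void)
{
    for (size_t i = 0; i < NS_PROBE_COUNT; i++) {
        int err = probe_clone_flag(ns_probes[i].flag);
        if (err == 0)
            printf("%-14s ok\n", ns_probes[i].name);
        else if (err == EINVAL)
            printf("%-14s EINVAL: check %s in /proc/config.gz\n",
                   ns_probes[i].name, ns_probes[i].kconfig);
        else
            printf("%-14s %s\n", ns_probes[i].name, strerror(err));
    }
    return 0;
}
```

Probing one flag per call is deliberate: jail passes all of them in a single clone(), so its log line cannot say which namespace type is missing, whereas the per-flag result points straight at the CONFIG_* symbol to grep for in /proc/config.gz.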