🐛 Bug Report: arm64 container won't start #34

Closed
Kirk1984 opened this issue Jan 29, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@Kirk1984
Contributor

Kirk1984 commented Jan 29, 2024

Describe the bug

The container won't run on my Pi 4. It starts and stops. `docker compose logs` gives no output because it only starts for a split second.

Steps to reproduce the bug

Steps to reproduce the behavior:

  1. Run docker compose on Pi 4
  2. That's it

Additional context / screenshot

It runs on my x64 NUC just fine with the same compose file (just the image was changed).

Kirk1984 added the bug label Jan 29, 2024
@Carbrex
Contributor

Carbrex commented Feb 6, 2024

Did you uncomment the line in docker-compose.yml?

@Kirk1984
Contributor Author

Kirk1984 commented Feb 6, 2024

Do you mean the image? Then yes. My compose (only change is that I merged 'security_opt' because docker compose won't start with 2 of them):

```yaml
services:
  web:
    image: quay.io/redlib/redlib:latest-arm # uncomment if you use armv7
    restart: always
    container_name: "redlib"
    environment:
      - REDLIB_DEFAULT_SHOW_NSFW=on
      - REDLIB_DEFAULT_THEME=dark
      - REDLIB_DEFAULT_FRONT_PAGE=all
      - REDLIB_DEFAULT_LAYOUT=compact
      - REDLIB_DEFAULT_WIDE=on
      - REDLIB_DEFAULT_USE_HLS=on
    ports:
      - 8080:8080
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
      - seccomp=seccomp-redlib.json
    cap_drop:
      - ALL
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
      interval: 5m
      timeout: 3s
```

@Kirk1984
Contributor Author

Kirk1984 commented Feb 7, 2024

After a few more tests it works now. I tried running it without the compose file and it ran. So I tried a few things with the compose and the culprit is `- seccomp=seccomp-redlib.json`. Without it the container runs. That option now also prevents the container from running on x64, with the error message:

redlib | ensure /proc/self/fd is on procfs: operation not permitted

I think that might have to do with the Leaky Vessels updates surrounding Docker.
Edit: Well, the error seems older, but when I first tested redlib on my NUC it ran with that option, but not anymore.

@arulagrawal
Contributor

arulagrawal commented Feb 9, 2024

Running with the seccomp option results in the same error for me on amd64 as well.

@sigaloid
Member

Weird because ARM64 is mentioned in the seccomp profile here:

```json
{
    "architecture": "SCMP_ARCH_AARCH64",
    "subArchitectures": [
        "SCMP_ARCH_ARM"
    ]
},
```

Relevant runc spec: https://github.com/opencontainers/runc/blob/main/docs/spec-conformance.md

Could be a bug with the runtime. Can anyone try with Podman instead of Docker? Don't have any Pi's on hand.

@sigaloid sigaloid mentioned this issue Feb 12, 2024
@Kirk1984
Contributor Author

Kirk1984 commented Feb 12, 2024

On my NUC (x64) it also stopped working with the seccomp profile with the mentioned error.

Ubuntu 22.04 (both NUC and Pi) with docker-ce from Docker's repo.

The only difference so far is that on x86 I get an error output with 'docker compose logs', but on the Pi the container just restarts without any output.

@sigaloid
Member

Interesting. I think we should probably remove the seccomp profile until we can resolve this by adding the new syscalls to the profile.
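
An added example, not part of the thread or the project's code: a small checker that reads a profile in Docker's seccomp JSON layout and reports which architectures the filter covers on a given host and which syscalls from a caller-supplied list are not unconditionally allowed. The sample profile, the syscall names and the function names are constructed for illustration, and the `archMap` handling assumes Docker's loader applies only the entry matching the host's native architecture.

```python
import json

# Constructed sample in Docker's seccomp profile layout. It is NOT the project's
# seccomp-redlib.json; syscall lists here and in the demo call are made up.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {"architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86"]},
    {"architecture": "SCMP_ARCH_AARCH64", "subArchitectures": ["SCMP_ARCH_ARM"]}
  ],
  "syscalls": [
    {"names": ["read", "write", "openat", "close"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

def arches_for_host(profile, native):
    """Architectures the filter covers on a host whose native arch is `native`."""
    arches = set(profile.get("architectures") or [])
    for entry in profile.get("archMap") or []:
        if entry["architecture"] == native:  # only the matching entry applies
            arches.add(native)
            arches.update(entry.get("subArchitectures") or [])
    return arches

def unconditionally_allowed(profile):
    """Syscall names allowed with no argument or capability condition."""
    allowed = set()
    for rule in profile.get("syscalls") or []:
        conditional = rule.get("args") or rule.get("includes") or rule.get("excludes")
        if rule.get("action") == "SCMP_ACT_ALLOW" and not conditional:
            allowed.update(rule.get("names") or [])
    return allowed

def missing_syscalls(profile, needed):
    """Needed syscalls the profile does not guarantee to allow."""
    rules = profile.get("syscalls") or []
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":  # deny-list profile
        denied = {n for r in rules if r.get("action") != "SCMP_ACT_ALLOW"
                  for n in r.get("names") or []}
        return sorted(set(needed) & denied)
    return sorted(set(needed) - unconditionally_allowed(profile))

if __name__ == "__main__":
    print(sorted(arches_for_host(SAMPLE_PROFILE, "SCMP_ARCH_AARCH64")))
    print(missing_syscalls(SAMPLE_PROFILE, ["read", "socket", "fstatfs"]))
```

Running a check like this against the real profile after a runtime update shows which newly required syscalls would need adding, instead of dropping the `seccomp` line from `security_opt` altogether.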

@Kirk1984
Contributor Author

Yes, that seems like the way to go for now. Should I close the issue?

@sigaloid
Member

I can do that when I push the commit commenting out the profile line. <5 min
