slim: auto-generated seccomp profile doesn't work

$ sudo ./docker-slim p nginx:alpine
docker-slim[profile]: info=http.probe message='using default probe'
docker-slim[profile]: state=started
docker-slim[profile]: info=params target=nginx:alpine
docker-slim[profile]: state=image.inspection.start
docker-slim[profile]: info=image id=sha256:55ceb2abad47854d182034514057b038a6e50e9d029ba152bd713d535ed39603 size.bytes=21137785 size.human=21 MB
docker-slim[profile]: state=image.inspection.done
docker-slim[profile]: state=container.inspection.start
docker-slim[profile]: info=container status=created id=adb10d2f8e69cda92a5f35b92d4f21f70c6268c4c053f99170aadce284add001
docker-slim[profile]: info=cmd.startmonitor status=sent
docker-slim[profile]: info=event.startmonitor.done status=received
docker-slim[build]: info=container name=dockerslimk_29216_20190805070200 id=adb10d2f8e69cda92a5f35b92d4f21f70c6268c4c053f99170aadce284add001 target.port.list=[32799] target.port.info=[80/tcp => 0.0.0.0:32799] message='YOU CAN USE THESE PORTS TO INTERACT WITH THE CONTAINER'
docker-slim[profile]: state=http.probe.starting message='WAIT FOR HTTP PROBE TO FINISH'
docker-slim[profile]: info=prompt message='USER INPUT REQUIRED, PRESS <ENTER> WHEN YOU ARE DONE USING THE CONTAINER'
docker-slim[profile]: state=http.probe.running
docker-slim[profile]: info=http.probe.call status=200 method=GET target=http://127.0.0.1:32799/ attempt=1  time=2019-08-05T07:02:12Z
docker-slim[profile]: info=http.probe.summary total=1 failures=0 successful=1
docker-slim[profile]: state=http.probe.done

docker-slim[profile]: state=container.inspection.finishing
docker-slim[profile]: state=container.inspection.artifact.processing
docker-slim[profile]: state=container.inspection.done
docker-slim[profile]: state=completed
docker-slim[profile]: state=done
$ docker run --rm -p 80:80 --security-opt seccomp=./.docker-slim-state/images/55ceb2abad47854d182034514057b038a6e50e9d029ba152bd713d535ed39603/artifacts/nginx-seccomp.json nginx:alpine
docker: Error response from daemon: cannot start a stopped process: unknown.

  • docker-slim version: 1.25.3
  • Docker version: moby/moby@11e48badcb
  • OS: Ubuntu 19.04

About this issue

  • State: open
  • Created 5 years ago
  • Comments: 18 (9 by maintainers)

Most upvoted comments

@AkihiroSuda and everybody who stumbles on this issue trying to figure out how to have usable seccomp profiles 😃 The latest version (1.32.0) finally got the necessary (multi-process/multi-threading) enhancements to make the generated seccomp profiles usable for more applications. I also updated the examples repo to have more examples with seccomp profiles (e.g., https://github.com/docker-slim/examples/tree/master/3rdparty/nginx_alpine, https://github.com/docker-slim/examples/tree/master/3rdparty/carbon-now-sh, https://github.com/docker-slim/examples/tree/master/3rdparty/codimd, https://github.com/docker-slim/examples/tree/master/node12_fastify_swagger and anywhere you see run_fat_seccomp.sh and run_slim_seccomp.sh)

The AppArmor profiles need a few more cycles to make them usable… We’ll definitely get there sooner especially when I get more help working on the core engine 😃

Got the main enhancements in place… Works pretty well with the standard and alpine nginx images 😃 Need to clean up a few side effects and it’s ready for the release…
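
The comments above credit multi-process/multi-threading enhancements with making the generated profiles usable. As an added example (not docker-slim's code and not part of the original thread), this Python script compares a seccomp profile's allow-list with the syscalls in an `strace -f -o FILE` log and separates out those made only by child processes or threads, which tracing the root process alone would not record. The profile, the log lines and the function names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in Docker's seccomp profile JSON format (not the real generated file).
PROFILE_JSON = """{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "write", "openat", "close", "execve", "bind", "listen"],
   "action": "SCMP_ACT_ALLOW"},
  {"name": "exit_group", "action": "SCMP_ACT_ALLOW"}]}"""

# Constructed sample of `strace -f -o FILE` output: the first column is the PID.
STRACE_LOG = """\
100 execve("/usr/sbin/nginx", ["nginx"], 0x7ffc) = 0
100 clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD) = 101
101 setuid(100) = 0
101 epoll_wait(8,  <unfinished ...>
101 <... epoll_wait resumed>[], 512, -1) = 0
101 accept4(6, NULL, NULL, SOCK_NONBLOCK) = 9
101 write(9, "HTTP/1.1 200 OK", 15) = 15
100 +++ exited with 0 +++
"""

# PID, then "name(" or "<... name resumed>" (a call strace split across lines).
CALL = re.compile(r"^(\d+)\s+(?:<\.\.\. )?([a-z_][a-z0-9_]*)(?:\(| resumed>)")

def allowed_syscalls(profile_text):
    """Names allowed by the profile; accepts 'names' and the older single 'name' key."""
    allowed = set()
    for rule in json.loads(profile_text).get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
            if rule.get("name"):
                allowed.add(rule["name"])
    return allowed

def syscalls_by_pid(log_text):
    """Map PID -> syscall names seen for that process or thread."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CALL.match(line)
        if m:
            seen[int(m.group(1))].add(m.group(2))
    return dict(seen)

def missing_from_profile(profile_text, log_text, root_pid):
    """Return (all missing syscalls, missing ones that only non-root PIDs made)."""
    allowed, seen = allowed_syscalls(profile_text), syscalls_by_pid(log_text)
    root = seen.get(root_pid, set())
    children = set().union(*(s for p, s in seen.items() if p != root_pid))
    return sorted((root | children) - allowed), sorted(children - root - allowed)
```

On the constructed data, `missing_from_profile(PROFILE_JSON, STRACE_LOG, 100)` reports `clone` as missing from the root process and `accept4`, `epoll_wait` and `setuid` as missing calls that only the child made.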