I further bisected it down to adding this line to /usr/include/i386 -linux-gnu/asm/unistd_32.h:
#define __NR_socket 359 if I drop just that and rebuild systemd, seccomp/nspawn work again. While systemd does define some syscalls for some more obscure platforms in https://github.com/systemd/systemd/blob/master/src/basic/missing.h if the kernel headers don't already define them, these don't seem to collide with either __NR_socket or the value 359. The only place where I see this referenced is in /usr/include/asm-generic/unistd.h: #define __NR_socket 198 __SYSCALL(__NR_socket, sys_socket) but as that redefines __NR_socket I figure that's unrelated. Commenting it out doesn't change the behaviour at all. I confirm this on Debian sid which has linux-libc-dev 4.3.3-1, exact same situation. At this point I'm afraid I don't understand what's going on and what these new syscall definitions do. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1526358 Title: xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address" Status in linux package in Ubuntu: Confirmed Status in systemd package in Ubuntu: Triaged Bug description: Four days ago, on Dec 10, http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started failing: ====================================================================== FAIL: test_boot (__main__.NspawnTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot self.assertIn(b'fake container started', out) AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n' This is reproducible in xenial-release, i. e. it already slipped through -proposed. This can be reproduced easily on a xenial i386 VM: sudo apt-get install busybox-static mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/ cp /bin/busybox /tmp/c/bin/ ln -s ../bin/busybox /tmp/c/sbin/init ln -s busybox /tmp/c/bin/sh cp /etc/os-release /tmp/c/etc sudo systemd-nspawn -b -D /tmp/c This should normally boot a busybox container; you'll get a few error messages as there's no SysV init stuff there, but it should start and pressing enter should get you into a shell. But on i386 it fails with $ sudo systemd-nspawn -b -D /tmp/c Spawning container c on /tmp/c. Press ^] three times within 1s to kill container. Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system Failed to add audit seccomp rule: Bad address which is what the test case fails on too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1526358/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
