Filesystem access problems after clearlinux docker container update to 33090

Here is an output from the docker container after swupd update.
ls -la
ls: cannot access ‘etc’: Operation not permitted
ls: cannot access ‘run’: Operation not permitted
ls: cannot access ‘tmp’: Operation not permitted
ls: cannot access ‘.’: Operation not permitted
ls: cannot access ‘dev’: Operation not permitted
ls: cannot access ‘boot’: Operation not permitted
ls: cannot access ‘sbin’: Operation not permitted
ls: cannot access ‘lib’: Operation not permitted
ls: cannot access ‘media’: Operation not permitted
ls: cannot access ‘root’: Operation not permitted
ls: cannot access ‘mnt’: Operation not permitted
ls: cannot access ‘sys’: Operation not permitted
ls: cannot access ‘…’: Operation not permitted
ls: cannot access ‘home’: Operation not permitted
ls: cannot access ‘bin’: Operation not permitted
ls: cannot access ‘var’: Operation not permitted
ls: cannot access ‘usr’: Operation not permitted
ls: cannot access ‘proc’: Operation not permitted
ls: cannot access ‘autofs’: Operation not permitted
ls: cannot access ‘srv’: Operation not permitted
ls: cannot access ‘lib64’: Operation not permitted
ls: cannot access ‘.dockerenv’: Operation not permitted
total 0
d??? ? ? ? ? ? .
d??? ? ? ? ? ? …
d??? ? ? ? ? ? autofs
l??? ? ? ? ? ? bin
d??? ? ? ? ? ? boot
d??? ? ? ? ? ? dev
-??? ? ? ? ? ? .dockerenv
d??? ? ? ? ? ? etc
d??? ? ? ? ? ? home
l??? ? ? ? ? ? lib
l??? ? ? ? ? ? lib64
d??? ? ? ? ? ? media
d??? ? ? ? ? ? mnt

I was working fine with older versions like 32480.
Is it a known problem? How can it be fixed?

It looks like this might be related to your host’s Docker version. Can you try and upgrade to 19.03.8?

The issue was bisected to release 32570, in which the following components were upgraded:
coreutils 8.31-52 → 8.32-53
libseccomp 2.4.2-21 → 2.4.3-22

You can try the before/after versions directly via:

docker build -t clearlinux:32550 .

and

docker build -t clearlinux:32600 .

Also, you can grab sources for building on GitHub - clearlinux/docker-brew-clearlinux: Dockerhub image snapshots for Clear Linux with the version-named branch.

We were unable to replicate it on any other system. Can you try it on a vanilla installation?

Any further information you can provide would be appreciated.

I validated that upgrading docker version to 19 resolves the problems with full filesystem access.

I experience what might seem like a similar problem. Though when I start it manually with “docker run” it works ok, but when starting a Clear Linux container via Concourse CI I get the same permission problem.

+ echo current directory is: /tmp/build/227e45ed, listing files
current directory is: /tmp/build/227e45ed, listing files
+ ls -l
total 0
+ ls -l /
ls: cannot access '/': Operation not permitted

Docker which is installed is v19.03.9

The docker image being used is based on v33180.

Any advice would be highly appreciated.

It turns out that the problem in my previous post is that statx is missing from the container runtime within Concourse, and that causes the problems.
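
An added example, not from any poster in this thread: a check of what a Docker-format seccomp profile does with statx. It assumes the runtime blocks statx through such a profile, which the thread does not state, and the profiles are constructed samples.

```python
import json

ALLOW = "SCMP_ACT_ALLOW"

def _profile(allowed, legacy=False):
    """Build a constructed sample profile (not taken from the thread)."""
    if legacy:  # older layout: one rule per syscall under "name"
        rules = [{"name": n, "action": ALLOW, "args": []} for n in allowed]
    else:       # current layout: a list of syscalls under "names"
        rules = [{"names": allowed, "action": ALLOW}]
    return json.dumps({"defaultAction": "SCMP_ACT_ERRNO", "syscalls": rules})

STAT_FAMILY = ["stat", "fstat", "lstat", "newfstatat"]
OLD_PROFILE = _profile(STAT_FAMILY)                # statx not listed
NEW_PROFILE = _profile(STAT_FAMILY + ["statx"])    # statx listed
LEGACY_PROFILE = _profile(STAT_FAMILY + ["statx"], legacy=True)

def syscall_action(profile_text, syscall="statx"):
    """Return (action, conditional) from the first rule naming `syscall`,
    or the profile's defaultAction when no rule names it."""
    profile = json.loads(profile_text)
    for rule in profile.get("syscalls") or []:
        names = list(rule.get("names") or [])
        if "name" in rule:
            names.append(rule["name"])
        if syscall in names:
            # Rules with argument filters or capability conditions
            # do not apply to every call; flag them for manual review.
            conditional = bool(rule.get("args") or rule.get("includes")
                               or rule.get("excludes"))
            return rule.get("action"), conditional
    return profile.get("defaultAction"), False

def explain(profile_text, syscall="statx"):
    """Summarise the profile's handling of `syscall` in one line."""
    action, conditional = syscall_action(profile_text, syscall)
    if action == ALLOW and not conditional:
        return f"{syscall}: allowed"
    if action == ALLOW:
        return f"{syscall}: allowed only under rule conditions, review them"
    return f"{syscall}: not allowed ({action}); calls fail inside the container"

if __name__ == "__main__":
    for label, text in [("old", OLD_PROFILE), ("new", NEW_PROFILE),
                        ("legacy", LEGACY_PROFILE)]:
        print(label, "->", explain(text))
```

A profile that falls through to `SCMP_ACT_ERRNO` for statx while still allowing the older stat calls matches the symptom above: directory names are listed, but every per-file stat fails.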