Qt doesn't work in my ArchLinux docker



  • Hello,

    I'm using Qt inside a Docker container and getting some very weird behaviour.

    Here's my Dockerfile

    FROM base/archlinux
    
    USER root
    
    ENV ARCH_USER archie
    
    RUN pacman -Syy && \
        pacman -S --noconfirm sudo
    
    RUN useradd --create-home $ARCH_USER && \
        passwd -d $ARCH_USER && \
        echo "${ARCH_USER} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    
    RUN pacman -S --noconfirm \
        lximage-qt
    
    USER $ARCH_USER
    WORKDIR /home/$ARCH_USER
    

    I build it by:

    docker build -t qt-test .
    

    Then run it as

    docker run -it qt-test
    

    Inside the container I run:

    [archie@hash ~]$ QT_DEBUG_PLUGINS=1 lximage-qt 
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/qt/plugins/bearer" ...
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqconnmanbearer.so"
    /usr/lib/qt/plugins/bearer/libqconnmanbearer.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/bearer/libqconnmanbearer.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqgenericbearer.so"
    /usr/lib/qt/plugins/bearer/libqgenericbearer.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/bearer/libqgenericbearer.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqnmbearer.so"
    /usr/lib/qt/plugins/bearer/libqnmbearer.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/bearer/libqnmbearer.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/qt/plugins/platforms" ...
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqeglfs.so"
    /usr/lib/qt/plugins/platforms/libqeglfs.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqeglfs.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqlinuxfb.so"
    /usr/lib/qt/plugins/platforms/libqlinuxfb.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqlinuxfb.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqminimal.so"
    /usr/lib/qt/plugins/platforms/libqminimal.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqminimal.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqminimalegl.so"
    /usr/lib/qt/plugins/platforms/libqminimalegl.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqminimalegl.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqoffscreen.so"
    /usr/lib/qt/plugins/platforms/libqoffscreen.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqoffscreen.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqvnc.so"
    /usr/lib/qt/plugins/platforms/libqvnc.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqvnc.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqxcb.so"
    /usr/lib/qt/plugins/platforms/libqxcb.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/qt/plugins/platforms/libqxcb.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() checking directory path "/home/archie/platforms" ...
    qt.qpa.plugin: Could not find the Qt platform plugin "xcb" in ""
    This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
    
    Aborted (core dumped)
    

    lximage-qt is just a random app I'm using to test Qt.
    GTK apps work fine.

    I haven't had any luck figuring out what the errors mean.
    Any help would be appreciated!


  • Lifetime Qt Champion

    Hi,

    Do you have any restriction for your containers ? E.g. maximum usable memory available.



  • I do not have such restrictions. As a test, I allocated 8 GBs of memory inside of the container.

    I don't see a noticeable spike in memory usage when I try to run lximage-qt, say


  • Lifetime Qt Champion

    Can you reproduce that with a minimal sample



  • If you save the Dockerfile, run the build and run provided above, I believe it should reproduce the behaviour.

    Please let me know how I can make it more minimal


  • Moderators

    Using most recent updates to arch, ran your dockerfile and everything worked as expected. This is with a standard install of docker, didn't tweak any settings (at least that I remember).

    Here is the output:

    [archie@d6d7285b082f ~]$ QT_DEBUG_PLUGINS=1 lximage-qt                                                      
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/qt/plugins/bearer" ...                   
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqconnmanbearer.so"
    Found metadata in lib /usr/lib/qt/plugins/bearer/libqconnmanbearer.so, metadata=                            
    {                                                                                                           
        "IID": "org.qt-project.Qt.QBearerEngineFactoryInterface",                                               
        "MetaData": {                                                                                           
            "Keys": [       
        "MetaData": {                                                                                    [84/653]
            "Keys": [           
                "connman"              
            ]                         
        },                        
        "className": "QConnmanEnginePlugin",     
        "debug": false,           
        "version": 330497 
    }                                 
                                                           
                                       
    Got keys from plugin meta data ("connman")
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqgenericbearer.so"               
    Found metadata in lib /usr/lib/qt/plugins/bearer/libqgenericbearer.so, metadata=                            
    {                                                    
        "IID": "org.qt-project.Qt.QBearerEngineFactoryInterface",                                               
        "MetaData": {                
            "Keys": [             
                "generic"   
            ]          
        },                         
        "className": "QGenericEnginePlugin",                               
        "debug": false,    
        "version": 330497
    }                                   
                              
                                        
    Got keys from plugin meta data ("generic")   
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/bearer/libqnmbearer.so"                    
    Found metadata in lib /usr/lib/qt/plugins/bearer/libqnmbearer.so, metadata=                                 
    {                              
        "IID": "org.qt-project.Qt.QBearerEngineFactoryInterface",                                               
        "MetaData": {              
            "Keys": [     
                "networkmanager"      
            ]                                    
        },                                
        "className": "QNetworkManagerEnginePlugin",
        "debug": false,      
        "version": 330497                 
    }                         
                                 
                               
    Got keys from plugin meta data ("networkmanager")
    loaded library "/usr/lib/qt/plugins/bearer/libqconnmanbearer.so"                                            
    loaded library "/usr/lib/qt/plugins/bearer/libqgenericbearer.so"                                            
    loaded library "/usr/lib/qt/plugins/bearer/libqnmbearer.so"
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/qt/plugins/platforms" ...                
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqeglfs.so"
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqeglfs.so, metadata=
    {                                     
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",
        "MetaData": {                         
            "Keys": [                        
                "eglfs"                     
            ]                         
        },                                                                  
        "className": "QEglFSIntegrationPlugin",
        "debug": false,                              
        "version": 330497                    
    }                                                                                                           
                                                                                                                
                                                
    Got keys from plugin meta data ("eglfs")                                                                    
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqlinuxfb.so"
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqlinuxfb.so, metadata=
    {                                           
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",
        "MetaData": {                  
            "Keys": [                           
                "linuxfb"
            ]                      
        },                            
        "className": "QLinuxFbIntegrationPlugin",            
        "debug": false,                
        "version": 330497                                                       
    }                                                                                                           
                                                                                                                
                                                                                                                
    Got keys from plugin meta data ("linuxfb")                                                                  
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqminimal.so"   
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqminimal.so, metadata=                               
    {                                                                                                           
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",                                
        "MetaData": {                                                                                           
            "Keys": [       
                "minimal"              
            ]                         
        },                        
        "className": "QMinimalIntegrationPlugin",
        "debug": false,           
        "version": 330497 
    }                                 
                                                           
                                       
    Got keys from plugin meta data ("minimal")
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqminimalegl.so"               
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqminimalegl.so, metadata=                            
    {                                                    
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",                                
        "MetaData": {                
            "Keys": [             
                "minimalegl"
            ]          
        },                         
        "className": "QMinimalEglIntegrationPlugin",                       
        "debug": false,    
        "version": 330497
    }                                   
                              
                                        
    Got keys from plugin meta data ("minimalegl")
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqoffscreen.so"                
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqoffscreen.so, metadata=                             
    {                              
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",                                
        "MetaData": {              
            "Keys": [     
                "offscreen"           
            ]                                    
        },                                
        "className": "QOffscreenIntegrationPlugin",
        "debug": false,      
        "version": 330497                 
    }                         
                                 
                               
    Got keys from plugin meta data ("offscreen")     
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqvnc.so"                      
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqvnc.so, metadata=                                   
    {                                                          
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",                                
        "MetaData": {                                                                       
            "Keys": [                                                          
                "vnc"                     
            ]                                                                   
        },                                    
        "className": "QVncIntegrationPlugin",
        "debug": false,                     
        "version": 330497             
    }                                                                       
                                               
                                                     
    Got keys from plugin meta data ("vnc")   
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/qt/plugins/platforms/libqxcb.so"                      
    Found metadata in lib /usr/lib/qt/plugins/platforms/libqxcb.so, metadata=                                   
    {                                           
        "IID": "org.qt-project.Qt.QPA.QPlatformIntegrationFactoryInterface.5.3",                                
        "MetaData": {                                                                         
            "Keys": [                                                            
                "xcb"                           
            ]                                                                   
        },                             
        "className": "QXcbIntegrationPlugin",   
        "debug": false,  
        "version": 330497          
    }                                 
                                                             
                                       
    Got keys from plugin meta data ("xcb")                                      
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/bin/platforms" ...                           
    QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-archie'                                
    loaded library "/usr/lib/qt/plugins/platforms/libqxcb.so"                                                   
    qt.qpa.screen: QXcbConnection: Could not connect to display                                                 
    Could not connect to any X display.                                                          
    QLibraryPrivate::unload succeeded on "/usr/lib/qt/plugins/platforms/libqxcb.so"                             
    On QtCore unload, "/usr/lib/qt/plugins/bearer/libqconnmanbearer.so" was leaked, with 2 users                
    On QtCore unload, "/usr/lib/qt/plugins/bearer/libqgenericbearer.so" was leaked, with 2 users                
    On QtCore unload, "/usr/lib/qt/plugins/bearer/libqnmbearer.so" was leaked, with 2 users                     
    

    My guess is you actually have a memory issue in your container.


  • Lifetime Qt Champion

    In addition to what @ambershark wrote, what are your host specifications ?



  • I ran into similar issue when building a container of the calibre application:
    My docker host is running debian 9

    DockerFile

    FROM base/archlinux
    
    RUN export RUNLEVEL=1
    RUN pacman --noconfirm -Syu calibre
    
    RUN echo '#!/usr/sbin/bash' > /usr/bin/run.sh
    RUN echo 'calibre-server $(ls -d /library/*);' >> /usr/bin/run.sh
    RUN echo 'while true; do sleep 86400;done' >> /usr/bin/run.sh
    RUN chmod +x /usr/bin/run.sh
    ENTRYPOINT ["/usr/bin/run.sh"]
    

    The server failed to start with this error:

    qt.qpa.plugin: Could not find the Qt platform plugin "headless" in "/usr/lib/calibre/calibre/plugins"
    This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
    
    Aborted (core dumped)
    

    Debugging further it looks like I am getting out of memory errors for every single plugin

    QT_DEBUG_PLUGINS=1 calibre-debug -c "from calibre.gui2 import *; ensure_app()"
    
    QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/calibre/calibre/plugins" ...
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/calibre/calibre/plugins/_patiencediff_c.so"
    /usr/lib/calibre/calibre/plugins/_patiencediff_c.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/calibre/calibre/plugins/_patiencediff_c.so'." 
             not a plugin
    QFactoryLoader::QFactoryLoader() looking at "/usr/lib/calibre/calibre/plugins/bzzdec.so"
    /usr/lib/calibre/calibre/plugins/bzzdec.so: Cannot allocate memory
    "Out of memory while loading plugin '/usr/lib/calibre/calibre/plugins/bzzdec.so'." 
             not a plugin
    

    I have Free memory available:

    # free -g
                  total        used        free      shared  buff/cache   available
    Mem:             15           1           2           0          12          14
    


  • Same thing occurs with lximage-qt
    It drops a core, I did a backtrace:

    Reading symbols from /usr/sbin/lximage-qt...(no debugging symbols found)...done.
    [New LWP 3477]
    [New LWP 3478]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/usr/lib/libthread_db.so.1".
    Core was generated by `lximage-qt'.
    Program terminated with signal SIGABRT, Aborted.
    #0  0x00007fdbdeac1b5f in raise () from /usr/lib/libc.so.6
    [Current thread is 1 (Thread 0x7fdbd543ecc0 (LWP 3477))]
    (gdb) bt
    #0  0x00007fdbdeac1b5f in raise () at /usr/lib/libc.so.6
    #1  0x00007fdbdeaac452 in abort () at /usr/lib/libc.so.6
    #2  0x00007fdbdbf787fc in  () at /usr/lib/libQt5Core.so.5
    #3  0x00007fdbdc50cbda in QGuiApplicationPrivate::createPlatformIntegration() () at /usr/lib/libQt5Gui.so.5
    #4  0x00007fdbdc50d09e in QGuiApplicationPrivate::createEventDispatcher() () at /usr/lib/libQt5Gui.so.5
    #5  0x00007fdbdc170f15 in QCoreApplicationPrivate::init() () at /usr/lib/libQt5Core.so.5
    #6  0x00007fdbdc50e2c0 in QGuiApplicationPrivate::init() () at /usr/lib/libQt5Gui.so.5
    #7  0x00007fdbdcae7b9a in QApplicationPrivate::init() () at /usr/lib/libQt5Widgets.so.5
    #8  0x0000560509e3b92e in  ()
    #9  0x00007fdbdeaae003 in __libc_start_main () at /usr/lib/libc.so.6
    #10 0x0000560509e3c83a in _start ()
    


  • @krey said in Qt doesn't work in my ArchLinux docker:

    lximage-qt is just a random app

    Could it be possible you have a Qt version mismatch from the machine you built the app to the Qt version in the Docker image you want to run it ?

    How you deploy your Qt app into the Docker image?

    Your issue looks to me similar to this post.



  • Same happened to me with Arch Linux from May, before everything worked fined.
    Changed the base image to Fedora 28 a couple of days ago, and I can reproduce the same issue.
    The problem is consistent and doesn't depend on the base image, it's either a Docker or Qt issue.



  • I'm experiencing the same issue with Ubuntu 16.04 and 18.04 (docker base image: nvidia/opengl:1.0-glvnd-devel-ubuntu(16.04|18.04)). I've excluded multiple possible causes: missing file permissions, actual out-of-memory and docker storage drivers (I tried overlay2 and aufs).

    It seems that the piece of code that causes the error is a fallback mechanism and was added in Qt 5.9.5 or 5.9.6. Unfortunately, I haven't gotten my project to work with 5.9.4, but using that version might be a temporary workaround. Nonetheless, it's interesting to see why this specific error is thrown: Qt fails to map the entire file into memory, but succeeds mapping the first byte, therefore assuming an out-of-memory situation. It's unlikely, but perhaps a file system mechanic of Docker messes this up.



  • The issue seems to be specific to recent QT5 in docker. QT5 images based on debian stretch run well, but not on debian buster images.
    A quick and dirty fix is to run with option --privileged.
    I tried to track down the issue with less permissive options (e.g. --cap-add=ALL or --ipc=host), but with no success so far.



  • @mviereck Thank you, using docker run --privileged also fixed the problem for me. Do you have any idea what the actual problem is?



  • Thank you, using docker run --privileged also fixed the problem for me.

    --privileged is good for debugging, but a no-go for regular use. It gives the container far to much access to host.

    Do you have any idea what the actual problem is?

    Not exactly, but I could trace down a bit: Instead of --privileged, option --security-opt seccomp=unconfined is enough to fix the issue.
    Now I have to research what --security-opt seccomp=unconfined exactly does.

    docker documentation lists some syscalls that are blocked by default seccomp profile:
    https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile

    QT5 needs one of those syscalls although it should not. I consider that a QT5 bug.

    If I understand it right: Many blocked syscalls can also be enabled with option --cap-add. As --cap-add=ALL does not succeed, it may be one of the syscalls that are not covered with --cap-add=ALL. Though, I am not sure at this point.

    An attempt to trace down further would be to set up a custom seccomp profile.
    Whitelisting the currently disabled syscalls one by one until the one is found that is needed is a possible way to go.


  • Moderators

    @mviereck I would report it as a bug and see what the Qt devs say about it.

    https://wiki.qt.io/Reporting_Bugs



  • I would report it as a bug and see what the Qt devs say about it.

    Done, bug report is here: https://bugreports.qt.io/browse/QTBUG-70447

    @all: Please click "Vote for this issue" to confirm the bug and to get attention from developers.



  • ok, it turns out to be an issue with statx syscall. It is already whitelisted in recent docker versions, but did not reach the distributions yet. It is fixed in docker-ce 18.06, but not in 18.03.

    This PR added statx to docker seccomp whitelist: https://github.com/moby/moby/pull/36417
    Related SO thread: https://stackoverflow.com/questions/48995826/which-capabilities-are-needed-for-statx-to-stop-giving-eperm

    Possible solutions for docker versions before 18.06:



  • @mviereck I've been using Docker 18.06 (docker --version: 18.06.1-ce, build e68fc7a) all along and run, as described in my previous posts, into the same issues. Running docker with the provided seccomp file also results in the same error. Only --security-opt seccomp=unconfined works for me at the moment. Have you had success using the seccomp file or updating to 18.06?

    BTW: Docker 18.06 is already available as a stable release for nearly 2 months (three weeks for the .1 version), but the official website (including the documentation) has not been updated yet to reflect that - perhaps because the release has only a 4-month support lifetime.

    EDIT: Here's my minimal Dockerfile for reproducing the error. If successful, the docker logs show QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root', if it fails, the docker logs show the known error This application failed to start because no Qt platform plugin could be initialized.



  • Have you had success using the seccomp file or updating to 18.06?

    @emberflare At first I succeeded with 18.03 and the downloaded seccomp profile file. Afterwards I made an upgrade to 18.06 and did not need the seccomp profile file anymore.

    I gave an example calibre Dockerfile in the bugreport that I used for test runs. Can you check whether that one succeeds on your system?

    Another possible check: run with --cap-add=ALL.

    Next check: Add to your seccomp profile whitelist syscalls not covered by --cap-add=ALL:

    "add_key","get_kernel_syms","keyctl","move_pages","nfsservctl","perf_event_open","personality","query_module","request_key","sysfs","_sysctl","uselib","userfaultfd","ustat",
    

    Here's my minimal Dockerfile for reproducing the error.

    It succeeds here with Docker version 18.06.1-ce, build e68fc7a and output QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'.



  • @mviereck said in Qt doesn't work in my ArchLinux docker:

    I gave an example calibre Dockerfile in the bugreport that I used for test runs. Can you check whether that one succeeds on your system?

    Running that image fails for me with the usual error: Could not find the Qt platform plugin "xcb" in "".

    Another possible check: run with --cap-add=ALL.

    This fails with my minimal Dockerfile, and with your calibre Dockerfile.

    Next check: Add to your seccomp profile whitelist syscalls not covered by --cap-add=ALL:

    This fails with my minimal Dockerfile, and with your calibre Dockerfile.

    Here's my minimal Dockerfile for reproducing the error.

    It succeeds here with Docker version 18.06.1-ce, build e68fc7a and output QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'.

    That is very strange. Perhaps my Docker installation is corrupted or my host is somehow incapable of applying seccomp configurations. In one of the PRs linked to this problem, somebody mentions a host dependency for seccomps, but it seems unlikely that they are missing on ubuntu 18.04.

    I'll reinstall Docker and report back with the results.

    EDIT: Same results with reinstalled docker. I'm looking into seccomp dependencies now.



  • @emberflare Maybe different kernel versions make a difference. Here:

    $ uname -a
    Linux buster 4.17.0-3-amd64 #1 SMP Debian 4.17.17-1 (2018-08-18) x86_64 GNU/Linux
    

    I'll reinstall Docker and report back with the results.

    Make sure you don't have package docker.io installed. It interferes with docker-ce. Also there may be an old docker config file somewhere around that messes up your setup. Maybe purge-deinstall docker-ce, than install docker.io, purge it, too, than install docker-ce again. That hopefully removes all config files.

    somebody mentions a host dependency for seccomps

    Afaik the kernel can be compiled to support seccomp or not. If it does not support it, there should be no restriction.



  • @mviereck

    @emberflare Maybe different kernel versions make a difference. Here:

    $ uname -a
    Linux buster 4.17.0-3-amd64 #1 SMP Debian 4.17.17-1 (2018-08-18) x86_64 GNU/Linux
    

    My host is a Google Cloud instance, with a seemingly custom compiled kernel (gcp suffix):

    $ uname -a
    Linux gpu-instance-1 4.15.0-1018-gcp #19~16.04.2-Ubuntu SMP Mon Aug 20 13:39:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    

    Perhaps the problem lies in that kernel, but as you mentioned, it should either be compiled to support seccomp or not, and theoretically work in both cases. Could a kernel update help?

    I'll reinstall Docker and report back with the results.

    purge-deinstall docker-ce, than install docker.io, purge it, too, than install docker-ce again

    Good idea, I tried this, but still the same error.



  • @emberflare

    I found an interesting documentation about seccomp and docker: https://github.com/docker/labs/tree/master/security/seccomp

    It may be worth a try to check which syscalls your qt app is using and whether one is missing in the seccomp whitelist.
    Install strace in image, run it interactive -it with bash and try:

    strace -c -f -S name /opt/qt511/bin/qmlplugindump 2>&1 1>/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}'
    

    strace probably needs --cap-add SYS_PTRACE. If in doubt, try --cap-add=ALL.

    This blog post may help, too: https://blog.jessfraz.com/post/how-to-use-new-docker-seccomp-profiles/

    I did not check all that above yet, I will look closer at this later.



  • @mviereck Thanks for the command! The syscalls used by my application are the following:

    access, arch_prctl, brk, close, connect, execve, fstat, futex, getcwd, getdents, geteuid, getpid, getrandom, getuid, lseek, lstat, mmap, mprotect, munmap, openat, prlimit64, read, readlink, rt_sigaction, rt_sigprocmask, set_robust_list, set_tid_address, socket, stat, statx, write
    

    From what I can tell, all of these are allowed by the default seccomp profile of Docker 18.06, only the rule for arch_prctl is listed separately. I also verified that Docker has no problems accessing the seccomp file, which could've been a cause for my problem.

    Perhaps I should do a kernel update, as it currently is my last idea to fix this issue (without using --security-opt seccomp=unconfined).


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.