Docker not built with seccomp

Bug #1639407 reported by Lizzie Dixon
This bug affects 1 person
Affects              Status        Importance  Assigned to  Milestone
docker.io (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial             Fix Released  Undecided   Unassigned
  Yakkety            Fix Released  Undecided   Unassigned
runc (Ubuntu)        Fix Released  Undecided   Unassigned
  Xenial             Fix Released  Undecided   Unassigned
  Yakkety            Fix Released  Undecided   Unassigned

Bug Description

[Impact]
Hi,

I noticed that the 'docker' provided by the 'docker.io' package
is not built with seccomp support.

This seems to be true in xenial, yakkety, and zesty:

  ubuntu@ubuntu-xenial:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
  Seccomp: 0

  ubuntu@ubuntu-yakkety:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
  Seccomp: 0

  ubuntu@ubuntu-zesty:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
  Seccomp: 0

This is despite the fact that the Ubuntu kernels are built with
seccomp support and that the necessary 'seccomp' version (2.2.1) is
available.

This damages Docker's security on Ubuntu:

+ This exploit of CVE-2016-5195 works on Ubuntu Docker but not on
  stock Docker, because of the availability of the 'ptrace' system
  call, which is blocked by Docker's default seccomp filter:
  https://github.com/gebl/dirtycow-docker-vdso

+ Ubuntu Docker allows the 'perf_event_open' system call, which,
  combined with /proc/sys/kernel/perf_event_paranoid being 1 by
  default on xenial, allows disclosure of registers in the
  kernel. This can be used to break KASLR, and possibly to leak other
  sensitive values, like the /dev/urandom seed.

+ Ubuntu Docker allows access to system calls like 'move_pages', which
  could be used to deny service to other NUMA-aware processes on the
  host.

+ Processes in Ubuntu Docker containers can 'unshare' to create a new
  user namespace and obtain a new set of capabilities, potentially
  including capabilities the user intended to drop.

These are acceptable security trade-offs to make in some contexts, but
I think the fact that they're different from Docker's packages could
easily make this surprising or unexpected behavior.

[Test Case]
"sudo docker run -it ubuntu grep Seccomp /proc/self/status" should show that Seccomp is enabled.

Also see https://wiki.ubuntu.com/DockerUpdates

[Regression potential]
See above.
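The test case above relies on the kernel reporting each process's seccomp mode in /proc/&lt;pid&gt;/status (0 = no seccomp, 1 = SECCOMP_MODE_STRICT, 2 = SECCOMP_MODE_FILTER), and on `docker info` listing seccomp under "Security Options". The following script is an added example, not part of the bug report or the Ubuntu packaging: it parses both outputs and produces a verdict. The sample status and `docker info` texts are constructed to mirror the outputs quoted in this report; the multi-line "Security Options" layout handled alongside the 1.12 one-line format is the layout newer daemons print.

```python
"""Added example (not part of the bug report): detect whether a process runs
under a seccomp filter and whether the Docker daemon advertises seccomp.

The kernel exposes the seccomp mode of every process in /proc/<pid>/status:
  Seccomp: 0   no seccomp
  Seccomp: 1   SECCOMP_MODE_STRICT
  Seccomp: 2   SECCOMP_MODE_FILTER (a BPF filter such as Docker's default profile)
Running `grep Seccomp /proc/self/status` inside a container, as the report does,
therefore tells you whether the runtime actually installed its filter.
"""
import re
import subprocess

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def seccomp_mode(status_text):
    """Return the integer Seccomp value from /proc/<pid>/status text.

    Raises ValueError when the field is missing, which happens on kernels
    built without CONFIG_SECCOMP or too old to expose the field.
    """
    match = re.search(r"^Seccomp:\s*(\d+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no Seccomp field in status text")
    return int(match.group(1))


def docker_security_options(info_text):
    """Return the options listed under 'Security Options:' in `docker info`.

    Docker 1.12 (as quoted in the report) prints them on one line; newer
    daemons print one option per single-space-indented line, with details
    such as '  Profile: default' indented further.
    """
    lines = info_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("Security Options:"):
            continue
        options = line[len("Security Options:"):].split()
        for following in lines[i + 1:]:
            if following.startswith("  "):
                continue  # detail line belonging to the previous option
            if following.startswith(" "):
                options.append(following.strip())
            else:
                break  # next top-level field, e.g. 'Kernel Version:'
        return options
    return []


def assess(status_text, info_text):
    """Combine both signals into a small verdict dictionary."""
    mode = seccomp_mode(status_text)
    options = docker_security_options(info_text)
    return {
        "seccomp_mode": SECCOMP_MODES.get(mode, "unknown(%d)" % mode),
        "filtered": mode == 2,
        "daemon_reports_seccomp": "seccomp" in options,
    }


# Constructed samples mirroring the outputs quoted in the bug report.
STATUS_UNFILTERED = "Name:\tgrep\nSeccomp:\t0\n"
STATUS_FILTERED = "Name:\tgrep\nSeccomp:\t2\n"
INFO_1_12_NO_SECCOMP = (
    "Runtimes: runc\nDefault Runtime: runc\n"
    "Security Options: apparmor\nKernel Version: 4.8.0-26-generic\n"
)
INFO_MULTILINE = (
    "Security Options:\n apparmor\n seccomp\n  Profile: default\n"
    "Kernel Version: 5.4.0-placeholder\n"
)

if __name__ == "__main__":
    # On a Linux host, read the live status file and ask the local daemon;
    # anywhere else fall back to the constructed samples so the script
    # still runs offline.
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = STATUS_UNFILTERED
    try:
        info = subprocess.run(["docker", "info"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        info = INFO_1_12_NO_SECCOMP
    print(assess(status, info))
```

Run it inside a container (`docker run --rm -v "$PWD":/src python:3 python /src/check.py`, a hypothetical invocation) to test the runtime itself; run it on the host to check only what the daemon claims. A result of `filtered: False` together with `daemon_reports_seccomp: False` is exactly the state this report describes.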

Revision history for this message
Emily Ratliff (emilyr) wrote :

Thanks for the report, Lizzie. I've subscribed the Docker Ubuntu Maintainers so that they can have a look and comment.

Revision history for this message
Tianon Gravi (tianon) wrote :

I don't know much about /proc/<pid>/status, but I'm fairly certain we compile Docker with whatever seccomp support is available from upstream. Can you share the output of "docker info", especially the "Security Options" field?

Revision history for this message
Lizzie Dixon (l-zzie) wrote :

Here's the version I have installed and 'docker info':

    ubuntu@ubuntu-yakkety:~$ dpkg -s docker.io
    Package: docker.io
    Status: install ok installed
    Priority: optional
    Section: admin
    Installed-Size: 77442
    Maintainer: Ubuntu Developers <email address hidden>
    Architecture: amd64
    Version: 1.12.1-0ubuntu15
    Replaces: docker (<< 1.5~)
    Depends: adduser, containerd (>= 0.2.3~), iptables, runc (>= 1.0.0~rc1~), init-system-helpers (>= 1.18~), libapparmor1 (>= 2.6~devel), libc6 (>= 2.14), libdevmapper1.02.1 (>= 2:1.02.97)
    Recommends: ca-certificates, cgroupfs-mount | cgroup-lite, git, ubuntu-fan, xz-utils, apparmor
    Suggests: aufs-tools, btrfs-tools, debootstrap, docker-doc, rinse, zfs-fuse | zfsutils
    Breaks: docker (<< 1.5~)
    Conffiles:
     /etc/default/docker 4ed438ab743c3abef1a1006fa57b05cd
     /etc/init.d/docker 73e254995b37e21ac3b63825a3b28704
     /etc/init/docker.conf 8ce66c020d5e129a177a87e0c504439c
    Description: Linux container runtime
     Docker complements kernel namespacing with a high-level API which operates at
     the process level. It runs unix processes with strong guarantees of isolation
     and repeatability across servers.
     .
     Docker is a great building block for automating distributed systems:
     large-scale web deployments, database clusters, continuous deployment systems,
     private PaaS, service-oriented architectures, etc.
     .
     This package contains the daemon and client. Using docker.io on non-amd64 hosts
     is not supported at this time. Please be careful when using it on anything
     besides amd64.
     .
     Also, note that kernel version 3.8 or above is required for proper operation of
     the daemon process, and that any lower versions may have subtle and/or glaring
     issues.
    Built-Using: glibc (= 2.24-3ubuntu1), golang-1.6 (= 1.6.3-1ubuntu1)
    Homepage: https://dockerproject.org
    Original-Maintainer: Paul Tagliamonte <email address hidden>
    ubuntu@ubuntu-yakkety:~$ docker info
    Cannot connect to the Docker daemon. Is the docker daemon running on this host?
    ubuntu@ubuntu-yakkety:~$ sudo docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 0
    Server Version: 1.12.1
    Storage Driver: overlay
     Backing Filesystem: extfs
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: host bridge overlay null
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Security Options: apparmor
    Kernel Version: 4.8.0-26-generic
    Operating System: Ubuntu 16.10
    OSType: linux
    Architecture: x86_64
    CPUs: 2
    Total Memory: 991.7 MiB
    Name: ubuntu-yakkety
    ID: G6JA:MD2U:CD45:5DC3:DFZ3:GUNY:IDH7:HYP5:C4J5:TOSZ:ZFE4:ZK6K
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    WARNING: No swap limit support
    Insecure Registries:
     127.0.0.0/8

Here's what happens if I try to specify a seccomp profile:

    ubuntu@ubuntu-yakkety:~$ curl -L -O https://raw.githubusercontent.com/docker/docker/master/profile...

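The comment above turns to specifying a seccomp profile explicitly. Docker profiles are JSON: a `defaultAction`, a list of architectures, and syscall rules that each carry an `action`, a `names` list (older profiles use a single `name`), optional `args` comparisons and optional `includes`/`excludes` capability filters. The following audit script is an added example, not from the bug report or from Docker's own tooling; it reports, for the four syscalls the report names, whether a given profile leaves them reachable. The profile embedded in it is constructed for the example and is not Docker's default profile; the "first matching rule decides" logic is a simplification of how libseccomp combines rules and is labelled as such in the code.

```python
"""Added example (not from the bug report or from Docker's own tooling):
audit a Docker-style seccomp profile for the syscalls the report names.

A syscall is reachable when a rule allows it, or when no rule matches and the
defaultAction is SCMP_ACT_ALLOW. A profile only matters if the runtime was
built with seccomp: on the unpatched packages in this report every syscall
was reachable regardless of the profile.
"""
import json

# Syscalls the report calls out as unblocked on the Ubuntu build
SYSCALLS_OF_INTEREST = ("ptrace", "perf_event_open", "move_pages", "unshare")


def rule_names(rule):
    """Syscall names covered by one rule, accepting both profile formats."""
    if "names" in rule:
        return list(rule["names"])
    if "name" in rule:
        return [rule["name"]]
    return []


def effective_action(profile, syscall):
    """Return (action, conditional) for a syscall.

    Simplification: the first rule naming the syscall decides. A rule is
    'conditional' when it carries argument comparisons or capability
    includes/excludes, so an ALLOW there does not mean the syscall is
    reachable unconditionally.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule_names(rule):
            conditional = (bool(rule.get("args"))
                           or bool(rule.get("includes"))
                           or bool(rule.get("excludes")))
            return rule["action"], conditional
    return profile.get("defaultAction", "SCMP_ACT_ALLOW"), False


def audit(profile, syscalls=SYSCALLS_OF_INTEREST):
    """Map each syscall to 'allowed', 'conditional' or 'blocked'."""
    verdicts = {}
    for name in syscalls:
        action, conditional = effective_action(profile, name)
        if action != "SCMP_ACT_ALLOW":
            verdicts[name] = "blocked"
        else:
            verdicts[name] = "conditional" if conditional else "allowed"
    return verdicts


def load_profile(path):
    """Load a profile JSON file such as one passed to --security-opt seccomp=."""
    with open(path) as fh:
        return json.load(fh)


# Constructed profile in Docker's format (not Docker's default.json): denies by
# default, allows move_pages outright, and allows unshare only with CAP_SYS_ADMIN.
EXAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "exit_group", "move_pages"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["unshare"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")

# What a runtime without seccomp amounts to: everything allowed.
NO_FILTER_PROFILE = {"defaultAction": "SCMP_ACT_ALLOW"}

if __name__ == "__main__":
    import sys
    profile = load_profile(sys.argv[1]) if len(sys.argv) > 1 else EXAMPLE_PROFILE
    for name, verdict in audit(profile).items():
        print("%-16s %s" % (name, verdict))
```

Pass the path of a profile as the first argument to audit a real file; with no argument the constructed profile is audited, which reports ptrace and perf_event_open blocked, move_pages allowed, and unshare conditional. Pairing this with the status check in the container is the useful combination: a profile that blocks everything is worth nothing if `Seccomp:` still reads 0 inside the container.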

Revision history for this message
Robie Basak (racb) wrote :

Subscribing Jon Grimm. He's the Canonical Server Team manager and can help make sure this doesn't get lost! I'm just drive-by triaging, and this appeared in my triage report as I happen to also be in ~docker-maint.

Revision history for this message
Lizzie Dixon (l-zzie) wrote :

Hello,

Do you have any more information?

Can you confirm whether this has been reproduced?

Do you know whether this is done intentionally?

Could this bug be opened, so I have a place to point others to when it comes up?

information type: Private Security → Public Security
Revision history for this message
Tianon Gravi (tianon) wrote :

This is definitely a real issue, and it wasn't intentional -- I've got a fix in progress, but it needs to happen in both the runc and the docker.io packages.

Changed in docker.io (Ubuntu):
status: New → Confirmed
Changed in runc (Ubuntu):
status: New → Confirmed
Revision history for this message
Lizzie Dixon (l-zzie) wrote :

Thanks for the update!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc1-0ubuntu2

---------------
runc (1.0.0~rc1-0ubuntu2) zesty; urgency=medium

  [ Tianon Gravi ]
  * Enable seccomp support (LP: #1639407)

 -- Steve Langasek <email address hidden> Wed, 30 Nov 2016 12:31:01 -0800

Changed in runc (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.3-0ubuntu4

---------------
docker.io (1.12.3-0ubuntu4) zesty; urgency=medium

  * Explicity depend on the version of runc that was built with seccomp
    support.

 -- Michael Hudson-Doyle <email address hidden> Mon, 12 Dec 2016 11:15:01 +1300

Changed in docker.io (Ubuntu):
status: Confirmed → Fix Released
Changed in docker.io (Ubuntu Xenial):
status: New → In Progress
Changed in docker.io (Ubuntu Yakkety):
status: New → In Progress
Changed in runc (Ubuntu Xenial):
status: New → In Progress
Changed in runc (Ubuntu Yakkety):
status: New → In Progress
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Lizzie, or anyone else affected,

Accepted docker.io into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/1.12.3-0ubuntu4~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in docker.io (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Lizzie, or anyone else affected,

Accepted runc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc1-0ubuntu2~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Yakkety):
status: In Progress → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Lizzie, or anyone else affected,

Accepted docker.io into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/1.12.3-0ubuntu4~16.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Lizzie, or anyone else affected,

Accepted docker.io into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/1.12.3-0ubuntu4~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in docker.io (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Lizzie, or anyone else affected,

Accepted runc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc1-0ubuntu2~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

$ docker run -it ubuntu grep Seccomp /proc/self/status
Seccomp: 2

tags: added: verification-done-xenial verification-done-yakkety
removed: verification-needed
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

(I've run this on my xenial system and a yakkety vm)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc1-0ubuntu2~16.04.1

---------------
runc (1.0.0~rc1-0ubuntu2~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1639407)

 -- Michael Hudson-Doyle <email address hidden> Thu, 15 Dec 2016 13:33:42 +1300

Changed in runc (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for runc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc1-0ubuntu2~16.10.1

---------------
runc (1.0.0~rc1-0ubuntu2~16.10.1) yakkety; urgency=medium

  * Backport to Yakkety. (LP: #1639407)

 -- Michael Hudson-Doyle <email address hidden> Thu, 15 Dec 2016 13:33:42 +1300

Changed in runc (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.3-0ubuntu4~16.10.2

---------------
docker.io (1.12.3-0ubuntu4~16.10.2) yakkety; urgency=medium

  * Update runc dep to account for its backported version.

docker.io (1.12.3-0ubuntu4~16.10.1) yakkety; urgency=medium

  * Backport to Yakkety. (LP: #1647376, #1639407)

 -- Michael Hudson-Doyle <email address hidden> Mon, 19 Dec 2016 09:20:48 +1300

Changed in docker.io (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.3-0ubuntu4~16.04.2

---------------
docker.io (1.12.3-0ubuntu4~16.04.2) xenial; urgency=medium

  * Update runc dep to account for its backported version.

 -- Michael Hudson-Doyle <email address hidden> Mon, 19 Dec 2016 09:20:48 +1300

Changed in docker.io (Ubuntu Xenial):
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.