clone3-workaround: Workaround for running ubuntu:21.10, fedora:35, and other glibc >= 2.34 distros on Docker <= 20.10.9

Old container engines such as Docker <= 20.10.9 cannot run glibc >= 2.34 images such as ubuntu:21.10 and fedora:35:

$ docker run -it  --rm ubuntu:21.10
root@862f014171b5:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu impish-security InRelease [90.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu impish InRelease [270 kB]
Get:3 http://security.ubuntu.com/ubuntu impish-security/main amd64 Packages [620 B]
Get:4 http://archive.ubuntu.com/ubuntu impish-updates InRelease [90.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu impish-backports InRelease [90.7 kB]
Get:6 http://archive.ubuntu.com/ubuntu impish/universe amd64 Packages [16.7 MB]
Get:7 http://archive.ubuntu.com/ubuntu impish/restricted amd64 Packages [110 kB]
Get:8 http://archive.ubuntu.com/ubuntu impish/main amd64 Packages [1793 kB]
Get:9 http://archive.ubuntu.com/ubuntu impish/multiverse amd64 Packages [256 kB]
Get:10 http://archive.ubuntu.com/ubuntu impish-updates/main amd64 Packages [620 B]
Fetched 19.4 MB in 7s (2893 kB/s)
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
$ docker run -it --rm fedora:35 dnf update
[root@849f3703c4b5 /]# dnf install -y hello
Fedora 35 - x86_64                                                                                                                                                                                 0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'fedora':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]

clone3-workaround works around this issue by loading an additional seccomp profile that hides the clone3(2) syscall from glibc, so that glibc's clone() wrapper works in the legacy-compatible mode.

No need to upgrade Docker. No need to specify custom docker run --security-opt flags.
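The mechanism described above, sketched in C as an added example (this is not the project's Go/libseccomp source). It assumes that "hiding" clone3 means failing it with ENOSYS, the error glibc treats as "syscall not implemented"; the function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435 /* value on x86_64 and arm64, for older headers */
#endif

/* Classic BPF: clone3 -> fail with ENOSYS, every other syscall -> allow. */
size_t build_clone3_filter(struct sock_filter *f)
{
    size_t n = 0;
    /* A = seccomp_data.nr (the syscall number) */
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* if A == clone3 run the next instruction, otherwise skip it */
    f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Seccomp filters stack and the newest one is evaluated first; among equal
 * actions the first-seen value wins, so this ENOSYS replaces whatever errno
 * an outer profile returns for clone3. Nothing else is loosened. */
int install_clone3_filter(void)
{
    struct sock_filter insns[4];
    struct sock_fprog prog = { .len = (unsigned short)build_clone3_filter(insns), .filter = insns };
    /* Needed to load a filter without CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns the errno that a raw clone3 call fails with in this process. */
int probe_clone3(void)
{
    errno = 0;
    syscall(__NR_clone3, NULL, (size_t)0);
    return errno;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s COMMAND [ARGS...]\n", argv[0]); return 2; }
    if (install_clone3_filter() != 0) { perror("seccomp"); return 1; }
    execvp(argv[1], &argv[1]); /* the filter is inherited across exec and fork */
    perror("execvp");
    return 127;
}
```

Because the filter only adds a denial on top of the engine's existing profile, it cannot grant the wrapped command any syscall the container was not already allowed to make.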

Target container engines

clone3-workaround should be useful for the following container engines.

Newer container engines DO NOT need clone3-workaround.

Also note that some distribution vendors have already cherry-picked the Docker 20.10.10 patch to older versions. E.g., docker.io/20.10.7-0ubuntu5~20.04.1 DOES NOT need clone3-workaround, although its version number is smaller than 20.10.10.

Install

A pre-built binary is available at https://github.com/AkihiroSuda/clone3-workaround/releases .

To build clone3-workaround from source, run make.

Build dependencies:

  • Go
  • libseccomp-dev

Usage

docker run

Mount or copy clone3-workaround to the container, and run clone3-workaround COMMAND [ARGUMENTS...] to run the command with the workaround.

Example: Ubuntu 21.10

$ docker run -it --rm -v $(pwd)/clone3-workaround:/clone3-workaround ubuntu:21.10 /clone3-workaround bash
root@490fd2f29a88:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu impish-security InRelease [90.7 kB]
...
Fetched 19.4 MB in 6s (2996 kB/s)
Reading package lists... Done

root@490fd2f29a88:/# apt-get install -y hello
Reading package lists... Done
...
Unpacking hello (2.10-2ubuntu3) ...
Setting up hello (2.10-2ubuntu3) ...

Example: Fedora 35

$ docker run -it --rm -v $(pwd)/clone3-workaround:/clone3-workaround fedora:35 /clone3-workaround bash
[root@c699df1e7bd4 /]# dnf install -y hello
Fedora 35 - x86_64                                                                                                                                                                                 6.5 MB/s |  61 MB     00:09
...
Installed:
  hello-2.10-6.fc35.x86_64                                                                                          info-6.8-2.fc35.x86_64

Complete!

docker build

Copy the clone3-workaround binary to the image, and specify SHELL ["/clone3-workaround","/bin/sh", "-c"] in the Dockerfile.

Example: Ubuntu 21.10

FROM ubuntu:21.10
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /clone3-workaround
RUN chmod 755 /clone3-workaround
SHELL ["/clone3-workaround","/bin/sh", "-c"]
RUN apt-get update && apt-get install -y hello

Example: Fedora 35

FROM fedora:35
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /clone3-workaround
RUN chmod 755 /clone3-workaround
SHELL ["/clone3-workaround","/bin/sh", "-c"]
RUN dnf install -y hello