Commit ee8f9ea

update documentation to mention that x86 containers can, in rare cases, be affected by the personality-related error
- I have discovered that it is possible to construct a convoluted situation in which a purely 64-bit x86 container running on a purely 64-bit x86 device can also be affected by the `personality`-related error, and that the `custom-docker-with-unrestricted-personality.patch` is also capable of preventing the error in that rare situation. Contact me if you would like to learn the steps to reproduce that situation.
1 parent 9cc2828 commit ee8f9ea

2 files changed

+6
-3
lines changed

README.md

Lines changed: 5 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -49,8 +49,9 @@ command:
4949
docker run --rm --privileged aptman/qus -s -- -p aarch64 arm
5050
```
5151

52-
Note that AArch64 and ARM containers sometimes work properly only in privileged
53-
mode, even on some real ARM devices. If you want your containers to have standard privileges, a custom
52+
Note that AArch64 and ARM containers (and in certain rare situations, some x86 containers)
53+
sometimes work properly only in privileged mode, even on some real ARM devices.
54+
If you want your containers to have standard privileges, a custom
5455
seccomp profile or a custom build of Docker might be required. The custom build
5556
of Docker limits the customizations to purely what is necessary for
5657
the `personality()` system call, leaving the security settings of all other system
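Review bot: the rewritten sentence at +52/+53 now attaches the clause "even on some real ARM devices" to x86 containers as well, which does not make sense for the x86 case, and the parenthetical "in certain rare situations" never says what the situation is, so a reader cannot tell whether the note applies to their setup. Suggest splitting the two cases, for example "Note that AArch64 and ARM containers sometimes work properly only in privileged mode, even on some real ARM devices. In rare situations the same applies to some x86 containers; see the known issues below.", and naming the triggering condition (or the issue that tracks it) in the known-issues entry. Since the following lines offer a custom seccomp profile and a custom Docker build as alternatives, it would also help to say that a seccomp profile passed with `--security-opt` only affects the container it is applied to, while the patched Docker build relaxes `personality()` for every container on the host, so the profile is the narrower option to try first.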
@@ -134,7 +135,8 @@ Podman:
134135

135136
There a number of known issues which may not be resolved:
136137

137-
* ARM containers might require a custom seccomp profile or custom build of Docker to remove restrictions from the
138+
* ARM containers (and in certain rare situations, some x86 containers)
139+
might require a custom seccomp profile or custom build of Docker to remove restrictions from the
138140
`personality()` system call.
139141

140142
* When running certain multi threaded program in 32bit containers, the PIDs can
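Review bot: the parenthetical added at +138 repeats the one added to README line 52 word for word, and neither place states what the rare x86 situation is, so this known-issues entry gives the reader nothing to check their environment against; state the condition once here (or link the issue that tracks it) and have the earlier note refer to this list. Minor wording point on +139/140: "remove restrictions from the `personality()` system call" describes the Docker patch but overstates what a custom seccomp profile has to do, which is only to permit the `personality()` argument values the container actually uses; "relax the restrictions on" would cover both options accurately.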

custom-docker-with-unrestricted-personality.patch

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1,5 +1,6 @@
11
This removes all restrictions from the personality() system call from within Docker, and
22
is only necessary on some specific devices, including some ARM devices but not all ARM devices,
3+
and including some x86 devices in some rare situations but not all situations,
34
and only when the --privileged and --security-opt arguments are either not working or not desired,
45
which sometimes happens. This patch is designed for the docker.io package version 26.1.5 in
56
Debian trixie: https://packages.debian.org/trixie/docker.io, but also works when rebased on other
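Review bot: the line added at 3+ turns the opening sentence into a run-on with three "some ... but not all" qualifiers and, as in the README, does not say what the rare x86 situation is. Because this patch removes every restriction on `personality()` for all containers on the host, someone deciding whether to rebuild Docker with it needs the trigger described in the file itself; the commit message offers reproduction steps only on request, which is not something a patch header can rely on. Suggest splitting the description, for example: "This removes all restrictions from the personality() system call from within Docker. It is only necessary on specific devices: some ARM devices, and in rare situations some x86 devices (describe the condition here). Use it only when the --privileged and --security-opt arguments are either not working or not desired.", and keeping the docker.io 26.1.5 / Debian trixie sentence as it is.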
