docker4mac linuxkit has a different seed than linuxkit docker image

[yashbhutwala]

• I have tried with the latest version of my channel (Stable)

Expected behavior

docker4mac linuxkit has same seed as linuxkit docker image

Actual behavior

docker4mac linuxkit has different seed than the linuxkit docker image. This means RANDSTRUCT is different and does not allow the modules built via the docker image to be inserted.

See falco linuxkit issue

Information

• macOS Version: Darwin bhutwala-mac 18.7.0 Darwin Kernel Version 18.7.0: Thu Jan 23 06:52:12 PST 2020; root:xnu-4903.278.25~1/RELEASE_X86_64 x86_64

Diagnostic logs

Docker for Mac: version...
Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:21:11 2020
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:29:16 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
>
>
>
> docker info
Client:
 Debug Mode: false

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 700
 Server Version: 19.03.8
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.76-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.778GiB
 Name: docker-desktop
 ID: M7EH:4NF5:56E7:LAHX:6PFD:VTVF:IGCK:X45A:N4DH:REXS:2MSX:2KRE
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 34
  Goroutines: 51
  System Time: 2020-03-23T11:41:39.8167431Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
  https://artifactory.internal.synopsys.com:5002/
  https://defensics-store.internal.synopsys.com:5004/
 Live Restore Enabled: false
 Product License: Community Engine

Steps to reproduce the behavior

1. docker run -it --privileged --pid=host --net=host ubuntu nsenter -t 1 -m -u -n -i bash
2. cat include/generated/randomize_layout_hash.h
3. cat scripts/gcc-plugins/randomize_layout_seed.h

[djs55]

Thanks for your report. We ended up making a couple of FUSE and virtio-blk backports to 4.19. In the future I'm hoping to get back on to the vanilla linuxkit 5.4 images but in the meantime for the current stable 2.2.0.* releases the kernel is described in this comment -- let me know if this unblocks you for now.

I think we need to better document exactly which kernel we're using for each release. Perhaps we should link to the Docker hub image in the release note? Let me know what you think about that. Perhaps also we should fix the seed in the build (if it's mainly the seed that's the problem).

Sorry for the inconvenience this caused!

[yashbhutwala]

Awesome, thanks @djs55 for that link! I agree with you, perhaps we can turn this issue into two action items 😃

• document/link kernel versions and Docker Hub images in release notes
• fix seed in kernel build

[leodido]

For now, just having a mapping between kernel <-> docker images shipping the correct seed to use, would be enough imho :)

[docker-robott]

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked