tt crashes with "Operation is not permitted" #829

Open
olegrok opened this issue Apr 19, 2024 · 3 comments
Labels
bug Something isn't working crash

Comments


olegrok commented Apr 19, 2024

I run tt inside Docker and it crashes with the following stack trace:

#16 0.400 + tt pack proj --version=1.2.3-3-ge556d347 --with-binaries --name myproj
#16 0.402 runtime/cgo: pthread_create failed: Operation not permitted
#16 0.405 SIGABRT: abort
#16 0.405 PC=0x10a6adc m=0 sigcode=18446744073709551610
#16 0.405 
#16 0.405 goroutine 0 [idle]:
#16 0.405 runtime: g 0: unknown pc 0x10a6adc
#16 0.405 stack: frame={sp:0x7ffcced7eb90, fp:0x0} stack=[0x7ffcce580140,0x7ffcced7f150)
#16 0.406 
#16 0.406 goroutine 1 [running]:
#16 0.406 runtime.systemstack_switch()
#16 0.406 	/__w/_tool/go/1.21.4/x64/src/runtime/asm_amd64.s:474 +0x8 fp=0xc00006c740 sp=0xc00006c730 pc=0x46e088
#16 0.406 runtime.main()
#16 0.406 	/__w/_tool/go/1.21.4/x64/src/runtime/proc.go:169 +0x6d fp=0xc00006c7e0 sp=0xc00006c740 pc=0x43f46d
#16 0.406 runtime.goexit()
#16 0.406 	/__w/_tool/go/1.21.4/x64/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00006c7e8 sp=0xc00006c7e0 pc=0x470061
@olegrok olegrok added the bug Something isn't working label Apr 19, 2024
@sergos sergos added the crash label Apr 26, 2024
Contributor

oleg-jukovec commented Apr 26, 2024

actions/runner-images#3812

It seems like this is not a tt problem, but a build environment problem. It could be fixed this way: https://github.com/mpv-player/mpv/pull/9264/files
or by using the latest Docker version on a runner.

Author

olegrok commented Apr 26, 2024

> It seems like this is not a tt problem, but a build environment problem.

Why does it work for cartridge-cli then?

> It could be fixed this way: https://github.com/mpv-player/mpv/pull/9264/files

It can't be easily controlled by me (I don't have access to the runner).
And it looks really insecure to use Docker options.

I cite https://docs.docker.com/engine/security/seccomp/:

> Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.

That's exactly what we require from Docker. And we shouldn't disable it in untrusted environments.

Contributor

oleg-jukovec commented Apr 26, 2024

> It seems like this is not a tt problem, but a build environment problem.
>
> Why does it work for cartridge-cli then?

I'd guess that cartridge-cli is compiled with CGO_ENABLED=0, unlike tt. The problem requires more thorough investigation.

I just noticed that this can be quick-fixed with a temporary workaround at the moment.
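
A probe for telling this failure mode apart without turning seccomp off, as an added example that is not part of the thread or of tt. It assumes the usual cause of this symptom, a seccomp filter that answers `clone3` with EPERM (glibc's `pthread_create` falls back to `clone` only on ENOSYS); the thread does not confirm that cause, and the function and enum names are made up here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* same syscall number on every Linux architecture */
#endif

enum verdict { CLONE3_REACHED_KERNEL, CLONE3_FALLBACK, CLONE3_DENIED, CLONE3_UNKNOWN };

/* Map the errno of a deliberately invalid clone3(NULL, 0) call to a verdict. */
enum verdict classify_clone3_errno(int err) {
    switch (err) {
    case EINVAL:
    case EFAULT: return CLONE3_REACHED_KERNEL; /* kernel rejected the bad args itself */
    case ENOSYS: return CLONE3_FALLBACK;       /* glibc retries with clone() */
    case EPERM:  return CLONE3_DENIED;         /* no fallback: pthread_create fails */
    default:     return CLONE3_UNKNOWN;
    }
}

/* Return the "Seccomp:" mode (0 off, 1 strict, 2 filter) found in the text
   of /proc/<pid>/status, or -1 if the field is absent. */
int seccomp_mode(const char *status_text) {
    const char *p = status_text;
    while (p && *p) {
        int mode;
        if (sscanf(p, "Seccomp: %d", &mode) == 1) return mode;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

int main(void) {
    static const char *names[] = { "reached kernel", "ENOSYS, glibc falls back to clone",
                                   "EPERM, thread creation will fail", "unexpected errno" };
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }
    errno = 0;
    long r = syscall(SYS_clone3, NULL, (size_t)0); /* size 0 is invalid: never creates a process */
    enum verdict v = (r == -1) ? classify_clone3_errno(errno) : CLONE3_UNKNOWN;
    printf("seccomp mode: %d, clone3: %s\n", seccomp_mode(buf), names[v]);
    return v == CLONE3_DENIED;
}
```

Run inside the same build container: a seccomp mode of 2 together with the EPERM verdict points at the container's filter rather than at the application.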
