diff --git a/apps/fedimint-clientd/manifest.yml b/apps/fedimint-clientd/manifest.yml index aba52999..73378311 100644 --- a/apps/fedimint-clientd/manifest.yml +++ b/apps/fedimint-clientd/manifest.yml @@ -42,6 +42,12 @@ app: # skip this whole manifest, so fmcd never ran and federations never joined.) # Lock down once the default federation's reachability model is finalized. network_policy: bridge + # fmcd's Mainline-DHT / iroh transport uses syscalls the default rootless + # seccomp profile blocks on some kernels (e.g. .116, kernel 6.12.74), where + # fmcd crash-loops "Operation not permitted (os error 1)" and never serves + # its REST API — so federations can't be joined (#7). Verified: with + # seccomp=unconfined fmcd boots and answers /v2/* (HTTP 401 vs dead 000). + seccomp_unconfined: true ports: # fmcd REST bound to 8080 in-container; 8080 collides with LND REST on the diff --git a/core/archipelago/src/container/quadlet.rs b/core/archipelago/src/container/quadlet.rs index 45ecfde7..0fc05c22 100644 --- a/core/archipelago/src/container/quadlet.rs +++ b/core/archipelago/src/container/quadlet.rs @@ -149,6 +149,9 @@ pub struct QuadletUnit { pub command: Vec, pub read_only_root: bool, pub no_new_privileges: bool, + /// Render `SeccompProfile=unconfined` — for daemons whose networking needs + /// syscalls the default rootless seccomp profile blocks (e.g. fmcd, #7). + pub seccomp_unconfined: bool, pub cpu_quota: Option, pub restart_policy: RestartPolicy, } @@ -252,6 +255,9 @@ impl QuadletUnit { if self.no_new_privileges { let _ = writeln!(s, "NoNewPrivileges=true"); } + if self.seccomp_unconfined { + let _ = writeln!(s, "SeccompProfile=unconfined"); + } if let Some(cpus) = self.cpu_quota { let _ = writeln!(s, "PodmanArgs=--cpus={cpus}"); } @@ -408,6 +414,7 @@ impl QuadletUnit { command: app.container.custom_args.clone(), read_only_root: app.security.readonly_root, no_new_privileges: app.security.no_new_privileges, + seccomp_unconfined: app.security.seccomp_unconfined, cpu_quota: app.resources.cpu_limit, restart_policy: RestartPolicy::OnFailure, } diff --git a/core/container/src/manifest.rs b/core/container/src/manifest.rs index 4b35e80f..4924cf8b 100644 --- a/core/container/src/manifest.rs +++ b/core/container/src/manifest.rs @@ -228,6 +228,13 @@ pub struct SecurityPolicy { pub network_policy: String, #[serde(default)] pub apparmor_profile: Option, + /// Run the container with `seccomp=unconfined`. Needed by daemons whose + /// networking uses syscalls blocked by the default rootless seccomp profile + /// on some kernels — e.g. fmcd's Mainline-DHT/iroh transport, which otherwise + /// crash-loops with "Operation not permitted (os error 1)" (#7). Opt-in only; + /// a mild relaxation, so reserve it for apps that genuinely need it. + #[serde(default)] + pub seccomp_unconfined: bool, } fn default_true() -> bool { diff --git a/core/container/src/podman_client.rs b/core/container/src/podman_client.rs index 35fcad36..8c75db86 100644 --- a/core/container/src/podman_client.rs +++ b/core/container/src/podman_client.rs @@ -384,6 +384,17 @@ impl PodmanClient { "nsmode": net_mode }, }); + // seccomp=unconfined for apps that need syscalls the default rootless + // profile blocks (e.g. fmcd's DHT) — libpod takes the literal "unconfined" + // as the profile path, mirroring `--security-opt seccomp=unconfined` (#7). + if manifest.app.security.seccomp_unconfined { + body.as_object_mut() + .expect("container create body is a JSON object") + .insert( + "seccomp_profile_path".to_string(), + serde_json::json!("unconfined"), + ); + } if let Some(network) = custom_network { body.as_object_mut() .expect("container create body is a JSON object")