Skip to content

[docker image] set filter-syscalls = false in nix.conf to workaround missing seccomp BPF program in arm64 linux #2665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 5, 2025
Merged

[docker image] set filter-syscalls = false in nix.conf to workaround missing seccomp BPF program in arm64 linux #2665

merged 1 commit into from
Aug 5, 2025

Conversation

savil
Copy link
Collaborator

@savil savil commented Aug 5, 2025

Summary

The docker-image is failing to build in GHA:
https://github.com/jetify-com/devbox/actions/runs/16204700194/job/47358742840

The error indicates that the seccomp (secure computing mode) BPF (Berkeley Packet Filter) program that Nix tries to load is incompatible with the Docker container environment on ARM64.

When filter-syscalls = true (the default), Nix uses seccomp BPF to filter system calls for security sandboxing. Setting filter-syscalls = false disables Nix's syscall filtering, which bypasses the seccomp BPF program entirely and prevents the error.

This PR uses the approach from #1811 to fix this for arm64 platforms.

How was it tested?

docker build --platform linux/arm64 -t devbox-image-arm64 -f /Users/savil/code/jetpack/devbox/internal/devbox/generate/tmpl/DevboxImageDockerfile .
docker build --platform linux/arm64 -t devbox-image-arm64 -f /Users/savil/code/jetpack/devbox/internal/devbox/generate/tmpl/DevboxImageDockerfileRootUser .

BEFORE: these failed with the error seen in the GHA above
AFTER: build successfully

Also confirmed that --platform linux/amd64 would build successfully

Community Contribution License

All community contributions in this pull request are licensed to the project
maintainers under the terms of the
Apache 2 License.

By creating this pull request, I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 License as stated in
the
Community Contribution License.

@savil
[docker image] set filter-syscalls = false in nix.conf to workaround …
b05a69d 
…missing `seccomp BPF program` in arm64 linux
mohsenari
mohsenari approved these changes Aug 5, 2025
View reviewed changes
Copy link
Collaborator

@mohsenari mohsenari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for looking into this. Please build the image locally to make sure the build succeeds before merging.

@savil savil merged commit 3ec2038 into main Aug 5, 2025
34 checks passed
@savil savil deleted the savil/docker-image-fix-1 branch August 5, 2025 05:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mohsenari mohsenari mohsenari approved these changes

@gcurtis gcurtis Awaiting requested review from gcurtis

@ipince ipince Awaiting requested review from ipince

@mikeland73 mikeland73 Awaiting requested review from mikeland73

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@savil @mohsenari