[do not merge] debug seccomp-related issues on armhf (arm32v7)

Jenkinsfile

@@ -6,23 +6,7 @@
 // This list is ordered by Distro (alphabetically), and release (chronologically).
 // When adding a distro here, also open a pull request in the release repository.
 def images = [
-    [image: "amazonlinux:2",                  arches: ["aarch64"]],
-    [image: "centos:7",                       arches: ["amd64", "aarch64", "armhf"]],
-    [image: "centos:8",                       arches: ["amd64", "aarch64"]],          // Note: armhf (arm32) images are currently not available on Docker Hub
-    [image: "debian:stretch",                 arches: ["amd64", "aarch64", "armhf"]], // Debian 9  (EOL: June, 2022)
-    [image: "debian:buster",                  arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024)
-    [image: "fedora:29",                      arches: ["amd64", "aarch64"]],
-    [image: "fedora:30",                      arches: ["amd64", "aarch64"]],
-    [image: "fedora:31",                      arches: ["amd64", "aarch64"]],
-    [image: "fedora:latest",                  arches: ["amd64"]],
-    [image: "opensuse/leap:15",               arches: ["amd64"]],
-    [image: "balenalib/rpi-raspbian:stretch", arches: ["armhf"]],
-    [image: "balenalib/rpi-raspbian:buster",  arches: ["armhf"]],
-    [image: "ubuntu:xenial",                  arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024)
-    [image: "ubuntu:bionic",                  arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028)
-    [image: "ubuntu:disco",                   arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.03  (EOL: January, 2020)
-    [image: "ubuntu:eoan",                    arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 19.10  (EOL: July, 2020)
-    [image: "ubuntu:focal",                   arches: ["amd64", "aarch64"]],          // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
+    [image: "ubuntu:focal",                   arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030)
 ]
 
 def generatePackageStep(opts, arch) {
@@ -32,15 +16,40 @@ def generatePackageStep(opts, arch) {
                 try {
                     sh 'docker version'
                     sh 'docker info'
+                    sh 'apt list libseccomp2 -a'
                     sh '''
                     curl -fsSL "https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh" | bash || true
                     '''
-                    sh("docker pull ${opts.image}")
                     checkout scm
+                    sh '''
+                    if [ "$(uname -p)" = "armv7l" ]; then
+                        echo "installing libseccomp2_2.4.3-0ubuntu2_armhf.deb"
+                        curl -fsSL https://launchpad.net/ubuntu/+archive/primary/+files/libseccomp2_2.4.3-0ubuntu2_armhf.deb > libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+                        sudo dpkg -i libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+                        rm libseccomp2_2.4.3-0ubuntu2_armhf.deb
+
+                        apt list libseccomp2 -a
+
+                        docker pull arm32v7/ubuntu:focal;
+
+                        echo "Minimal reproducer: this should pass (seccomp disabled)"
+                        docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+
+                        echo "Minimal reproducer: this should pass (updated seccomp profile)"
+                        docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=./default.json arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+
+                        echo "Minimal reproducer: default seccomp profile"
+                        docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=./default.json arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6';
+                    fi
+                    '''
+                    sh("docker pull ${opts.image}")
                     sh("make BUILD_IMAGE=${opts.image} CREATE_ARCHIVE=1 clean build")
                     archiveArtifacts(artifacts: 'archive/*.tar.gz', onlyIfSuccessful: true)
                 } finally {
                     sh "sudo chmod -R 777 ."
+                    sh "sudo apt-get install -y --allow-downgrades libseccomp2=2.4.1-0ubuntu0.16.04.2"
                     deleteDir()
                 }
             }
@@ -54,38 +63,13 @@ def generatePackageSteps(opts) {
     }
 }
 
-def packageBuildSteps = [
-    "windows": { ->
-        node("windows-2019") {
-            stage("windows") {
-                try {
-                    checkout scm
-                    sh("git clone https://github.com/containerd/containerd containerd-src")
-                    def sanitized_workspace=env.WORKSPACE.replaceAll("\\\\", '/')
-                    // Replace windows path separators with unix style path
-                    sh("make CONTAINERD_DIR=${sanitized_workspace}/containerd-src -f Makefile.win archive")
-                } finally {
-                    deleteDir()
-                }
-            }
-        }
-    }
-]
+def packageBuildSteps = [:]
 
 packageBuildSteps << images.collectEntries { generatePackageSteps(it) }
 
 pipeline {
     agent none
     stages {
-        stage('Check file headers') {
-            agent { label 'linux&&amd64' }
-            steps{
-                script{
-                    checkout scm
-                    sh "make validate"
-                }
-            }
-        }
         stage('Build packages') {
             steps {
                 script {

Makefile

@@ -47,7 +47,7 @@ ifdef CREATE_ARCHIVE
 	VOLUME_MOUNTS+= -v "$(CURDIR)/archive:/archive"
 endif
 
-RUN=docker run --rm $(VOLUME_MOUNTS) -i $(ENV_VARS) $(BUILDER_IMAGE)
+RUN=docker run --security-opt seccomp=unconfined -e DEBIAN_FRONTEND=noninteractive --rm $(VOLUME_MOUNTS) -i $(ENV_VARS) $(BUILDER_IMAGE)
 CHOWN=docker run --rm -v $(CURDIR):/v -w /v alpine chown
 CHOWN_TO_USER=$(CHOWN) -R $(shell id -u):$(shell id -g)