How to fix the "Failed to close file descriptor for child process (Operation not permitted)" in your docker ci build
First off, I'm not a docker expert by any means. I just wanted my CI pipeline to work and went down the habbit hole. The solution I present can cause some security implications, be aware.
The problem is caused by a seccomp policy and a glibc >= 2.34 update that returns an EPERM (operation not permitted) insted of ENOSYS (function not implemented).
Run your container with --security-opt seccomp=unconfined.
Example from Docker:
docker run --rm -it --security-opt seccomp=unconfined debian:jessie
- gspawn: Report errors with closing file descriptors between fork/exec
- Seccomp security profiles for Docker
- Build will fail when docker has glibc2.35 and glib2.72+
- Things encountered while building nixpkgs 22.05
- Getting error "Error Launching startup command: Failed to..."
- seccomp: add support for "clone3" syscall in default policy #42681
- gspawn doesn't set CLOEXEC if close_range fails unexpectedly
- 2. Error Codes (The GNU C Library)