I've been running into a tough issue I can't sort out.

Here is the context. First, the Dockerfile I'm using:

#######################################################################
# BUILDER
# Builds Toolset, SDK/PSW installer
#######################################################################
FROM ubuntu:20.04 as builder
ENV TZ=Europe/Paris
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get update -qq && apt-get install  -y -qq \
    autoconf \
    automake \
    build-essential \
    cmake \
    curl \
    debhelper \
    git \
    libcurl4-openssl-dev \
    libprotobuf-dev \
    libssl-dev \
    libtool \
    lsb-release \
    ocaml \
    ocamlbuild \
    protobuf-compiler \
    python \
    wget \
    unzip
RUN mkdir -p /opt/intel

# retrieve SDK source from repo
RUN git clone https://github.com/intel/linux-sgx.git
WORKDIR /linux-sgx

# prepare toolset
RUN make preparation
RUN ls -lisa external/toolset/ubuntu20.04
RUN cp /linux-sgx/external/toolset/ubuntu20.04/as /usr/local/bin
RUN cp /linux-sgx/external/toolset/ubuntu20.04/ld /usr/local/bin
RUN cp /linux-sgx/external/toolset/ubuntu20.04/ld.gold /usr/local/bin
RUN cp /linux-sgx/external/toolset/ubuntu20.04/objdump /usr/local/bin

# build SDK from source
RUN make sdk_install_pkg_no_mitigation

# install the SDK
WORKDIR /opt/intel
RUN sh -c 'echo yes | /linux-sgx/linux/installer/bin/sgx_linux_x64_sdk_*.bin'

# build PSW from source
WORKDIR /linux-sgx
RUN make psw_install_pkg


#######################################################################
# AESM
# Retrieves PSW installer from BUILDER, installs it and starts
# AESM service
#######################################################################
FROM ubuntu:20.04 as aesm
RUN apt-get update && apt-get install -y libcurl4 libprotobuf17 libssl1.1 make
WORKDIR /installer
COPY --from=builder /linux-sgx/linux/installer/bin/*.bin ./
RUN ./sgx_linux_x64_psw*.bin --no-start-aesm
USER aesmd
WORKDIR /opt/intel/sgxpsw/aesm/
ENV LD_LIBRARY_PATH=.
CMD ./aesm_service --no-daemon

It works really well, so far so good. Then comes the docker-compose file:

version: '3.7'

services:
  aesm:
    build:
      context: .
      dockerfile: DockerfileNew
      network: host
    image: aesm
    user: aesmd
    devices:
      - /dev/isgx
    environment:
      - http_proxy
      - https_proxy
    volumes:
      - aesmd-socket:/var/run/aesmd
    stdin_open: true
    tty: true

volumes:
  aesmd-socket:
    driver: local
    driver_opts:
      type: "tmpfs"
      device: "tmpfs"
      o: "rw"

When I run this using docker-compose -f mydockercomposefile.yaml up --remove-orphans, I immediately get a segmentation fault from the container, and nothing else.

But! Here comes the interesting part... When I use these commands, the container works fine:

docker build --target aesm \
             --build-arg https_proxy=$https_proxy \
             --build-arg http_proxy=$http_proxy \
             -t sgx_aesm -f ./DockerfileNew .

docker volume create --driver local \
                     --opt type=tmpfs \
                     --opt device=tmpfs \
                     --opt o=rw aesmd-socket

docker run --env http_proxy \
           --env https_proxy \
           --device=/dev/isgx \
           -v /dev/log:/dev/log \
           -v aesmd-socket:/var/run/aesmd \
           -it sgx_aesm

It really drives me crazy. Can someone help?

Matt
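As an added diagnostic that is not part of the original post: when the same image behaves differently under docker-compose and docker run, a quick way to see what actually differs is to reduce `docker inspect` output for each container to the user, devices and bind mounts it was started with and compare them. The inspect documents below are hand-constructed to mirror the two launch paths in the post (the field layout `Config.User`, `HostConfig.Devices`, `HostConfig.Binds` is assumed from the usual inspect format); the only difference they report is the `/dev/log` bind that the compose file does not declare.

```python
import json

# Constructed docker inspect excerpts mirroring the two launch paths in the
# post: one container started via docker-compose, one via docker run.
# Hand-written samples, not real inspect output.
COMPOSE_INSPECT = json.dumps([{
    "Name": "/sgx_aesm_1",
    "Config": {"User": "aesmd", "Env": ["http_proxy=", "https_proxy="]},
    "HostConfig": {
        "Devices": [{"PathOnHost": "/dev/isgx", "PathInContainer": "/dev/isgx",
                     "CgroupPermissions": "rwm"}],
        "Binds": ["aesmd-socket:/var/run/aesmd:rw"],
    },
}])
RUN_INSPECT = json.dumps([{
    "Name": "/sgx_aesm",
    "Config": {"User": "aesmd", "Env": ["http_proxy=", "https_proxy="]},
    "HostConfig": {
        "Devices": [{"PathOnHost": "/dev/isgx", "PathInContainer": "/dev/isgx",
                     "CgroupPermissions": "rwm"}],
        "Binds": ["/dev/log:/dev/log", "aesmd-socket:/var/run/aesmd"],
    },
}])

def launch_profile(inspect_json):
    """Reduce one `docker inspect <container>` document to the fields that
    decide what the process can reach: user, devices and bind mounts."""
    c = json.loads(inspect_json)[0]
    host = c.get("HostConfig", {})
    devices = {d["PathInContainer"] for d in host.get("Devices", [])}
    # Normalise "src:dst[:opts]" to "src:dst" so rw/ro flags do not hide a match.
    binds = {":".join(b.split(":")[:2]) for b in host.get("Binds", [])}
    return {"user": c.get("Config", {}).get("User", ""),
            "devices": devices, "binds": binds}

def diff_profiles(a, b):
    """Report, per field, what the first container has that the second lacks
    and vice versa; an empty dict means the two launches are equivalent."""
    out = {}
    for key in ("devices", "binds"):
        only_a, only_b = a[key] - b[key], b[key] - a[key]
        if only_a or only_b:
            out[key] = {"only_in_first": sorted(only_a),
                        "only_in_second": sorted(only_b)}
    if a["user"] != b["user"]:
        out["user"] = (a["user"], b["user"])
    return out

if __name__ == "__main__":
    d = diff_profiles(launch_profile(COMPOSE_INSPECT), launch_profile(RUN_INSPECT))
    print(json.dumps(d, indent=2))
```

On a real host, feed `docker inspect <container>` output for each container into `launch_profile` instead of the constructed samples.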

0 Answers