Issue Description
I'm using Podman to run Nextcloud AIO, which uses the Docker Socket API to manage containers. One of the containers it manages, Collabora, supports using a seccomp profile to reduce the permissions necessary (and make it runnable in rootless). However, when Nextcloud attempts to create the container through the socket, the following error is returned:
2025-11-29T20:46:37Z Message: Could not create container nextcloud-aio-collabora: {"cause":"file name too long","message":"container create: opening seccomp profile failed: open {\n \"defaultAction\": \"SCMP_ACT_ERRNO\",\n \"defaultErrnoRet\": 1,\n \"archMap\": [\n {\n \"architecture\": \"SCMP_ARCH_X86_64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_X86\",\n \"SCMP_ARCH_X32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_AARCH64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_ARM\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPS64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPS\",\n \"SCMP_ARCH_MIPS64N32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPS64N32\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPS\",\n \"SCMP_ARCH_MIPS64\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPSEL64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPSEL\",\n \"SCMP_ARCH_MIPSEL64N32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPSEL64N32\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPSEL\",\n \"SCMP_ARCH_MIPSEL64\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_S390X\",\n \"subArchitectures\": [\n \"SCMP_ARCH_S390\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_RISCV64\",\n \"subArchitectures\": null\n }\n ],\n \"syscalls\": [\n {\n \"names\": [\n \"unshare\",\n \"mount\",\n \"setns\",\n \"clone\",\n \"chroot\",\n \"umount2\"\n ],\n \"action\": \"SCMP_ACT_ALLOW\"\n },\n {\n \"names\": [\n \"accept\",\n \"accept4\",\n \"access\",\n \"adjtimex\",\n \"alarm\",\n \"bind\",\n \"brk\",\n \"cachestat\",\n \"capget\",\n \"capset\",\n \"chdir\",\n \"chmod\",\n \"chown\",\n \"chown32\",\n \"clock_adjtime\",\n \"clock_adjtime64\",\n \"clock_getres\",\n \"clock_getres_time64\",\n \"clock_gettime\",\n \"clock_gettime64\",\n \"clock_nanosleep\",\n \"clock_nanosleep_time64\",\n \"close\",\n \"close_range\",\n \"connect\",\n \"copy_file_range\",\n \"creat\",\n \"dup\",\n \"dup2\",\n \"dup3\",\n \"epoll_create\",\n \"epoll_create1\",\n \"epoll_ctl\",\n \"epoll_ctl_old\",\n \"epoll_pwait\",\n 
This does not happen in Docker. From what upstream has stated (nextcloud/all-in-one#3487 (reply in thread)), the whole seccomp file contents are passed in the request body in the socket API, so perhaps Podman is creating some temp file and exceeding the maximum file length?
Steps to reproduce the issue
Create a container (with access to the Podman socket) that creates another container with a seccomp profile. Beyond that, I'm not sure, maybe the container itself has to have a long name?
Describe the results you received
An error when applying the seccomp profile that the file name is too long
Describe the results you expected
No error
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
This is running on Ubuntu 24.04 on Hetzner cloud
Additional information
This may require long container names? I'm not exactly sure what goes on under the hood when a seccomp profile is passed
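Added example, not code from the issue, Podman or Nextcloud AIO: the error body above shows Podman's Docker-compatible endpoint calling open() on the seccomp= value itself, so a client that holds the profile inline (as Docker allows) can spool it to a file the Podman host can read and pass that path in HostConfig.SecurityOpt instead. The helper names, the spool directory and the minimal sample profile are assumptions.

```python
"""Assumed client-side workaround, not Podman or Nextcloud AIO code: Podman's
Docker-compatible API opens the seccomp= value as a file path, while Docker
accepts the profile JSON inline. Spool inline profiles to a host-visible file."""
import hashlib
import json
import os
import tempfile
# Constructed minimal profile (the real Collabora profile is far longer than the 255-byte NAME_MAX).
EXAMPLE_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 1,
                   "archMap": [{"architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86"]}],
                   "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]}
# What a Docker-style client puts in HostConfig.SecurityOpt (constructed).
EXAMPLE_SECURITY_OPT = ["seccomp=" + json.dumps(EXAMPLE_PROFILE), "no-new-privileges"]

def is_inline_profile(value):
    """True when a seccomp= value is profile JSON rather than a keyword or a path."""
    if value in ("unconfined", "builtin") or value.startswith("/"):
        return False
    try:
        doc = json.loads(value)
    except ValueError:
        return False
    return isinstance(doc, dict) and "defaultAction" in doc

def materialize_profile(value, spool_dir):
    """Write the profile under a content-hash name: identical profiles share one
    file, the name stays well under NAME_MAX, and the final rename is atomic."""
    canonical = json.dumps(json.loads(value), sort_keys=True, separators=(",", ":"))
    path = os.path.join(spool_dir, "seccomp-%s.json" % hashlib.sha256(canonical.encode()).hexdigest())
    if not os.path.exists(path):
        with open(path + ".tmp", "w") as fh:
            fh.write(canonical)
        os.replace(path + ".tmp", path)  # Podman never sees a half-written profile
    return path

def normalize_security_opt(security_opt, spool_dir=None):
    """Rewrite inline seccomp= entries to seccomp=<path>; pass other options through."""
    spool_dir = spool_dir or tempfile.mkdtemp(prefix="seccomp-")
    out = []
    for opt in security_opt:
        key, sep, value = opt.partition("=")
        if key == "seccomp" and sep and is_inline_profile(value):
            value = materialize_profile(value, spool_dir)
        out.append(key + sep + value)
    return out

def is_inline_profile_path_error(api_error):
    """Recognize this report's failure in the compat API's JSON error body."""
    return api_error.get("cause") == "file name too long" and "opening seccomp profile failed" in api_error.get("message", "")
```

Podman resolves the path on the host, so when the client is itself a container (as Nextcloud AIO's is) the spool directory must be a bind mount and the value passed must be the host-side path, not the path inside the client container.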