
Alpine 3.14.0 - make: /bin/sh: Operation not permitted

"make" reports "/bin/sh: Operation not permitted".

To reproduce ...

$ docker run -ti --rm alpine:3.14.0
/ # cd
~ # apk add make
(1/1) Installing make (4.3-r0)
Executing busybox-1.33.1-r2.trigger
OK: 6 MiB in 15 packages
~ # echo -e "one:\n\tdate > one" > Makefile
~ # cat Makefile 
	date > one
~ # make
date > one
make: /bin/sh: Operation not permitted
make: *** [Makefile:2: one] Error 127
~ # 

This works with alpine 3.13.4 ...

$ docker run -ti --rm alpine:3.13.4
/ # cd
~ # apk add make
(1/1) Installing make (4.3-r0)
Executing busybox-1.32.1-r5.trigger
OK: 6 MiB in 15 packages
~ # echo -e "one:\n\tdate > one" > Makefile
~ # cat Makefile 
	date > one
~ # make
date > one
~ # 

As per Alpine 3.14.0 Release Notes,
the easiest way to fix this is to upgrade Docker to version 20.10.0 or later.

Looks like this was introduced in the last 15 days. The builds from 3 months ago seem to work

I encountered the same error as you when compiling nginx.

Then I switched to version alpine:3.12 、alpine:3.13,Found that both are OK!

RUN  \
                addgroup  -S www  &&  adduser www  -D -S -s /bin/sh -G www  \
                && wget -P /home/soft  \
                && wget -P /home/soft   \
                && wget -P /home/soft    \
                &&  cd /home/soft  && tar -zxf nginx-1.21.1.tar.gz  &&  tar  -zxf  v0.1.18.tar.gz   && tar  -zxf  pcre-8.44.tar.gz  \
                &&  cd /home/soft/nginx-1.21.1  \
                &&  ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module  --with-http_v2_module --with-http_gzip_static_module --with-stream --with-http_sub_module  --with-pcre=/home/soft/pcre-8.44   --add-module=/home/soft/nginx-module-vts-0.1.18  \
                &&  make && make install  \

The error is as follows:

make -f objs/Makefile
make: make: Operation not permitted
make: *** [Makefile:10: build] Error 127

Confirming that this is failing.

Docker 20.10.5
Compose 1.28.5


Related: docker-library/golang#378

Now for the fun part.

Docker 20.10.6 and 20.10.7 both work.

As release notes said update of docker required

Sure, but it also says:

Docker 20.10.0 (which contains moby commit a181391) or greater

Which is incorrect. Docker 20.10.5 is incompatible.

you cannot stop reading nine words in. AND is the very next word, in all caps. for those unfortunately living with dyslexia, i have now set the already all-caps AND in additional bold and italic font.

Suggest toning down the antagonism and the use of medical conditions as slurs @Hello71.

Looks like I failed to add I'm using the Docker for Mac solution. Ergo any attempt to validate the libseccomp version and compatibility of the host is destined for failure as far as I can tell for non-linux solutions. As point two notes, the existence of Docker for Mac or Windows as a solution is known, so surely there's a reasonable expectation that the version of Docker Desktop recommended would have been validated.

Cheers for the contribution to the release notes.

Suggest toning down the antagonism and the use of medical conditions as slurs @Hello71.

it is not i who started any "antagonism".

Docker 20.10.0 (which contains moby commit a181391) or greater

Which is incorrect. Docker 20.10.5 is incompatible.

i generously assumed that you accidentally misread the documentation instead of gratuitously insulting the release notes that i spent several hours writing and revising to be comprehensive and clear.

i suggest you spend 2.5 minutes (244 words times 100 wpm for "remedial students" on advanced material) reading it; in all likelihood, that is less time than you've spent cherry-picking fragments of it and unnecessarily downgrading and upgrading Docker.

with that in mind, you have apparently still not read the release notes, since you say:

As point two notes, the existence of Docker for Mac or Windows as a solution is known, so surely there's a reasonable expectation that the version of Docker Desktop recommended would have been validated.

it was validated; stop insulting my work. the Alpine Linux 3.14 release notes say:

if using Docker Desktop for Windows or Mac, this is part of Docker Desktop 3.3.0

when using Docker Desktop, you cannot cite only the Docker Engine version number. you also cannot stop reading fourteen words in and shrug "well i'm using docker desktop so wHy iSNt iT WorKInG". as explained in both the Alpine and Docker Desktop release notes, newer versions of Docker Desktop contain newer Docker Engine, but also newer runc:

Docker Desktop 3.2.1: Docker Engine 20.10.5
Docker Desktop 3.3.0: runc v1.0.0-rc93
Docker Desktop 3.3.2: Docker Engine 20.10.6

and here, we return to the Alpine Linux 3.14 release notes, which says that Docker Desktop 3.3.0 contains runc v1.0.0-rc93, which satisfies the faccessat2 requirement for Alpine Linux 3.14.

this was already pointed out to you at docker-library/golang#378 (quote in full, emphasis added):

Yep, as noted in docker-library/php#1177, this is something related to the containerization combined with newer musl. If you're not on the latest release of Docker, libseccomp, and runc, I'd suggest starting with an update to all of those.

if, after fully reading the Alpine release notes, anybody is still experiencing this issue, please post:

  1. docker version (not docker --version) and docker info. if you don't have access to the Docker host, then your provider name and relevant information (e.g. advertised VM configuration).
  2. if you are using Docker Desktop, then the Docker Desktop version
  3. full docker invocation, input (e.g. Dockerfile or stdin), and output

to avoid cluttering the issue, please use <details> element for big output, e.g.

i appreciate any information that can help improve the usability and reliability of Alpine Linux, and am willing to assist (for free!) in resolving issues. i do not appreciate wasting volunteer support time and propagating misinformation instead of spending two minutes to properly read the documentation. if you don't want to read the documentation, that's fine (although your loss), but don't subsequently go around complaining that nothing works properly and you have no idea why.

@Hello71 I run into this problem too. Here is my configuration to reproduce the issue.

As far as I can tell, my system meets the minimum requirements mentioned in the Alpine 3.14 release notes.

  1. Docker version >= 20.10.0
  2. runc >= 1.0.0-rc93
  3. libseccomp >= 2.4.4

The command scmp_sys_resolver faccessat2 returns 439 both on the host and within the container.

Docker version:
docker version
Client: Docker Engine - Community
 Version:           20.10.8
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        3967b7d
 Built:             Fri Jul 30 19:54:27 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
  Version:          20.10.8
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.6
  Git commit:       75249d8
  Built:            Fri Jul 30 19:52:33 2021
  OS/Arch:          linux/amd64
  Experimental:     true
  Version:          1.4.9
  GitCommit:        e25210fe30a0a703442421b0f60afac609f950a3
  Version:          1.0.1
  GitCommit:        v1.0.1-0-g4144b63
  Version:          0.19.0
  GitCommit:        de40ad0
Docker info:
docker info
 Context:    default
 Debug Mode: false
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

 Containers: 72
  Running: 3
  Paused: 0
  Stopped: 69
 Images: 226
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:
   Profile: default
 Kernel Version: 5.11.0-27-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 31.25GiB
 Name: pc
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
 Live Restore Enabled: false
FROM php:8.0.10-fpm-alpine3.14

RUN set -ex \
    && apk update \
    && apk add --no-cache --update $PHPIZE_DEPS imagemagick libgomp imagemagick-dev \
    && pecl install imagick-3.5.1 \
    && docker-php-ext-enable imagick
Docker build output:


#5 19.03 make: /bin/sh: Operation not permitted
#5 19.03 make: *** [Makefile:209: imagick_file.lo] Error 127
#5 19.05 ERROR: `make' failed
error: failed to solve: executor failed running [/bin/sh -c set -ex     && apk update     && apk add --no-cache --update $PHPIZE_DEPS imagemagick libgomp imagemagick-dev     && pecl install imagick-3.5.1     && 
docker-php-ext-enable imagick]: buildkit-runc did not terminate successfully

@mmachatschek thank you for providing the information. you're not using any sort of nested Docker/dind? it also seems that you've enabled buildkit somewhere. can you try overriding it with DOCKER_BUILDKIT=0 docker build -f Dockerfile .?

@Hello71 Executing docker build without buildkit didn't work for me so I reinstalled docker.
After reinstalling I was able to execute docker build issues.

Before reinstalling I turned of the experimental mode with the same result.

Now I installed docker with rootless mode and it started working with the 3.14 alpine release. The difference in the docker info output is that the apparmour security option is gone (I don't know if apparmour is not installed with rootless mode).

docker info output:
 Context:    default                                                                                                                                                                                               
 Debug Mode: false
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)
 Containers: 0              
  Running: 0     
  Paused: 0               
  Stopped: 0        
 Images: 4        
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs                       
  Supports d_type: true                                                                                  
  Native Overlay Diff: false
  userxattr: true                                                                                        
 Logging Driver: json-file
 Cgroup Driver: none     
 Cgroup Version: 1                                                                                       
  Volume: local       
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive   
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc            
 Init Binary: docker-init            
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:     
   Profile: default                                                                                      
 Kernel Version: 5.11.0-27-generic
 Operating System: Ubuntu 20.04.3 LTS 
 OSType: linux
 Architecture: x86_64
 CPUs: 6             
 Total Memory: 31.25GiB
 Name: pc        
 Docker Root Dir: /home/owner/.local/share/docker                                                                                                                                                                 
 Debug Mode: false                                                                                                                                                                                                 
 Experimental: false
 Insecure Registries:
 Live Restore Enabled: false
ncopa commented

I wonder if it would make more sense to ask docker community for help fixing this. The bug is in docker and libseccomp and is triggered by any use of faccess2(2) regardless of distro.

I suggest that we close this issue unless there are any specific ideas what we can do to fix it on the Alpine side.

Just on the off chance, someone has a similar situation like me: I also experienced this issue, when Docker (on linux) was latest version, and libseccomp and scmp_sys_resolver faccessat2 returned 439. In my case the issue was that I had a rogue very old runc in /usr/local/bin that was used instead of the correct one in /usr/bin. Once I deleted it, it started working.

On this note, the instructions on that wiki seem inaccurate, it's not "at least one of the following". runc had to be the correct version to work. Even with the up-to-date docker it failed with an older runc.

I use Alpine with version 3.15.4,also met this problem。But when I use docker desktop which docker version is 20.10.14,this problem is not reproduced。so,you can try this method。

Okay folks, Docker 24.0.2, runc 1.1.7, libseccomp 2.5.4 ... so this should pass, right?

Alpine images: 3.17, 3.18

Except, it doesn't: doas throws up with "doas: Operation not permitted". And yes, the syscall is there. How to deal with this?