Issue Description
I'm using Podman to run Nextcloud AIO, which manages its containers through the Docker-compatible socket API. One of the containers it manages, Collabora, is started with a custom seccomp profile. As the error below shows, that profile is default-deny (`defaultAction: SCMP_ACT_ERRNO`) and explicitly allows `unshare`, `mount`, `setns`, `clone`, `chroot` and `umount2` on top of the usual allow-list; the intent is to grant Collabora only the syscalls it needs rather than broader privileges, and to make it runnable rootless. However, when Nextcloud attempts to create the container through the socket, the following error is returned:
2025-11-29T20:46:37Z Message: Could not create container nextcloud-aio-collabora: {"cause":"file name too long","message":"container create: opening seccomp profile failed: open {\n \"defaultAction\": \"SCMP_ACT_ERRNO\",\n \"defaultErrnoRet\": 1,\n \"archMap\": [\n {\n \"architecture\": \"SCMP_ARCH_X86_64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_X86\",\n \"SCMP_ARCH_X32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_AARCH64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_ARM\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPS64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPS\",\n \"SCMP_ARCH_MIPS64N32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPS64N32\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPS\",\n \"SCMP_ARCH_MIPS64\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPSEL64\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPSEL\",\n \"SCMP_ARCH_MIPSEL64N32\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_MIPSEL64N32\",\n \"subArchitectures\": [\n \"SCMP_ARCH_MIPSEL\",\n \"SCMP_ARCH_MIPSEL64\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_S390X\",\n \"subArchitectures\": [\n \"SCMP_ARCH_S390\"\n ]\n },\n {\n \"architecture\": \"SCMP_ARCH_RISCV64\",\n \"subArchitectures\": null\n }\n ],\n \"syscalls\": [\n {\n \"names\": [\n \"unshare\",\n \"mount\",\n \"setns\",\n \"clone\",\n \"chroot\",\n \"umount2\"\n ],\n \"action\": \"SCMP_ACT_ALLOW\"\n },\n {\n \"names\": [\n \"accept\",\n \"accept4\",\n \"access\",\n \"adjtimex\",\n \"alarm\",\n \"bind\",\n \"brk\",\n \"cachestat\",\n \"capget\",\n \"capset\",\n \"chdir\",\n \"chmod\",\n \"chown\",\n \"chown32\",\n \"clock_adjtime\",\n \"clock_adjtime64\",\n \"clock_getres\",\n \"clock_getres_time64\",\n \"clock_gettime\",\n \"clock_gettime64\",\n \"clock_nanosleep\",\n \"clock_nanosleep_time64\",\n \"close\",\n \"close_range\",\n \"connect\",\n \"copy_file_range\",\n \"creat\",\n \"dup\",\n \"dup2\",\n \"dup3\",\n \"epoll_create\",\n \"epoll_create1\",\n \"epoll_ctl\",\n \"epoll_ctl_old\",\n \"epoll_pwait\",\n 
\"epoll_pwait2\",\n \"epoll_wait\",\n \"epoll_wait_old\",\n \"eventfd\",\n \"eventfd2\",\n \"execve\",\n \"execveat\",\n \"exit\",\n \"exit_group\",\n \"faccessat\",\n \"faccessat2\",\n \"fadvise64\",\n \"fadvise64_64\",\n \"fallocate\",\n \"fanotify_mark\",\n \"fchdir\",\n \"fchmod\",\n \"fchmodat\",\n \"fchmodat2\",\n \"fchown\",\n \"fchown32\",\n \"fchownat\",\n \"fcntl\",\n \"fcntl64\",\n \"fdatasync\",\n \"fgetxattr\",\n \"flistxattr\",\n \"flock\",\n \"fork\",\n \"fremovexattr\",\n \"fsetxattr\",\n \"fstat\",\n \"fstat64\",\n \"fstatat64\",\n \"fstatfs\",\n \"fstatfs64\",\n \"fsync\",\n \"ftruncate\",\n \"ftruncate64\",\n \"futex\",\n \"futex_requeue\",\n \"futex_time64\",\n \"futex_wait\",\n \"futex_waitv\",\n \"futex_wake\",\n \"futimesat\",\n \"getcpu\",\n \"getcwd\",\n \"getdents\",\n \"getdents64\",\n \"getegid\",\n \"getegid32\",\n \"geteuid\",\n \"geteuid32\",\n \"getgid\",\n \"getgid32\",\n \"getgroups\",\n \"getgroups32\",\n \"getitimer\",\n \"getpeername\",\n \"getpgid\",\n \"getpgrp\",\n \"getpid\",\n \"getppid\",\n \"getpriority\",\n \"getrandom\",\n \"getresgid\",\n \"getresgid32\",\n \"getresuid\",\n \"getresuid32\",\n \"getrlimit\",\n \"get_robust_list\",\n \"getrusage\",\n \"getsid\",\n \"getsockname\",\n \"getsockopt\",\n \"get_thread_area\",\n \"gettid\",\n \"gettimeofday\",\n \"getuid\",\n \"getuid32\",\n \"getxattr\",\n \"inotify_add_watch\",\n \"inotify_init\",\n \"inotify_init1\",\n \"inotify_rm_watch\",\n \"io_cancel\",\n \"ioctl\",\n \"io_destroy\",\n \"io_getevents\",\n \"io_pgetevents\",\n \"io_pgetevents_time64\",\n \"ioprio_get\",\n \"ioprio_set\",\n \"io_setup\",\n \"io_submit\",\n \"ipc\",\n \"kill\",\n \"landlock_add_rule\",\n \"landlock_create_ruleset\",\n \"landlock_restrict_self\",\n \"lchown\",\n \"lchown32\",\n \"lgetxattr\",\n \"link\",\n \"linkat\",\n \"listen\",\n \"listxattr\",\n \"llistxattr\",\n \"_llseek\",\n \"lremovexattr\",\n \"lseek\",\n \"lsetxattr\",\n \"lstat\",\n \"lstat64\",\n \"madvise\",\n 
\"map_shadow_stack\",\n \"membarrier\",\n \"memfd_create\",\n \"memfd_secret\",\n \"mincore\",\n \"mkdir\",\n \"mkdirat\",\n \"mknod\",\n \"mknodat\",\n \"mlock\",\n \"mlock2\",\n \"mlockall\",\n \"mmap\",\n \"mmap2\",\n \"mprotect\",\n \"mq_getsetattr\",\n \"mq_notify\",\n \"mq_open\",\n \"mq_timedreceive\",\n \"mq_timedreceive_time64\",\n \"mq_timedsend\",\n \"mq_timedsend_time64\",\n \"mq_unlink\",\n \"mremap\",\n \"msgctl\",\n \"msgget\",\n \"msgrcv\",\n \"msgsnd\",\n \"msync\",\n \"munlock\",\n \"munlockall\",\n \"munmap\",\n \"name_to_handle_at\",\n \"nanosleep\",\n \"newfstatat\",\n \"_newselect\",\n \"open\",\n \"openat\",\n \"openat2\",\n \"pause\",\n \"pidfd_open\",\n \"pidfd_send_signal\",\n \"pipe\",\n \"pipe2\",\n \"pkey_alloc\",\n \"pkey_free\",\n \"pkey_mprotect\",\n \"poll\",\n \"ppoll\",\n \"ppoll_time64\",\n \"prctl\",\n \"pread64\",\n \"preadv\",\n \"preadv2\",\n \"prlimit64\",\n \"process_mrelease\",\n \"pselect6\",\n \"pselect6_time64\",\n \"pwrite64\",\n \"pwritev\",\n \"pwritev2\",\n \"read\",\n \"readahead\",\n \"readlink\",\n \"readlinkat\",\n \"readv\",\n \"recv\",\n \"recvfrom\",\n \"recvmmsg\",\n \"recvmmsg_time64\",\n \"recvmsg\",\n \"remap_file_pages\",\n \"removexattr\",\n \"rename\",\n \"renameat\",\n \"renameat2\",\n \"restart_syscall\",\n \"rmdir\",\n \"rseq\",\n \"rt_sigaction\",\n \"rt_sigpending\",\n \"rt_sigprocmask\",\n \"rt_sigqueueinfo\",\n \"rt_sigreturn\",\n \"rt_sigsuspend\",\n \"rt_sigtimedwait\",\n \"rt_sigtimedwait_time64\",\n \"rt_tgsigqueueinfo\",\n \"sched_getaffinity\",\n \"sched_getattr\",\n \"sched_getparam\",\n \"sched_get_priority_max\",\n \"sched_get_priority_min\",\n \"sched_getscheduler\",\n \"sched_rr_get_interval\",\n \"sched_rr_get_interval_time64\",\n \"sched_setaffinity\",\n \"sched_setattr\",\n \"sched_setparam\",\n \"sched_setscheduler\",\n \"sched_yield\",\n \"seccomp\",\n \"select\",\n \"semctl\",\n \"semget\",\n \"semop\",\n \"semtimedop\",\n \"semtimedop_time64\",\n \"send\",\n \"sendfile\",\n 
\"sendfile64\",\n ...
This does not happen in Docker. From what upstream has stated (nextcloud/all-in-one#3487 (reply in thread)), the whole seccomp profile is passed inline in the request body (Docker's API accepts `seccomp=<json>` in `HostConfig.SecurityOpt`). The error text above is telling: the string after `open ` is the profile JSON itself, and `file name too long` is the kernel's ENAMETOOLONG for a path longer than PATH_MAX. So it looks like Podman is handing the `seccomp=` value straight to `open()` as a file path instead of recognising it as inline JSON, rather than creating a temp file; I have not confirmed this in the Podman source.
Steps to reproduce the issue
Create a container (with access to the Podman socket) that creates another container via the Docker-compatible API, passing the seccomp profile's JSON contents inline in the request (`seccomp=<json>` in `HostConfig.SecurityOpt`) rather than as a path to a file on the host. The "file name too long" in the error appears to refer to the path given to `open()` (the inline JSON), not to the container name, so a long container name is probably not required, but I have not isolated a minimal reproducer beyond the AIO setup.
Describe the results you received
Container creation fails with `file name too long` (ENAMETOOLONG) from `open()` while Podman tries to open the seccomp profile. The container is not created at all, so at least the failure is closed: nothing runs with a weaker profile than the one requested.
Describe the results you expected
No error: the container is created with the inline seccomp profile applied as supplied, as it is under Docker (and not silently created with the default profile instead).
podman info output
host:
arch: amd64
buildahVersion: 1.33.7
cgroupControllers:
- cpu
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon_2.1.10+ds1-1build2_amd64
path: /usr/bin/conmon
version: 'conmon version 2.1.10, commit: unknown'
cpuUtilization:
idlePercent: 69.63
systemPercent: 7.81
userPercent: 22.57
cpus: 4
databaseBackend: sqlite
distribution:
codename: noble
distribution: ubuntu
version: "24.04"
eventLogger: journald
freeLocks: 2030
hostname: ubuntu-8gb-hel1-3
idMappings:
gidmap:
- container_id: 0
host_id: 1009
size: 1
- container_id: 1
host_id: 689824
size: 65536
uidmap:
- container_id: 0
host_id: 1009
size: 1
- container_id: 1
host_id: 689824
size: 65536
kernel: 6.8.0-87-generic
linkmode: dynamic
logDriver: journald
memFree: 369807360
memTotal: 8127750144
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns_1.4.0-5_amd64
path: /usr/lib/podman/aardvark-dns
version: aardvark-dns 1.4.0
package: netavark_1.4.0-4_amd64
path: /usr/lib/podman/netavark
version: netavark 1.4.0
ociRuntime:
name: crun
package: crun_1.14.1-1_amd64
path: /usr/bin/crun
version: |-
crun version 1.14.1
commit: de537a7965bfbe9992e2cfae0baeb56a08128171
rundir: /run/user/1009/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt_0.0~git20240220.1e6f92b-1_amd64
version: |
pasta unknown version
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/user/1009/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns_1.2.1-1build2_amd64
version: |-
slirp4netns version 1.2.1
commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.5
swapFree: 320032768
swapTotal: 2147479552
uptime: 870h 45m 1.00s (Approximately 36.25 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries: {}
store:
configFile: /home/nextcloud/.config/containers/storage.conf
containerStore:
number: 10
paused: 0
running: 8
stopped: 2
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/nextcloud/.local/share/containers/storage
graphRootAllocated: 80307429376
graphRootUsed: 45855158272
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 11
runRoot: /run/user/1009/containers
transientStore: false
volumePath: /home/nextcloud/.local/share/containers/storage/volumes
version:
APIVersion: 4.9.3
Built: 0
BuiltTime: Thu Jan 1 00:00:00 1970
GitCommit: ""
GoVersion: go1.22.2
Os: linux
OsArch: linux/amd64
Version: 4.9.3
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
This is running on Ubuntu 24.04 on Hetzner cloud, using the distribution's Podman package (4.9.3, per `podman info` above), so this is not the latest upstream release.
Additional information
Per the error text, the "file name too long" is raised by `open()` on the profile contents themselves, so this likely does not depend on the container name. I'm not exactly sure what goes on under the hood when an inline seccomp profile is passed over the socket, i.e. whether Podman's compat API is expected to accept the profile as JSON or only as a file path.