jLuger.de - Another fix for libseccomp2 and Alpine 3.13 on Raspberry OS 10

For some months now the latest Alpine Docker image has had no network access on my Raspberry Pi. It turned out not to be a network problem but a time problem; see https://gitlab.alpinelinux.org/alpine/aports/-/issues/12091. Fortunately the release notes contain a workaround, see https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.13.0. In short, the solution is to download the default seccomp profile, modify it, and pass it as an argument to the run command. Unfortunately the build command won't take a seccomp profile as an argument. Someone provided a solution for this, but it requires importing packages from testing into stable, which I didn't like. So here is another fix.
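To make "modify the default seccomp profile" concrete, here is an added example that is not from the original post and not Alpine's or Docker's own tooling. It loads a profile in Docker's seccomp JSON format, adds a list of syscall names to the unconditional allow rule, and refuses to touch a profile whose default action is not the deny-by-default SCMP_ACT_ERRNO, so the edit only widens the allow list and never changes the default. The sample profile embedded below is a constructed, cut-down stand-in for Docker's real default.json, and the syscall list in TIME64_SYSCALLS is an assumption on my part (the 64-bit-time syscalls musl uses on 32-bit ARM); check it against the release notes linked above before using it.

```python
import copy
import json

# Constructed, minimal stand-in for Docker's default seccomp profile. The real
# file is far longer, but the shape is the same: a deny-by-default action and
# a list of rules, each allowing a set of syscall names, optionally only when
# a capability is present.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "archMap": [
        {"architecture": "SCMP_ARCH_ARM", "subArchitectures": ["SCMP_ARCH_AARCH64"]}
    ],
    "syscalls": [
        {
            "names": ["clock_gettime", "clock_nanosleep", "futex", "read", "write"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "",
            "includes": {},
            "excludes": {},
        },
        {
            "names": ["reboot"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "",
            "includes": {"caps": ["CAP_SYS_BOOT"]},
            "excludes": {},
        },
    ],
}

# Assumption: the 64-bit-time syscalls a musl 1.2 based Alpine uses on 32-bit
# ARM. An old libseccomp does not know these names, so they are missing from
# the profile's allow list and the filter rejects them. Verify against the
# Alpine release notes for your version.
TIME64_SYSCALLS = [
    "clock_gettime64",
    "clock_getres_time64",
    "clock_nanosleep_time64",
    "futex_time64",
    "pselect6_time64",
    "ppoll_time64",
    "rt_sigtimedwait_time64",
    "utimensat_time64",
]


def unconditional_allow_rule(profile):
    """Return the first SCMP_ACT_ALLOW rule that has no arg or capability conditions."""
    for rule in profile["syscalls"]:
        if (rule.get("action") == "SCMP_ACT_ALLOW"
                and not rule.get("args")
                and not rule.get("includes")
                and not rule.get("excludes")):
            return rule
    raise ValueError("profile has no unconditional SCMP_ACT_ALLOW rule")


def allowed_syscalls(profile):
    """Set of syscall names allowed by any rule, for checking what is still missing."""
    names = set()
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def patch_profile(profile, extra_syscalls=TIME64_SYSCALLS):
    """Return (patched_copy, names_added). Only the unconditional allow rule is
    widened; the default action and every conditional rule stay as they were."""
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        # Refuse to edit a profile that is not the deny-by-default one we expect.
        raise ValueError(f"unexpected defaultAction {profile.get('defaultAction')!r}")
    patched = copy.deepcopy(profile)
    rule = unconditional_allow_rule(patched)
    present = set(rule["names"])
    added = [name for name in extra_syscalls if name not in present]
    rule["names"] = sorted(present | set(added))
    return patched, added


def patch_file(src_path, dst_path):
    """Read a downloaded default.json, write the widened profile, return names added."""
    with open(src_path) as f:
        profile = json.load(f)
    patched, added = patch_profile(profile)
    with open(dst_path, "w") as f:
        json.dump(patched, f, indent=2)
    return added


if __name__ == "__main__":
    patched, added = patch_profile(SAMPLE_PROFILE)
    print("added to allow list:", added)
    print("CAP_SYS_BOOT-only rule unchanged:", patched["syscalls"][1]["names"])
```

Run patch_file("default.json", "default.json") on the profile downloaded per the release notes and hand the result to docker run with --security-opt seccomp=default.json; running it a second time adds nothing, which is a quick way to confirm the profile already contains the names.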

The big picture is to use Docker in Docker to get newer user-space tools. Please note that Docker in Docker requires a privileged container, which has most of Docker's security features disabled. So don't do anything in a privileged container that you wouldn't do as root on your Raspberry Pi directly.

First I started a registry to get the build image out of the container:
docker run -d -p 127.0.0.1:5000:5000 --name registry registry
Please note the "-p 127.0.0.1:5000:5000": binding the published port to the loopback address makes port 5000 reachable only from the Raspberry Pi itself and not from everyone on the same network.

To start the container:
docker run -ti --security-opt seccomp=default.json --privileged=true -v /home/pi/workdir:/workdir --network="host" alpine sh
The "--security-opt seccomp=default.json" argument provides the modified seccomp profile. "--privileged=true" is required for Docker in Docker and creates the privileged container. "--network="host"" is needed so that the container can reach ports on the Raspberry Pi, in this case the registry on port 5000.

Then install Docker inside the container:
apk add docker

Start the Docker daemon in the background:
dockerd > /root/docker.log 2> /root/docker.err &

Build the image (this is up to you, so no code here).

Move the generated image to the registry. Because the container uses the host network and the registry is bound to the loopback address, it is reachable as localhost:5000:
docker image tag my_image localhost:5000/my_image
docker push localhost:5000/my_image

On the Raspberry Pi:
docker pull localhost:5000/my_image
docker image tag localhost:5000/my_image:latest my_image:latest

Now you can stop the registry container.