Windrose broken after AMP 2.7.2.2 + Docker update — possible AF_ALG / seccomp issue?
OS Name/Version: Debian 12 (Bookworm), x86_64
Product Name/Version: AMP 2.7.2.2 Deimos, built 29/04/2026 19:49
Problem Description:
After updating to AMP 2.7.2.2 my Windrose Docker instance stopped working. Existing instance fails on start, and a fresh instance also fails during update.
Existing instance error:
Starting AMP version 2.7.2.2 (Deimos), built 29/04/2026 19:49
Running in a Docker environment.
Loaded GenericModule version 2.7.2.2
Loaded steamcmdplugin
Starting the application.
Merging config file ./windrose/4129620/R5/ServerDescription.json
wine: socket : Function not implemented
Slow response: Core.Start took 30077ms to complete.
Fresh instance error during update:
Fatal Error: Steamcmd needs to be online to update.
Please confirm your network connection and try again.
Note: manual SteamCMD works fine from the same instance outside of AMP’s start/update path:
/home/amp/.ampdata/instances/Windrose01/windrose/steamcmd.sh +login anonymous +quit
Loading Steam API...OK
Connecting anonymously to Steam Public...OK
Waiting for client config...OK
Waiting for user info...OK
Unloading Steam API...OK
Steps to reproduce:
- Update AMP to 2.7.2.2 Deimos on a host running Docker 29.4.2
- Start an existing Windrose Docker instance
- Observe "wine: socket : Function not implemented" and instance fails to start
Actions taken to resolve so far:
- Tried switching between Wine 9, Wine 10, and Wine 11 ampbase images — same error on all
- Tried creating a fresh Windrose instance — fails during update with SteamCMD network error
- Confirmed manual SteamCMD works fine as the amp user outside of AMP
- Tested socket behaviour inside the container:
AF_INET TCP — OK
AF_UNIX — OK
AF_ALG — FAILED: [Errno 1] Operation not permitted
- Tested same AF_ALG socket with --security-opt seccomp=unconfined — succeeds:
AF_ALG OK with unconfined
This suggests Docker’s seccomp profile is blocking AF_ALG (kernel crypto socket, family 38) inside AMP-managed containers, and Wine is hitting that block on startup.
Docker security options on the container:
SecurityOpt=null CapAdd=null Privileged=false NetworkMode=host
Docker daemon seccomp info:
[name=apparmor name=seccomp,profile=builtin name=cgroupns]
No custom seccomp profile is in use — Docker is using its compiled-in builtin profile. Docker 29.4.2 was also updated around the same time as AMP 2.7.2.2, so this may be a collision between Docker tightening its builtin seccomp profile around AF_ALG and Wine in the ampbase image now calling AF_ALG on startup.
I’m not certain whether the root cause is on the Docker side, the ampbase Wine image side, or something changed in AMP 2.7.2.2 itself — flagging here in case others are hitting the same thing.
Is there a way to pass custom Docker security options (e.g. --security-opt) to AMP-managed containers on a per-instance basis as a workaround? And is this something being looked at on the ampbase image side?
Happy to provide any additional output or logs.
—————————————-EDIT & FIX————————————
Docker 29.4.2 SteamCMD / AMP CreateBoundSocket Fix
Disclaimer: I am not responsible if this breaks your server, Docker setup, AMP install, containers, game saves, network config, or anything else. This is just what fixed the issue on my Debian 12 AMP host. Read the commands first, make backups, and use at your own risk.
Problem
After updating Docker to 29.4.2, SteamCMD inside CubeCoders AMP Docker containers started failing with errors like:
CreateBoundSocket: failed to create socket, error [no name available] (38)
In AMP, this caused SteamCMD updates/installs to fail. Example affected flow:
Loading Steam API...CreateBoundSocket: failed to create socket, error [no name available] (38)
OK
force_install_dir "4129620"
Connecting anonymously to Steam Public...Retrying...
CreateBoundSocket: failed to create socket, error [no name available] (38)
Retrying...
This happened with AMP installed system-wide, but game instances running inside Docker containers such as:
AMP_Windrose01 cubecoders/ampbase:wine-9-stable
Host / Environment
This was tested on:
Debian 12
Docker Engine 29.4.2
CubeCoders AMP
AMP game instance using cubecoders/ampbase:wine-9-stable
Kernel: 6.1.0-44-amd64
Before the fix, Docker showed the default built-in seccomp profile:
docker info | grep -A5 "Security Options"
Output:
Security Options:
apparmor
seccomp
Profile: builtin
What fixed it
The workaround was to use a custom Docker seccomp profile based on Docker/Moby’s default profile, but with two targeted changes:
- Allow AF_ALG sockets.
- Allow the old 32-bit socketcall syscall path.
This keeps seccomp enabled. It is not the same as running containers with:
seccomp=unconfined
After the fix, Docker showed:
Security Options:
apparmor
seccomp
Profile: /etc/docker/seccomp/default-plus-afalg.json
cgroupns
Docker also prints this warning:
WARNING: daemon is not using the default seccomp profile
That warning is expected because a custom profile is being used.
Step 1 — Back up existing Docker daemon config
sudo mkdir -p /root/docker-seccomp-backup
sudo cp -a /etc/docker/daemon.json \
/root/docker-seccomp-backup/daemon.json.backup.$(date +%F-%H%M%S) \
2>/dev/null || true
Step 2 — Create seccomp profile directory
sudo mkdir -p /etc/docker/seccomp
Step 3 — Download Docker/Moby default seccomp profile
sudo curl -fsSL \
https://raw.githubusercontent.com/moby/profiles/main/seccomp/default.json \
-o /etc/docker/seccomp/default-plus-afalg.json
Verify it downloaded:
ls -lh /etc/docker/seccomp/default-plus-afalg.json
Step 4 — Add AF_ALG socket allow rule
AF_ALG is socket family number 38.
sudo python3 - <<'PY'
import json
from pathlib import Path

path = Path("/etc/docker/seccomp/default-plus-afalg.json")
with path.open("r") as f:
    profile = json.load(f)

# Allow socket() only when argument 0 (the address family) equals 38 (AF_ALG).
rule = {
    "names": ["socket"],
    "action": "SCMP_ACT_ALLOW",
    "args": [
        {
            "index": 0,
            "value": 38,
            "op": "SCMP_CMP_EQ"
        }
    ]
}

syscalls = profile["syscalls"]

# Skip the insert if an identical AF_ALG allow rule is already present.
already = False
for entry in syscalls:
    if entry.get("names") == ["socket"] and entry.get("action") == "SCMP_ACT_ALLOW":
        for arg in entry.get("args", []):
            if arg.get("index") == 0 and arg.get("value") == 38 and arg.get("op") == "SCMP_CMP_EQ":
                already = True

if not already:
    # Insert ahead of the first existing socket-only rule, or at the top if there is none.
    insert_at = 0
    for i, entry in enumerate(syscalls):
        if entry.get("names") == ["socket"]:
            insert_at = i
            break
    syscalls.insert(insert_at, rule)

with path.open("w") as f:
    json.dump(profile, f, indent=2)

print("Done. AF_ALG socket allow rule is present.")
PY
Validate JSON:
python3 -m json.tool /etc/docker/seccomp/default-plus-afalg.json >/dev/null && echo "JSON OK"
Expected:
JSON OK
Step 5 — Allow old 32-bit socketcall
This was the missing part for the AMP/Wine/SteamCMD container in my case.
SteamCMD was still failing even after AF_ALG tested OK inside the container. The reason appears to be that some older/32-bit SteamCMD/Wine code paths can still hit socketcall, and Docker’s seccomp profile was returning errno 38.
Back up the profile first:
sudo cp -a /etc/docker/seccomp/default-plus-afalg.json \
/root/docker-seccomp-backup/default-plus-afalg.before-socketcall.$(date +%F-%H%M%S).json
Patch the socketcall rule:
sudo python3 - <<'PY'
import json
from pathlib import Path

path = Path("/etc/docker/seccomp/default-plus-afalg.json")
with path.open("r") as f:
    profile = json.load(f)

# Turn any socketcall-only rule into an allow rule limited to the x86 arch.
changed = False
for entry in profile["syscalls"]:
    if entry.get("names") == ["socketcall"]:
        entry["action"] = "SCMP_ACT_ALLOW"
        entry.pop("errnoRet", None)
        entry["includes"] = {"arches": ["x86"]}
        changed = True

# No socketcall-only rule found: add one.
if not changed:
    profile["syscalls"].insert(0, {
        "names": ["socketcall"],
        "action": "SCMP_ACT_ALLOW",
        "includes": {"arches": ["x86"]}
    })

with path.open("w") as f:
    json.dump(profile, f, indent=2)

print("Done. socketcall is now allowed for 32-bit x86 processes.")
PY
Validate JSON again:
python3 -m json.tool /etc/docker/seccomp/default-plus-afalg.json >/dev/null && echo "JSON OK"
Step 6 — Configure Docker to use the custom profile
This edits /etc/docker/daemon.json without wiping other existing settings.
sudo python3 - <<'PY'
import json
from pathlib import Path

path = Path("/etc/docker/daemon.json")

# Load the existing daemon config if there is one, so other settings survive.
if path.exists() and path.stat().st_size > 0:
    with path.open("r") as f:
        data = json.load(f)
else:
    data = {}

data["seccomp-profile"] = "/etc/docker/seccomp/default-plus-afalg.json"

with path.open("w") as f:
    json.dump(data, f, indent=2)

print(json.dumps(data, indent=2))
PY
Validate Docker daemon config JSON:
python3 -m json.tool /etc/docker/daemon.json
Expected to contain:
{
  "seccomp-profile": "/etc/docker/seccomp/default-plus-afalg.json"
}
If your daemon config already had other settings, those should still be present too.
Step 7 — Restart Docker
Stop AMP/game instances first if possible.
sudo systemctl restart docker
Check Docker came back:
sudo systemctl status docker --no-pager
Confirm the custom seccomp profile is loaded:
docker info | grep -A5 "Security Options"
Expected:
Security Options:
apparmor
seccomp
Profile: /etc/docker/seccomp/default-plus-afalg.json
cgroupns
Again, this warning is expected:
WARNING: daemon is not using the default seccomp profile
Step 8 — Recreate the affected AMP game container
This part mattered.
Existing AMP containers may not pick up the changed Docker seccomp profile until the container wrapper is recreated.
List containers:
docker ps -a --format 'table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}'
Example:
CONTAINER ID NAMES IMAGE STATUS
aff398977831 AMP_Windrose01 cubecoders/ampbase:wine-9-stable Up 12 seconds
Stop the affected instance in AMP first.
Then remove only the Docker container wrapper:
docker rm AMP_Windrose01
Replace AMP_Windrose01 with your actual AMP container name.
Do not delete the AMP instance itself.
Start the instance again from AMP. AMP should recreate the container using the new Docker daemon seccomp profile.
Step 9 — Verify seccomp and AF_ALG inside the AMP container
Check seccomp is still enabled:
docker exec AMP_Windrose01 grep Seccomp /proc/self/status
Expected:
Seccomp: 2
Seccomp_filters: 1
Check AF_ALG socket creation:
docker exec -i AMP_Windrose01 python3 - <<'PY'
import socket

# 38 is the AF_ALG address family; creating the socket is enough to test the seccomp rule.
try:
    s = socket.socket(38, socket.SOCK_SEQPACKET, 0)
    print("AF_ALG socket OK")
    s.close()
except Exception as e:
    print("AF_ALG socket FAILED:", repr(e))
PY
Expected:
AF_ALG socket OK
Check Docker is using the custom profile:
docker info | grep -A5 "Security Options"
Expected:
Security Options:
apparmor
seccomp
Profile: /etc/docker/seccomp/default-plus-afalg.json
cgroupns
Result after fix
After applying the profile and recreating the AMP container, SteamCMD worked again.
Successful AMP update log:
Loading Steam API...OK
force_install_dir "4129620"
Connecting anonymously to Steam Public...OK
Waiting for client config...OK
Waiting for user info...OK
@sSteamCmdForcePlatformType windows
"@sSteamCmdForcePlatformType" = "windows"
app_update 4129620 validate
Update state (0x5) verifying install, progress: 48.09 (1462470440 / 3041100240)
Update state (0x5) verifying install, progress: 96.87 (2945959199 / 3041100240)
Update state (0x0) unknown, progress: 0.00 (0 / 0)
Success! App '4129620' fully installed.
quit
Unloading Steam API...OK
It also successfully installed Steam app 1007:
app_update 1007 validate
Success! App '1007' fully installed.
Rollback / Undo
If Docker releases a fixed version and you want to go back to Docker’s built-in seccomp profile, remove the custom profile entry from /etc/docker/daemon.json.
sudo python3 - <<'PY'
import json
from pathlib import Path

path = Path("/etc/docker/daemon.json")
if not path.exists():
    raise SystemExit("No /etc/docker/daemon.json exists.")

with path.open("r") as f:
    data = json.load(f)

# Drop only the custom seccomp entry; leave every other setting in place.
data.pop("seccomp-profile", None)

with path.open("w") as f:
    json.dump(data, f, indent=2)

print(json.dumps(data, indent=2))
PY
Validate JSON:
python3 -m json.tool /etc/docker/daemon.json
Restart Docker:
sudo systemctl restart docker
Confirm Docker is back to the built-in profile:
docker info | grep -A5 "Security Options"
Expected:
Security Options:
apparmor
seccomp
Profile: builtin
You may also need to recreate any AMP containers again after reverting so they pick up the built-in profile.
Notes
- This is safer than seccomp=unconfined because seccomp remains enabled.
- The custom profile is based on Docker/Moby’s default profile.
- The two important changes were:
  - Allow AF_ALG socket family 38.
  - Allow socketcall for 32-bit x86 processes.
- This fixed SteamCMD inside cubecoders/ampbase:wine-9-stable for me.
- Existing containers may need to be recreated after changing Docker’s daemon-level seccomp profile.
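
An added example, not part of the original post: a small audit that lists exactly which rules a patched seccomp profile adds or removes relative to the pristine download, so the two intended changes from Steps 4 and 5 can be confirmed before Docker is restarted. The function names and the miniature profiles are constructed for illustration (they are not Docker's real default.json); a socketcall allow always shows as unconditional because seccomp cannot inspect the socket family behind socketcall's pointer argument.

```python
import json

def _key(rule):
    # Canonical form so key order and whitespace do not register as changes.
    return json.dumps(rule, sort_keys=True)

def diff_profiles(baseline, custom):
    """Return (added, removed) syscall rules of custom relative to baseline."""
    base = {_key(r) for r in baseline.get("syscalls", [])}
    cust = {_key(r) for r in custom.get("syscalls", [])}
    added = [json.loads(k) for k in sorted(cust - base)]
    removed = [json.loads(k) for k in sorted(base - cust)]
    return added, removed

def describe(rule):
    """One line per rule: action, syscalls, and whether arguments narrow it."""
    scope = "arg-filtered" if rule.get("args") else "unconditional"
    arches = rule.get("includes", {}).get("arches")
    suffix = f" arches={arches}" if arches else ""
    return f'{rule["action"]} {",".join(rule["names"])} ({scope}){suffix}'

def audit(baseline, custom):
    """Human-readable list of every difference between the two profiles."""
    added, removed = diff_profiles(baseline, custom)
    report = [f"+ {describe(r)}" for r in added]
    report += [f"- {describe(r)}" for r in removed]
    old, new = baseline.get("defaultAction"), custom.get("defaultAction")
    if old != new:
        report.append(f"! defaultAction {old} -> {new}")
    return report

# Constructed miniature baseline, standing in for the downloaded default profile.
BASELINE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_NE"}]},
        {"names": ["socketcall"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},
    ],
}
# Constructed copy with the post's two changes applied.
CUSTOM = json.loads(json.dumps(BASELINE))
CUSTOM["syscalls"].insert(1, {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
    "args": [{"index": 0, "value": 38, "op": "SCMP_CMP_EQ"}]})
CUSTOM["syscalls"][3] = {"names": ["socketcall"], "action": "SCMP_ACT_ALLOW",
    "includes": {"arches": ["x86"]}}

if __name__ == "__main__":
    print("\n".join(audit(BASELINE, CUSTOM)))
```

To use it on real files, pass audit() the json.load() results of an untouched copy of the downloaded profile and of the patched file; any line beyond the two expected additions and the replaced socketcall rule is a change that was not intended.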