kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #75774
[Bug 1357588] [NEW] 3.13.0-24 broke nested unprivileged LXC
Public bug reported:
The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
The user visible error looks like:
lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
lxc-start 1408142401.327 DEBUG lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
lxc-start 1408142401.327 ERROR lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
Followed by a complete failure to start the container.
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULaccess("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
L) = -1 EPERM (Operation not permitted)
As far as I can tell, LXC isn't doing anything particularly wrong there
and this should succeed. Serge suggested we attempt to pass MS_NODEV to
the remount call but that didn't help either.
There are good chances the following upstream patch fixes this:
http://lkml.org/lkml/2014/8/13/746
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Incomplete
** Tags: bot-stop-nagging regression-update
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1357588
Title:
3.13.0-24 broke nested unprivileged LXC
Status in “linux” package in Ubuntu:
Incomplete
Bug description:
The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
The user visible error looks like:
lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
lxc-start 1408142401.327 DEBUG lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
lxc-start 1408142401.327 ERROR lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
Followed by a complete failure to start the container.
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULaccess("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
L) = -1 EPERM (Operation not permitted)
As far as I can tell, LXC isn't doing anything particularly wrong
there and this should succeed. Serge suggested we attempt to pass
MS_NODEV to the remount call but that didn't help either.
There are good chances the following upstream patch fixes this:
http://lkml.org/lkml/2014/8/13/746
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357588/+subscriptions
Follow ups
References