Public bug reported:

The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:

  access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)

The user visible error looks like:

  lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
  lxc-start 1408142401.327 DEBUG lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
  lxc-start 1408142401.327 ERROR lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'

Followed by a complete failure to start the container.

As far as I can tell, LXC isn't doing anything particularly wrong there and this should succeed.

Serge suggested we attempt to pass MS_NODEV to the remount call but that didn't help either.

There are good chances the following upstream patch fixes this:
http://lkml.org/lkml/2014/8/13/746

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Tags: bot-stop-nagging regression-update

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1357588

Title:
  3.13.0-24 broke nested unprivileged LXC

Status in “linux” package in Ubuntu:
  Incomplete
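A small probe for the failing sequence, added here and not part of the bug report or of LXC: it replays the bind mount followed by MS_REMOUNT|MS_BIND from the strace above inside a fresh unprivileged user and mount namespace and reports whether the second call comes back with EPERM, so a kernel can be checked for this regression without starting a nested container. The probed directory (/tmp) and the result codes are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (this example's own): -1 = no unprivileged user namespace here,
 * 0 = remount allowed, 1 = EPERM as in the report, 2 = some other failure. */
enum { PROBE_NO_USERNS = -1, PROBE_OK = 0, PROBE_EPERM = 1, PROBE_OTHER = 2 };

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    int ok = fd >= 0 && write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}

/* Child: map our uid/gid to 0 in a new user namespace with a private mount
 * namespace, then replay the two mount() calls from the strace in the report. */
static int child_probe(const char *dir)
{
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return PROBE_NO_USERNS;
    if (write_file("/proc/self/setgroups", "deny") < 0 && errno != ENOENT) return PROBE_NO_USERNS;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if (write_file("/proc/self/uid_map", map) < 0) return PROBE_NO_USERNS;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
    if (write_file("/proc/self/gid_map", map) < 0) return PROBE_NO_USERNS;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return PROBE_OTHER;
    if (mount(dir, dir, NULL, MS_BIND, NULL) < 0) return PROBE_OTHER;           /* first call */
    if (mount(dir, dir, NULL, MS_REMOUNT | MS_BIND, NULL) == 0) return PROBE_OK; /* second call */
    return errno == EPERM ? PROBE_EPERM : PROBE_OTHER;
}

/* Forks so the caller's own namespaces stay untouched; returns a result code. */
int probe_bind_remount(const char *dir)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return PROBE_OTHER;
    if (pid == 0) _exit(child_probe(dir) & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_OTHER;
    return (signed char)WEXITSTATUS(status);
}
```

Run it as an ordinary user on the kernel under test: a result of 1 reproduces the EPERM from the report, 0 means the remount is accepted, and -1 means the kernel or sandbox does not let this user create a user namespace at all.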