There's also a competing fix from Eric Biederman, and neither has gotten picked up yet afaict. So I think it's probably best to wait for the dust to settle and see which one actually ends up in Linus's tree. Once that happens I'll make sure we pick it up.
** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: linux (Ubuntu)
   Assignee: (unassigned) => Seth Forshee (sforshee)

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1357588

Title:
  3.13.0-24 broke nested unprivileged LXC

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:

    access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
    mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
    mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)

  The user visible error looks like:

    lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
    lxc-start 1408142401.327 DEBUG    lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
    lxc-start 1408142401.327 ERROR    lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'

  Followed by a complete failure to start the container.

  As far as I can tell, LXC isn't doing anything particularly wrong there and this should succeed.

  Serge suggested we attempt to pass MS_NODEV to the remount call but that didn't help either.

  There are good chances the following upstream patch fixes this:
  http://lkml.org/lkml/2014/8/13/746
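As an added diagnostic (not code from the bug report, from LXC, or from either kernel patch), the C program below repeats the strace sequence above inside a fresh user and mount namespace, once exactly as lxc issued it and once with the flags already on the bind mount (read back with statvfs) repeated on the remount, and reports which variant the running kernel refuses with EPERM. It assumes a kernel that permits unprivileged user namespaces; the default paths /dev/null and /dev/zero are stand-ins for /dev/console and the lxc target and can be replaced on the command line, and whether repeating the existing flags is what a fixed kernel expects is not stated in the report, so the program only shows both outcomes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <sys/wait.h>
#include <unistd.h>

/* statvfs() f_flag bits paired with the MS_* flag a remount has to repeat. */
static const struct { unsigned long st, ms; } flag_map[] = {
    {ST_RDONLY, MS_RDONLY}, {ST_NOSUID, MS_NOSUID}, {ST_NODEV, MS_NODEV},
    {ST_NOEXEC, MS_NOEXEC}, {ST_NOATIME, MS_NOATIME},
    {ST_NODIRATIME, MS_NODIRATIME}, {ST_RELATIME, MS_RELATIME}};
unsigned long ms_flags_from_statvfs(unsigned long f_flag) {
    unsigned long ms = 0;
    for (size_t i = 0; i < sizeof flag_map / sizeof *flag_map; i++)
        if (f_flag & flag_map[i].st) ms |= flag_map[i].ms;
    return ms;
}

/* The lxc sequence from the strace (bind, then MS_REMOUNT|MS_BIND), run by a
 * child that first enters a fresh user+mount namespace. With carry != 0 the
 * remount repeats the bind mount's flags. Returns 0 on success, else errno. */
int try_bind_remount(const char *src, const char *dst, int carry) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        struct statvfs sv;
        unsigned long extra = 0;
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(errno);
        if (mount(src, dst, NULL, MS_BIND, NULL) != 0) _exit(errno);
        if (carry && statvfs(dst, &sv) == 0) extra = ms_flags_from_statvfs(sv.f_flag);
        if (mount(src, dst, NULL, MS_REMOUNT | MS_BIND | extra, NULL) != 0) _exit(errno);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(int argc, char **argv) {
    /* Both paths must exist; the bug used /dev/console and a file under lxc/dev. */
    const char *src = argc > 2 ? argv[1] : "/dev/null";
    const char *dst = argc > 2 ? argv[2] : "/dev/zero";
    int plain = try_bind_remount(src, dst, 0), kept = try_bind_remount(src, dst, 1);
    printf("remount-bind alone: %s\nremount-bind repeating existing flags: %s\n",
           plain ? strerror(plain) : "ok", kept ? strerror(kept) : "ok");
    return 0;
}
```

Run it as an unprivileged user; if the first line reports "Operation not permitted" you are on a kernel with the behaviour this bug describes, and the second line tells you whether that kernel accepts a remount that keeps the existing flags.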