"overlayfs" no longer exists
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-initramfs-tools | Fix Released | Medium | Scott Moser |
cloud-utils | Fix Released | Medium | Unassigned |
cloud-initramfs-tools (Ubuntu) | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Yakkety | Fix Released | Medium | Unassigned |
cloud-utils (Ubuntu) | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Chad Smith |

Bug Description
=== Begin SRU Template ===
[Impact]
The 16.10 kernel dropped a legacy kernel module alias that allowed usage of
the 'overlay' filesystem via name 'overlayfs'. This broke overlayroot as
it explicitly tried to use 'overlayfs' by name in loading of modules and
also in entry in /etc/fstab.
Without this fix, overlayroot will simply not work on any upstream kernel
or Ubuntu kernel of 16.10 (yakkety) or later.
[Test Case]
Note, not applying proposed as shown in step 3 below will recreate failure.
1.) Start an instance of a cloud image.
2.) get a suitable 4.8 kernel
On 16.10 or later, this is already done. On 16.04, we currently need to
install the kernel team's PPA to get one.
$ sudo apt-add-repository -y ppa:canonical-
$ sudo apt update -q && sudo apt install -y linux-virtual-
3.) Enable proposed and install overlayroot to show fix.
$ rel=$(lsb_release -sc)
$ echo "deb http://
$ sudo tee /etc/apt/
$ sudo apt update -qy && sudo apt install -qy overlayroot </dev/null
$ dpkg-query --show overlayroot
overlayroot 0.27ubuntu1.3
4.) Enable overlayroot and reboot
# remove the cloud-init written mount options for /dev/vdb
# if we do not do this, then /mnt ends up not mounted due to ordering.
$ sudo sed -i.dist s/,x-systemd.
$ echo "overlayroot=tmpfs" | sudo tee /etc/overlayroo
$ sudo reboot
5.) log back in and look around.
a.) check that 'overlayroot' is in /proc/mounts
$ awk '$1 == "overlayroot" { print $0 }' /proc/mounts
overlayroot / overlay rw,relatime,
b.) check /run/initramfs/
$ grep success /run/initramfs/
[success]: configured root with 'tmpfs' using overlay per /dev/vda1/
6.) try with recurse disabled
Assuming you're on the same system and in an overlayroot, to change the
file necessary, we use overlayroot-chroot.
$ echo overlayroot=
$ sudo reboot
7.) log back in and look around.
This time the /mnt should not have overlay on it.
$ grep vdb /proc/mounts
/dev/vdb /mnt ext4 rw,relatime,
$ grep overlay /proc/mounts
overlayroot / overlay rw,relatime,
$ cat /etc/overlayroo
overlayroot
[Regression Potential]
The most likely regression is just in failure for overlayroot to work.
That was the case 100% of the time on any kernel without 'overlayfs'
filesystem, so this can't really make things worse from that perspective.
Some of the code change was related to fixing another issue, with 'recurse'.
Testing recurse (where not just / is mounted as an overlayroot) is done
above
echo overlayroot=
[Other Info]
The full overlayroot/
specific change that fixed the issue is in revision 115 at [2].
Related bugs:
* bug 1630274 adjusted the mechanism for determining if overlay was supported.
The change to do so is included in the xenial backport for this bug.
[1] http://
[2] http://
=== End SRU Template ===
As mentioned in LP: #1411294, it's now called 'overlay' instead of 'overlayfs'.
Ubuntu had patched the kernel for compatibility.
The Ubuntu kernels as of 4.8 (16.10 kernel) and possibly a bit before no longer have an overlayfs module either. Thus, this is now affecting yakkety.
(The original reporter is @~gpo-9.)
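
An added example, not part of the bug report or of overlayroot's own code: one way to detect which overlay filesystem name a kernel registers, confirm the root mount type as in step 5 of the test case, and find fstab entries that still use the legacy name. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not overlayroot code.

# Print the overlay filesystem name registered in a /proc/filesystems-format
# file: prefer 'overlay', fall back to the legacy 'overlayfs' alias.
pick_overlay_fstype() {
    awk '$NF == "overlay"   { new = 1 }
         $NF == "overlayfs" { old = 1 }
         END { if (new) print "overlay"; else if (old) print "overlayfs"; else exit 1 }' "$1"
}

# Print the type of the filesystem mounted on / (last matching entry wins).
root_fstype() {
    awk '$2 == "/" { t = $3 } END { if (t == "") exit 1; print t }' "$1"
}

# Print non-comment fstab entries that still name the legacy 'overlayfs' type.
legacy_fstab_entries() {
    awk '$1 !~ /^#/ && $3 == "overlayfs"' "$1"
}

# Constructed sample inputs; on a real system pass /proc/filesystems,
# /proc/mounts and /etc/fstab instead.
d=$(mktemp -d)
printf 'nodev\tsysfs\nnodev\ttmpfs\n\text4\nnodev\toverlay\n' > "$d/fs-4.8"
printf 'nodev\ttmpfs\n\text4\nnodev\toverlayfs\n' > "$d/fs-legacy"
printf '\text4\nnodev\ttmpfs\n' > "$d/fs-none"
printf '%s\n' '/dev/vda1 /lower ext4 ro,relatime 0 0' \
    'overlayroot / overlay rw,relatime 0 0' \
    '/dev/vdb /mnt ext4 rw,relatime 0 0' > "$d/mounts"
printf '%s\n' '# constructed fstab' \
    'overlayroot / overlayfs lowerdir=/lower 0 0' \
    '/dev/vdb /mnt ext4 defaults 0 2' > "$d/fstab"

for f in fs-4.8 fs-legacy fs-none; do
    t=$(pick_overlay_fstype "$d/$f") || t="unsupported"
    echo "$f: $t"
done
echo "root is mounted as: $(root_fstype "$d/mounts")"
echo "fstab entries to update:"
legacy_fstab_entries "$d/fstab"
```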
Related branches
- Paride Legovini (community): Approve
- Robert C Jennings (community): Approve
- Scott Moser (community): Approve
- Andreas Hasenack: Pending requested
Diff: 404 lines (+376/-0)
4 files modified
debian/changelog (+11/-0)
debian/patches/lp-1493188-support-overlay-filesystem (+240/-0)
debian/patches/lp-1630274-mount-overlay-first (+123/-0)
debian/patches/series (+2/-0)
information type: | Public → Public Security |
Changed in cloud-initramfs-tools (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
summary: |
- overlayroot doesn't work with vanilla kernel + "overlayfs" no longer exists |
description: | updated |
Changed in cloud-initramfs-tools: | |
assignee: | nobody → Scott Moser (smoser) |
status: | Confirmed → In Progress |
Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in cloud-utils (Ubuntu Xenial): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in cloud-initramfs-tools: | |
status: | In Progress → Fix Committed |
Changed in cloud-initramfs-tools: | |
status: | Fix Committed → Fix Released |
Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
status: | Confirmed → In Progress |
description: | updated |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
description: | updated |
Changed in cloud-initramfs-tools (Ubuntu): | |
status: | Fix Released → Fix Committed |
assignee: | nobody → Chad Smith (chad.smith) |
status: | Fix Committed → Fix Released |
assignee: | Chad Smith (chad.smith) → nobody |
Changed in cloud-utils (Ubuntu Xenial): | |
assignee: | nobody → Chad Smith (chad.smith) |
status: | Confirmed → Fix Committed |
tags: |
added: verification-done verification-done-xenial removed: verification-needed verification-needed-xenial |
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.