| 2016-04-15 14:41:53 |
Seth Forshee |
bug |
|
|
added bug |
| 2016-04-15 14:42:03 |
Seth Forshee |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-04-15 14:42:03 |
Seth Forshee |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2016-04-15 14:44:26 |
Seth Forshee |
bug |
|
|
added subscriber Tycho Andersen |
| 2016-04-15 14:51:07 |
Seth Forshee |
description |
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. In fact we can revert part of the cgroupfs changes to make this happen if we push this behavior into kernfs. |
SRU Justification:
Impact: Stateful lxd container snapshotting fails due to a failure to mount the container's sysfs in the host's user namespace. This is a regression.
Fix: Force kernfs to use a new super block for mounts in different user namespaces.
Test Case: "lxc snapshot --statefull <container>" fails in the current xenial kernel without the fix. It succeeds with the fix applied.
---
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. In fact we can revert part of the cgroupfs changes to make this happen if we push this behavior into kernfs. |
|
| 2016-04-15 14:53:53 |
Seth Forshee |
description |
SRU Justification:
Impact: Stateful lxd container snapshotting fails due to a failure to mount the container's sysfs in the host's user namespace. This is a regression.
Fix: Force kernfs to use a new super block for mounts in different user namespaces.
Test Case: "lxc snapshot --statefull <container>" fails in the current xenial kernel without the fix. It succeeds with the fix applied.
---
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. In fact we can revert part of the cgroupfs changes to make this happen if we push this behavior into kernfs. |
SRU Justification:
Impact: Stateful lxd container snapshotting fails due to a failure to mount the container's sysfs in the host's user namespace. This is a regression.
Fix: Force kernfs to use a new super block for mounts in different user namespaces.
Test Case: "lxc snapshot --stateful <container>" fails in the current xenial kernel without the fix. It succeeds with the fix applied.
---
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. In fact we can revert part of the cgroupfs changes to make this happen if we push this behavior into kernfs. |
|
| 2016-04-15 15:16:27 |
Seth Forshee |
description |
SRU Justification:
Impact: Stateful lxd container snapshotting fails due to a failure to mount the container's sysfs in the host's user namespace. This is a regression.
Fix: Force kernfs to use a new super block for mounts in different user namespaces.
Test Case: "lxc snapshot --stateful <container>" fails in the current xenial kernel without the fix. It succeeds with the fix applied.
---
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. In fact we can revert part of the cgroupfs changes to make this happen if we push this behavior into kernfs. |
SRU Justification:
Impact: Stateful lxd container snapshotting fails due to a failure to mount the container's sysfs in the host's user namespace. This is a regression.
Fix: Force kernfs to use a new super block for mounts in different user namespaces.
Test Case: "lxc snapshot --stateful <container>" fails in the current xenial kernel without the fix. It succeeds with the fix applied.
---
During a stateful lxd snapshot criu tries to mount sysfs for the container's network namespace from a different user namespace. This fails in xenial because sget() won't allow mounting the same super block in different user namespaces.
With sysfs there's no reason that this needs to use the same super block, so kernfs can be updated so that a super block with the same ns tag but in a different userns is not matched. The only other kernfs-based filesystem mountable from non-init user namespaces is cgroupfs, and it's already forcing kernfs to return different super blocks to avoid similar problems. |
|
| 2016-04-15 20:22:26 |
Tim Gardner |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-04-19 18:39:47 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-04-19 18:39:47 |
Launchpad Janitor |
cve linked |
|
2016-2847 |
|
