| 2012-08-07 19:15:15 |
Serge Hallyn |
bug |
|
|
added bug |
| 2012-08-07 19:16:19 |
Serge Hallyn |
bug task added |
|
linux (Ubuntu) |
|
| 2012-08-07 19:18:09 |
Serge Hallyn |
description |
Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a container to have.
A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused. However, it can do kexec -l do load a kernel for the next kexec -e. This means that it could race with an admin on the host doing 'kexec -l; kexec -e'. Exact command line used in the container:
sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic
Before this, kexec -e on the host gives:
Nothing has been loaded!
After this, it loads the new kernel.
There is a patch on lkml to prevent a task in non-init pid namespace (i.e. a container) from loading kexec kernels: https://lkml.org/lkml/2012/8/3/152. Please apply to precise and quantal.
After quantal, user namespaces will provide an alternative fix. |
Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a container to have.
A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused. However, it can do kexec -l do load a kernel for the next kexec -e. This means that it could race with an admin on the host doing 'kexec -l; kexec -e'. Exact command line used in the container (after
copying /boot/* from the host to /var/lib/lxc/q1/rootfs/boot/ ) :
sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic
Before this, kexec -e on the host gives:
Nothing has been loaded!
After this, it loads the new kernel.
There is a patch on lkml to prevent a task in non-init pid namespace (i.e. a container) from loading kexec kernels: https://lkml.org/lkml/2012/8/3/152. Please apply to precise and quantal.
After quantal, user namespaces will provide an alternative fix. |
|
| 2012-08-07 19:18:17 |
Serge Hallyn |
lxc (Ubuntu): status |
New |
Triaged |
|
| 2012-08-07 19:18:21 |
Serge Hallyn |
lxc (Ubuntu): importance |
Undecided |
High |
|
| 2012-08-07 19:30:07 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
| 2012-08-07 19:30:09 |
Brad Figg |
tags |
|
quantal |
|
| 2012-08-07 19:37:58 |
Stéphane Graber |
linux (Ubuntu): status |
Incomplete |
Triaged |
|
| 2012-08-07 19:38:12 |
Stéphane Graber |
tags |
quantal |
bot-stop-nagging quantal |
|
| 2012-08-07 19:49:43 |
Joseph Salisbury |
linux (Ubuntu): importance |
Undecided |
High |
|
| 2012-08-07 19:50:01 |
Joseph Salisbury |
tags |
bot-stop-nagging quantal |
bot-stop-nagging kernel-key quantal |
|
| 2012-08-08 11:58:36 |
Tim Gardner |
linux (Ubuntu): status |
Triaged |
Fix Committed |
|
| 2012-08-08 11:58:36 |
Tim Gardner |
linux (Ubuntu): assignee |
|
Stefan Bader (stefan-bader-canonical) |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
nominated for series |
|
Ubuntu Precise |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
bug task added |
|
linux (Ubuntu Precise) |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
bug task added |
|
lxc (Ubuntu Precise) |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
nominated for series |
|
Ubuntu Quantal |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
bug task added |
|
linux (Ubuntu Quantal) |
|
| 2012-08-08 11:58:51 |
Tim Gardner |
bug task added |
|
lxc (Ubuntu Quantal) |
|
| 2012-08-08 11:59:13 |
Tim Gardner |
linux (Ubuntu Precise): status |
New |
Fix Committed |
|
| 2012-08-08 11:59:13 |
Tim Gardner |
linux (Ubuntu Precise): assignee |
|
Stefan Bader (stefan-bader-canonical) |
|
| 2012-08-10 00:06:09 |
Launchpad Janitor |
linux (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
| 2012-08-10 05:28:03 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/linux-lowlatency |
|
| 2012-08-16 18:07:25 |
Serge Hallyn |
lxc (Ubuntu Quantal): status |
Triaged |
Invalid |
|
| 2012-08-16 18:07:29 |
Serge Hallyn |
lxc (Ubuntu Precise): status |
New |
Invalid |
|
| 2012-08-16 18:07:37 |
Serge Hallyn |
lxc (Ubuntu Precise): status |
Invalid |
Won't Fix |
|
| 2012-08-16 18:07:41 |
Serge Hallyn |
lxc (Ubuntu Quantal): status |
Invalid |
Won't Fix |
|
| 2012-08-21 09:37:21 |
Luis Henriques |
tags |
bot-stop-nagging kernel-key quantal |
bot-stop-nagging kernel-key quantal verification-needed-precise |
|
| 2012-08-21 12:27:49 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-ti-omap4 |
|
| 2012-08-21 12:34:29 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-armadaxp |
|
| 2012-08-21 14:22:42 |
Serge Hallyn |
tags |
bot-stop-nagging kernel-key quantal verification-needed-precise |
bot-stop-nagging kernel-key quantal verification-done verification-done-precise |
|
| 2012-09-04 23:46:10 |
Launchpad Janitor |
linux (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
| 2012-11-14 21:30:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-lowlatency |
|
