Bug #1659417 “docker permission issues with overlay2 storage dri... : Bugs : linux package : Ubuntu

Seth Forshee (sforshee) on 2017-01-25

Changed in linux (Ubuntu):
status:	New → Fix Released
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Seth Forshee (sforshee)
importance:	Undecided → Medium
status:	New → In Progress

Seth Forshee (sforshee) on 2017-01-26

summary:

- docker gives "permission denied" errors with overlayfs in some scenarios
+ docker permission issues with overlay2 storage driver

Seth Forshee (sforshee) on 2017-01-26

description:

updated

Seth Forshee (sforshee) on 2017-02-02

description:

updated

Revision history for this message

Seth Forshee (sforshee) wrote on 2017-02-02:

#1

test.sh Edit (327 bytes, text/x-sh)

Attaching script to reproduce.

Thadeu Lima de Souza Cascardo (cascardo) on 2017-02-14

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2017-02-27:

#2

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-03-02:

#3

Download full text (14.5 KiB)

This bug was fixed in the package linux - 4.4.0-65.86

---------------
linux (4.4.0-65.86) xenial; urgency=low

* linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

* [0bda:0328] Card reader failed after S3 (LP: #1664809)
- usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

* ibmvscsis: Add SGL LIMIT (LP: #1662551)
- ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the ...

This bug was fixed in the package linux - 4.4.0-65.86

---------------
linux (4.4.0-65.86) xenial; urgency=low

* linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

[ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

* NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

* [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

* [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

* Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

* NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

* [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

* linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

* ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

* [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

* ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues

* Possible missing firmware /lib/firmware/i915/kbl_dmc_ver1.bin for module
    i915_bpo (LP: #1624164)
    - SAUCE: i915_bpo: Remove MODULE_FIRMWARE statement for i915/kbl_dmc_ver1.bin

*  Intel I210 ethernet does not work both after S3 (LP: #1662763)
    - igb: implement igb_ptp_suspend
    - igb: call igb_ptp_suspend during suspend/resume cycle

* [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

* brd module compiled as built-in (LP: #1593293)
    - [Config] CONFIG_BLK_DEV_RAM=m

* regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

* Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

* flock not mediated by 'k' (LP: #1658219)
    - SAUCE: apparmor: flock mediation is not being enforced on cache check

* unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

* apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

* tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

* apparmor_parser hangs indefinitely when called by multiple threads
    (LP: #1645037)
    - SAUCE: apparmor: fix lock ordering for mkdir

* apparmor leaking securityfs pin count (LP: #1660846)
    - SAUCE: apparmor: fix leak on securityfs pin count

* apparmor reference count leak when securityfs_setup_d_inode\ () fails
    (LP: #1660845)
    - SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode()
      fails

* apparmor not checking error if security_pin_fs() fails (LP: #1660842)
    - SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails

* apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

* apparmor  auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

* apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

* apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

* apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

* unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

* docker permission issues with overlay2 storage driver (LP: #1659417)
    - SAUCE: overlayfs: Replace ovl_prepare_creds() with ovl_override_creds()
    - Revert "UBUNTU: SAUCE: cred: Add clone_cred() interface"
    - ovl: check mounter creds on underlying lookup

* Enable CONFIG_NET_DROP_MONITOR=m in Ubuntu Kernel (LP: #1660634)
    - [Config] CONFIG_NET_DROP_MONITOR=m

* Xenial update to v4.4.48 stable release (LP: #1663657)
    - PCI/ASPM: Handle PCI-to-PCIe bridges as roots of PCIe hierarchies
    - ext4: validate s_first_meta_bg at mount time
    - drm/nouveau/disp/gt215: Fix HDA ELD handling (thus, HDMI audio) on gt215
    - drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
    - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
    - crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes
    - perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
    - ata: sata_mv:- Handle return value of devm_ioremap.
    - libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices
    - powerpc/eeh: Fix wrong flag passed to eeh_unfreeze_pe()
    - powerpc: Add missing error check to prom_find_boot_cpu()
    - NFSD: Fix a null reference case in find_or_create_lock_stateid()
    - svcrpc: fix oops in absence of krb5 module
    - zswap: disable changing params if init fails
    - cifs: initialize file_info_lock
    - mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone()
    - mm, fs: check for fatal signals in do_generic_file_read()
    - can: bcm: fix hrtimer/tasklet termination in bcm op removal
    - mmc: sdhci: Ignore unexpected CARD_INT interrupts
    - percpu-refcount: fix reference leak during percpu-atomic transition
    - HID: wacom: Fix poor prox handling in 'wacom_pl_irq'
    - KVM: x86: do not save guest-unsupported XSAVE state
    - USB: serial: qcserial: add Dell DW5570 QDL
    - USB: serial: pl2303: add ATEN device ID
    - USB: Add quirk for WORLDE easykey.25 MIDI keyboard
    - usb: gadget: f_fs: Assorted buffer overflow checks.
    - USB: serial: option: add device ID for HP lt2523 (Novatel E371)
    - x86/irq: Make irq activate operations symmetric
    - base/memory, hotplug: fix a kernel oops in show_valid_zones()
    - Linux 4.4.48

* Xenial update to v4.4.47 stable release (LP: #1662507)
    - r8152: fix the sw rx checksum is unavailable
    - mlxsw: spectrum: Fix memory leak at skb reallocation
    - mlxsw: switchx2: Fix memory leak at skb reallocation
    - mlxsw: pci: Fix EQE structure definition
    - net: lwtunnel: Handle lwtunnel_fill_encap failure
    - net: ipv4: fix table id in getroute response
    - net: systemport: Decouple flow control from __bcm_sysport_tx_reclaim
    - tcp: fix tcp_fastopen unaligned access complaints on sparc
    - openvswitch: maintain correct checksum state in conntrack actions
    - ravb: do not use zero-length alignment DMA descriptor
    - ax25: Fix segfault after sock connection timeout
    - net: fix harmonize_features() vs NETIF_F_HIGHDMA
    - net: phy: bcm63xx: Utilize correct config_intr function
    - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
    - tcp: initialize max window for a new fastopen socket
    - bridge: netlink: call br_changelink() during br_dev_newlink()
    - r8152: don't execute runtime suspend if the tx is not empty
    - af_unix: move unix_mknod() out of bindlock
    - qmi_wwan/cdc_ether: add device ID for HP lt2523 (Novatel E371) WWAN card
    - net: dsa: Bring back device detaching in dsa_slave_suspend()
    - Linux 4.4.47

* Xenial update to v4.4.46 stable release (LP: #1660994)
    - fbdev: color map copying bounds checking
    - tile/ptrace: Preserve previous registers for short regset write
    - drm: Fix broken VT switch with video=1366x768 option
    - mm/mempolicy.c: do not put mempolicy before using its nodemask
    - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
    - ISDN: eicon: silence misleading array-bounds warning
    - RDMA/cma: Fix unknown symbol when CONFIG_IPV6 is not enabled
    - s390/ptrace: Preserve previous registers for short regset write
    - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
    - can: ti_hecc: add missing prepare and unprepare of the clock
    - ARC: udelay: fix inline assembler by adding LP_COUNT to clobber list
    - ARC: [arcompact] handle unaligned access delay slot corner case
    - parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
    - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
    - NFSv4.0: always send mode in SETATTR after EXCLUSIVE4
    - SUNRPC: cleanup ida information when removing sunrpc module
    - drm/i915: Don't leak edid in intel_crt_detect_ddc()
    - IB/ipoib: move back IB LL address into the hard header
    - IB/umem: Release pid in error and ODP flow
    - s5k4ecgx: select CRC32 helper
    - pinctrl: broxton: Use correct PADCFGLOCK offset
    - platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
    - mm, memcg: do not retry precharge charges
    - Linux 4.4.46

* Xenial update to v4.4.45 stable release (LP: #1660993)
    - ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to
      it
    - IB/mlx5: Wait for all async command completions to complete
    - IB/mlx4: Set traffic class in AH
    - IB/mlx4: Fix out-of-range array index in destroy qp flow
    - IB/mlx4: Fix port query for 56Gb Ethernet links
    - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
    - IB/IPoIB: Remove can't use GFP_NOIO warning
    - perf scripting: Avoid leaking the scripting_context variable
    - ARM: dts: imx31: fix clock control module interrupts description
    - ARM: dts: imx31: move CCM device node to AIPS2 bus devices
    - ARM: dts: imx31: fix AVIC base address
    - tmpfs: clear S_ISGID when setting posix ACLs
    - x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
    - svcrpc: don't leak contexts on PROC_DESTROY
    - fuse: clear FR_PENDING flag when moving requests out of pending queue
    - PCI: Enumerate switches below PCI-to-PCIe bridges
    - HID: corsair: fix DMA buffers on stack
    - HID: corsair: fix control-transfer error handling
    - mmc: mxs-mmc: Fix additional cycles after transmission stop
    - ieee802154: atusb: do not use the stack for buffers to make them DMA able
    - mtd: nand: xway: disable module support
    - x86/ioapic: Restore IO-APIC irq_chip retrigger callback
    - qla2xxx: Fix crash due to null pointer access
    - ubifs: Fix journal replay wrt. xattr nodes
    - clocksource/exynos_mct: Clear interrupt when cpu is shut down
    - svcrdma: avoid duplicate dma unmapping during error recovery
    - ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
    - ceph: fix bad endianness handling in parse_reply_info_extra
    - ARM: dts: da850-evm: fix read access to SPI flash
    - arm64/ptrace: Preserve previous registers for short regset write
    - arm64/ptrace: Preserve previous registers for short regset write - 2
    - arm64/ptrace: Preserve previous registers for short regset write - 3
    - arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
    - arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
    - ARM: dts: imx6qdl-nitrogen6_max: fix sgtl5000 pinctrl init
    - ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
    - ARM: 8613/1: Fix the uaccess crash on PB11MPCore
    - blackfin: check devm_pinctrl_get() for errors
    - ite-cir: initialize use_demodulator before using it
    - dmaengine: pl330: Fix runtime PM support for terminated transfers
    - selftest/powerpc: Wrong PMC initialized in pmc56_overflow test
    - arm64: avoid returning from bad_mode
    - Linux 4.4.45

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Thu, 23 Feb 2017 12:37:21 -0300

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Revision history for this message

Seth Forshee (sforshee) wrote on 2017-03-09:

#4

Verified that the bug is fixed in 4.4.0-67.88.

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Ubuntu
linux package

docker permission issues with overlay2 storage driver

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Seth Forshee
	Xenial	Fix Released	Medium	Seth Forshee

Ubuntulinux package

docker permission issues with overlay2 storage driver

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package