containers can load a kernel to kexec

Bug #1034125 reported by Serge Hallyn
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
High
Stefan Bader
Precise
Fix Released
Undecided
Stefan Bader
Quantal
Fix Released
High
Stefan Bader
lxc (Ubuntu)
Invalid
High
Unassigned
Precise
Won't Fix
Undecided
Unassigned
Quantal
Won't Fix
High
Unassigned

Bug Description

Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a container to have.

A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused. However, it can do kexec -l do load a kernel for the next kexec -e. This means that it could race with an admin on the host doing 'kexec -l; kexec -e'. Exact command line used in the container (after
copying /boot/* from the host to /var/lib/lxc/q1/rootfs/boot/ ) :

sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic

Before this, kexec -e on the host gives:

Nothing has been loaded!

After this, it loads the new kernel.

There is a patch on lkml to prevent a task in non-init pid namespace (i.e. a container) from loading kexec kernels: https://lkml.org/lkml/2012/8/3/152. Please apply to precise and quantal.

After quantal, user namespaces will provide an alternative fix.

description: updated
Changed in lxc (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1034125

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: quantal
Revision history for this message
Stéphane Graber (stgraber) wrote :

Setting bot-stop-nagging. A patch was sent upstream and forwarded to the ubuntu kernel team.

Changed in linux (Ubuntu):
status: Incomplete → Triaged
tags: added: bot-stop-nagging
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-key
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
status: Triaged → Fix Committed
Changed in linux (Ubuntu Precise):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-9.9

---------------
linux (3.5.0-9.9) quantal-proposed; urgency=low

  [ Daniel P. Berrange ]

  * SAUCE: (drop after 3.6) Forbid invocation of kexec_load() outside
    initial PID namespace
    - LP: #1034125

  [ Douglas Bagnall ]

  * SAUCE: Unlock the rc_dev lock when the raw device is missing
    - LP: #1015836

  [ Ike Panhc ]

  * [Config] Enable EDAC/CLK for highbank
    - LP: #1008345

  [ Leann Ogasawara ]

  * Revert "ubuntu: AUFS -- reenable"

  [ Rob Herring ]

  * SAUCE: net: calxedaxgmac: add write barriers around setting owner bit
    - LP: #1008345
  * SAUCE: ARM smp_twd: add back "arm,smp-twd" compatible property
    - LP: #1008345
  * SAUCE: ARM: highbank: add soft power and reset key event handling
    - LP: #1008345
  * SAUCE: ARM: highbank: use writel_relaxed variant for pwr requests
    - LP: #1008345
  * SAUCE: ahci: un-staticize ahci_dev_classify
    - LP: #1008345
  * SAUCE: ahci_platform: add custom hard reset for Calxeda ahci ctrlr
    - LP: #1008345

  [ Upstream Kernel Changes ]

  * rt2x00: Add support for BUFFALO WLI-UC-GNM2 to rt2800usb.
    - LP: #871904
  * Avoid sysfs oops when an rc_dev's raw device is absent
    - LP: #1015836
  * eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
  * clk: add DT clock binding support
    - LP: #1008345
  * clk: add DT fixed-clock binding support
    - LP: #1008345
  * clk: add highbank clock support
  * edac: add support for Calxeda highbank memory controller
    - LP: #1008345
  * edac: add support for Calxeda highbank L2 cache ecc
    - LP: #1008345
  * net: calxedaxgmac: enable rx cut-thru mode
    - LP: #1008345
  * net: calxedaxgmac: fix hang on rx refill
    - LP: #1008345
  * eCryptfs: Revert to a writethrough cache model
    - LP: #1034012
  * eCryptfs: Initialize empty lower files when opening them
    - LP: #911507
  * eCryptfs: Unlink lower inode when ecryptfs_create() fails
    - LP: #872905
 -- Leann Ogasawara <email address hidden> Wed, 08 Aug 2012 08:39:42 -0700

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Quantal):
status: Triaged → Invalid
Changed in lxc (Ubuntu Precise):
status: New → Invalid
status: Invalid → Won't Fix
Changed in lxc (Ubuntu Quantal):
status: Invalid → Won't Fix
Revision history for this message
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Precise in -proposed solves the problem (3.2.0-30.47). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Verified, with 3.2.0-30.47 kexec -l in a container fails.

tags: added: verification-done verification-done-precise
removed: verification-needed-precise
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (13.6 KiB)

This bug was fixed in the package linux - 3.2.0-30.48

---------------
linux (3.2.0-30.48) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1041217

  [ Upstream Kernel Changes ]

  * mutex: Place lock in contended state after fastpath_lock failure
    - LP: #1041114

linux (3.2.0-30.47) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1036581

  [ Andy Whitcroft ]

  * add support for generating binary device trees and install them in
    /lib/firmware
    - LP: #1030600
  * [Config] add dtb_file configuration for highbank
    - LP: #1030600

  [ Chris Van Hoof ]

  * SAUCE: dell-laptop: additional rfkill blacklist Dell XPS 13
    - LP: #1030957
  * [Config] Add cifs support to the nfs-modules list
    - LP: #1031398

  [ Daniel P. Berrange ]

  * SAUCE: (drop after 3.6) Forbid invocation of kexec_load() outside
    initial PID namespace
    - LP: #1034125

  [ Dann Frazier ]

  * [Config] Compile the rtc-pl031 driver builtin on the highbank kernel
    flavour
    - LP: #1035110

  [ Douglas Bagnall ]

  * SAUCE: Unlock the rc_dev lock when the raw device is missing
    - LP: #1015836

  [ Rob Herring ]

  * SAUCE: ARM: highbank: add soft power and reset key event handling
    - LP: #1033853
  * SAUCE: ARM: highbank: use writel_relaxed variant for pwr requests
    - LP: #1033853
  * SAUCE: ahci: un-staticize ahci_dev_classify
    - LP: #1033853
  * SAUCE: ahci_platform: add custom hard reset for Calxeda ahci ctrlr
    - LP: #1033853

  [ Stefan Bader ]

  * (pre-stable) KVM: VMX: Set CPU_BASED_RDPMC_EXITING for nested
    - LP: #1031090

  [ Tim Gardner ]

  * [Config] updateconfigs

  [ Upstream Kernel Changes ]

  * ideapad: generate valid key event only
    - LP: #1029834
  * mm: reduce the amount of work done when updating min_free_kbytes
    - LP: #1032640
  * mm: compaction: allow compaction to isolate dirty pages
    - LP: #1032640
  * mm: compaction: determine if dirty pages can be migrated without
    blocking within ->migratepage
    - LP: #1032640
  * mm: page allocator: do not call direct reclaim for THP allocations
    while compaction is deferred
    - LP: #1032640
  * mm: compaction: make isolate_lru_page() filter-aware again
    - LP: #1032640
  * mm: compaction: introduce sync-light migration for use by compaction
    - LP: #1032640
  * mm: vmscan: when reclaiming for compaction, ensure there are sufficient
    free pages available
    - LP: #1032640
  * mm: vmscan: do not OOM if aborting reclaim to start compaction
    - LP: #1032640
  * mm: vmscan: check if reclaim should really abort even if
    compaction_ready() is true for one zone
    - LP: #1032640
  * vmscan: promote shared file mapped pages
    - LP: #1032640
  * vmscan: activate executable pages after first usage
    - LP: #1032640
  * mm/vmscan.c: consider swap space when deciding whether to continue
    reclaim
    - LP: #1032640
  * mm: test PageSwapBacked in lumpy reclaim
    - LP: #1032640
  * mm: vmscan: convert global reclaim to per-memcg LRU lists
    - LP: #1032640
  * cpuset: mm: reduce large amounts of memory barrier related damage v3
    - LP: #1032640
  * mm/hugetlb: fix warni...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.