please include the kernel module IPIP

Bug #1790605 reported by Oz123 on 2018-09-04
This bug affects 1 person
Affects              Status   Importance   Assigned to     Milestone
cloud-images                  Undecided    Unassigned
linux-kvm (Ubuntu)            Undecided    Kamal Mostafa
  Xenial                      Undecided    Unassigned
  Bionic                      Undecided    Unassigned

Bug Description

In order to run calico with ubuntu cloud image one needs the ipip kernel module, which is unfortunately not present.

$ grep IPIP /boot/config-4.4.0-1032-kvm
# CONFIG_NET_IPIP is not set
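The reporter's grep is a one-line check; the following added example (not code from the bug report or from the linux-kvm package) generalizes it into a small POSIX sh helper that classifies CONFIG_NET_IPIP as built-in, module, disabled or unknown, and distinguishes a config that explicitly says "is not set" from one where the option is absent. The sample config files are constructed inline.

```shell
#!/bin/sh
# Added example: classify CONFIG_NET_IPIP support from a kernel config file.
# States: "built-in" (=y), "module" (=m), "disabled" ("is not set"),
# "unknown" (option absent, e.g. a truncated or unrelated config file).
ipip_support() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    if grep -qx 'CONFIG_NET_IPIP=y' "$cfg"; then
        echo "built-in"; return 0
    elif grep -qx 'CONFIG_NET_IPIP=m' "$cfg"; then
        echo "module"; return 0
    elif grep -qx '# CONFIG_NET_IPIP is not set' "$cfg"; then
        echo "disabled"; return 1
    else
        echo "unknown"; return 2
    fi
}

# Same check against the running kernel, like the reporter's grep on /boot/config-*.
ipip_support_running() {
    ipip_support "/boot/config-$(uname -r)"
}

# Constructed sample configs (a few lines each; not real files from the bug).
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'CONFIG_NET_IPGRE=m' '# CONFIG_NET_IPIP is not set' > "$tmp/config-old-kvm"
printf '%s\n' 'CONFIG_NET_IPIP=y' > "$tmp/config-test-kvm"
printf '%s\n' 'CONFIG_NET_IPIP=m' > "$tmp/config-generic"
printf '%s\n' 'CONFIG_FOO=y' > "$tmp/config-unrelated"

# Run with --demo to print the classification of each constructed sample.
if [ "${1:-}" = "--demo" ]; then
    for f in "$tmp"/config-*; do
        printf '%s: %s\n' "$(basename "$f")" "$(ipip_support "$f")"
    done
fi
```

Note that a built-in option (=y, as in the test kernel offered below) never shows up in lsmod, so the config file, not the module list, is the reliable place to look.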

Robert C Jennings (rcj) wrote :

The linux-image-kvm package is a stripped down kernel present by default only in the minimal images[1]. I will mark this bug for the linux-kvm package so that the kernel team can consider your request to add the IPIP module. In the interim you can install 'linux-image-generic' (or linux-image-virtual, if it is present) to use the IPIP module.

[1] https://cloud-images.ubuntu.com/minimal/daily/xenial/current/xenial-minimal-cloudimg-amd64.manifest

Changed in cloud-images:
status: New → Won't Fix
Robert C Jennings (rcj) wrote :

I have marked this as "Won't Fix" for cloud-image not to discourage you; it just isn't something that is changed via that project. The 'linux-kvm' project has been added and that would be the avenue to discuss this change.

Oz123 (nahumoz) wrote :

I understand that this is not something that can be changed easily, and some discussion and consideration are needed.
I didn't know that linux-kvm is the correct place for that.

Changed in linux-kvm (Ubuntu):
assignee: nobody → Kamal Mostafa (kamalmostafa)
status: New → In Progress
Kamal Mostafa (kamalmostafa) wrote :

We will be happy to enable CONFIG_NET_IPIP in linux-kvm. Here's a linux-kvm test kernel with that enabled (built-in, not as a module). Please confirm that it enables your calico workflow:

http://kernel.ubuntu.com/~kamal/lp1790605/

Thanks, -Kamal

Oz123 (nahumoz) wrote :

Hi Kamal!
Thanks for the quick response. I have downloaded the packages from the link, but I can't get them to install:

# ls
linux-cloud-tools-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb linux-image-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb
linux-headers-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb linux-tools-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb
root@test:/home/ubuntu# dpkg -i *.deb
(Reading database ... 16090 files and directories currently installed.)
Preparing to unpack linux-cloud-tools-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb ...
Unpacking linux-cloud-tools-4.4.0-1034-kvm (4.4.0-1034.40~lp1790605.0) over (4.4.0-1034.40~lp1790605.0) ...
Selecting previously unselected package linux-headers-4.4.0-1034-kvm.
Preparing to unpack linux-headers-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb ...
Unpacking linux-headers-4.4.0-1034-kvm (4.4.0-1034.40~lp1790605.0) ...
Preparing to unpack linux-image-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
Done.
Unpacking linux-image-4.4.0-1034-kvm (4.4.0-1034.40~lp1790605.0) over (4.4.0-1034.40~lp1790605.0) ...
Examining /etc/kernel/postrm.d .
run-parts: executing /etc/kernel/postrm.d/initramfs-tools 4.4.0-1034-kvm /boot/vmlinuz-4.4.0-1034-kvm
run-parts: executing /etc/kernel/postrm.d/x-grub-legacy-ec2 4.4.0-1034-kvm /boot/vmlinuz-4.4.0-1034-kvm
run-parts: executing /etc/kernel/postrm.d/zz-update-grub 4.4.0-1034-kvm /boot/vmlinuz-4.4.0-1034-kvm
Selecting previously unselected package linux-tools-4.4.0-1034-kvm.
Preparing to unpack linux-tools-4.4.0-1034-kvm_4.4.0-1034.40~lp1790605.0_amd64.deb ...
Unpacking linux-tools-4.4.0-1034-kvm (4.4.0-1034.40~lp1790605.0) ...
dpkg: dependency problems prevent configuration of linux-cloud-tools-4.4.0-1034-kvm:
 linux-cloud-tools-4.4.0-1034-kvm depends on linux-kvm-cloud-tools-4.4.0-1034; however:
  Package linux-kvm-cloud-tools-4.4.0-1034 is not installed.

dpkg: error processing package linux-cloud-tools-4.4.0-1034-kvm (--install):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of linux-headers-4.4.0-1034-kvm:
 linux-headers-4.4.0-1034-kvm depends on linux-kvm-headers-4.4.0-1034; however:
  Package linux-kvm-headers-4.4.0-1034 is not installed.

Kamal Mostafa (kamalmostafa) wrote :

Oops, I should have provided explicit instructions, sorry... In fact, it *did* install the main kernel image package (linux-image-4.4.0-1034-kvm). The other packages aren't necessary (nor installable, as the dpkg errors indicate).

At this stage, you can run: sudo apt install -f ... apt will offer to clean up by removing those half-installed other packages (but should leave the new test kernel installed).

Oz123 (nahumoz) wrote :

Thanks for the quick response. I have now built an OpenStack image with this kernel:

ubuntu@node-3-9dettelsau:~$ grep IPIP /boot/config-4.4.0-1034-kvm
CONFIG_NET_IPIP=y
ubuntu@node-3-9dettelsau:~$ uname -r
4.4.0-1034-kvm
ubuntu@node-3-9dettelsau:~$

I can definitely confirm this solved my problem:

$ kubectl logs calico-node-89th5 -n kube-system calico-node
2018-09-04 20:25:15.042 [INFO][9] startup.go 251: Early log level set to info
2018-09-04 20:25:15.042 [INFO][9] startup.go 271: Using HOSTNAME environment (lowercase) for node name
2018-09-04 20:25:15.042 [INFO][9] startup.go 279: Determined node name: node-2-9dettelsau
2018-09-04 20:25:15.060 [INFO][9] startup.go 101: Skipping datastore connection test
2018-09-04 20:25:15.063 [INFO][9] startup.go 352: Building new node resource Name="node-2-9dettelsau"
2018-09-04 20:25:15.063 [INFO][9] startup.go 367: Initialize BGP data
2018-09-04 20:25:15.064 [INFO][9] startup.go 564: Using autodetected IPv4 address on interface ens3: 10.32.192.57/24
2018-09-04 20:25:15.064 [INFO][9] startup.go 432: Node IPv4 changed, will check for conflicts
2018-09-04 20:25:15.067 [INFO][9] startup.go 627: No AS number configured on node resource, using global value
2018-09-04 20:25:15.388 [INFO][9] startup.go 510: FELIX_IPV6SUPPORT is false through environment variable
...
2018-09-04 20:25:57.938 [INFO][78] health.go 150: Overall health summary=&health.HealthReport{Live:true, Ready:true}
2018-09-04 20:25:58.920 [INFO][78] int_dataplane.go 733: Applying dataplane updates
2018-09-04 20:25:58.920 [INFO][78] ipsets.go 222: Asked to resync with the dataplane on next update. family="inet"
2018-09-04 20:25:58.920 [INFO][78] ipsets.go 253: Resyncing ipsets with dataplane. family="inet"
2018-09-04 20:25:58.923 [INFO][78] ipsets.go 295: Finished resync family="inet" numInconsistenciesFound=0 resyncDuration=2.5291ms
2018-09-04 20:25:58.923 [INFO][78] int_dataplane.go 747: Finished applying updates to dataplane. msecToApply=3.040977
2018-09-04 20:26:02.876 [INFO][78] health.go 150: Overall health summary=&health.HealthReport{Live:true, Ready:true}

Thanks! Looking forward to seeing this in the next build.

Changed in linux-kvm (Ubuntu Xenial):
status: New → In Progress
Changed in linux-kvm (Ubuntu Bionic):
status: New → In Progress
Changed in linux-kvm (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Oz123 (nahumoz) wrote :

Question: how often do these images get built? When can I expect a new version in
https://cloud-images.ubuntu.com/minimal/releases/xenial/ ?

Robert C Jennings (rcj) wrote :

Oz123, release images are updated for kernel changes. The kernel track for this bug is in the 'Fix Committed' state which indicates that the kernel team has accepted a change into the kernel tree and they will be the kernel. You will need to wait for that to change to 'Fix Released' before a new kernel is available in the archive.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.4.0-1035.41

---------------
linux-kvm (4.4.0-1035.41) xenial; urgency=medium

  [ Ubuntu: 4.4.0-137.163 ]

  * CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation
  * CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux-kvm (4.4.0-1034.40) xenial; urgency=medium

  * linux-kvm: 4.4.0-1034.40 -proposed tracker (LP: #1791751)

  * Xenial update to 4.4.141 stable release (LP: #1790620)
    - [config] updateconfigs for master changes

  * please include the kernel module IPIP (LP: #1790605)
    - kvm: [config] enable CONFIG_NET_IPIP

  [ Ubuntu: 4.4.0-136.162 ]

  * linux: 4.4.0-136.162 -proposed tracker (LP: #1791745)
  * CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - Revert "UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()"
    - Revert "bpf: prevent speculative execution in eBPF interpreter"
  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563) // CVE-2018-3620 // CVE-2018-3646
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
  * CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
  * Xenial update to 4.4.144 stable release (LP: #1791080)
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
      parallel.
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: rawmidi: Change resized buffers atomically
    - ARC: Fix CONFIG_SWAP
    - ARC: mm: allow mprotect to make stack mappings executable
    - mm: memcg: fix use after free in mem_cgroup_iter()
    - ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
    - ipv6: fix useless rol32 call on hash
    - lib/rhashtable: consider param->min_size when setting initial table size
    - net/ipv4: Set oif in fib_compute_spec_dst
    - net: phy: fix flag masking in __set_phy_supported
    - ptp: fix missing break in switch
    - tg3: Add higher cpu clock for 5762.
    - net: Don't copy pfmemalloc flag in __copy_skb_header()
    - skbuff: Unconditionally copy pfmemalloc in __skb_clone()
    - xhci: Fix perceived dead host due to runtime suspend race with event handler
    - x86/paravirt: Make native_save_fl() extern inline
    - SAUCE: Add missing CPUID_7_EDX defines
    - SAUCE: x86/speculation: Expose indirect_branch_prediction_barrier()
    - x86/pti: Mark constant arrays as __initconst
    - x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs
    - x86/entry/64/compat: Clear registers for compat syscalls, to reduce
      speculation attack surface
    - x86/speculation: Clean up various Spectre related details
    - x86/speculation: Fix up array_index_nospec_mask() asm constraint
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/mm: Factor out LDT init from context init
    - x86/mm: Give each mm TLB flush generation a unique ID
    - SAUCE: x86/speculation: Use Indi...

Changed in linux-kvm (Ubuntu Xenial):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.15.0-1023.23

---------------
linux-kvm (4.15.0-1023.23) bionic; urgency=medium

  [ Ubuntu: 4.15.0-36.39 ]

  * CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation
  * CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux-kvm (4.15.0-1022.22) bionic; urgency=medium

  * linux-kvm: 4.15.0-1022.22 -proposed tracker (LP: #1791731)

  * [Regression] kernel crashdump fails on arm64 (LP: #1786878)
    - [Config] CONFIG_ARCH_SUPPORTS_ACPI=y

  * please include the kernel module IPIP (LP: #1790605)
    - kvm: [config] enable CONFIG_NET_IPIP

  [ Ubuntu: 4.15.0-35.38 ]

  * linux: 4.15.0-35.38 -proposed tracker (LP: #1791719)
  * device hotplug of vfio devices can lead to deadlock in vfio_pci_release
    (LP: #1792099)
    - SAUCE: vfio -- release device lock before userspace requests
  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563)
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
  * CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
  * CVE-2017-5715 (Spectre v2 s390x)
    - KVM: s390: implement CPU model only facilities
    - s390: detect etoken facility
    - KVM: s390: add etoken support for guests
    - s390/lib: use expoline for all bcr instructions
    - s390: fix br_r1_trampoline for machines without exrl
    - SAUCE: s390: use expoline thunks for all branches generated by the BPF JIT
  * Ubuntu18.04.1: cpuidle: powernv: Fix promotion from snooze if next state
    disabled (performance) (LP: #1790602)
    - cpuidle: powernv: Fix promotion from snooze if next state disabled
  * Watchdog CPU:19 Hard LOCKUP when kernel crash was triggered (LP: #1790636)
    - powerpc: hard disable irqs in smp_send_stop loop
    - powerpc: Fix deadlock with multiple calls to smp_send_stop
    - powerpc: smp_send_stop do not offline stopped CPUs
    - powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled
  * Security fix: check if IOMMU page is contained in the pinned physical page
    (LP: #1785675)
    - vfio/spapr: Use IOMMU pageshift rather than pagesize
    - KVM: PPC: Check if IOMMU page is contained in the pinned physical page
  * Missing Intel GPU pci-id's (LP: #1789924)
    - drm/i915/kbl: Add KBL GT2 sku
    - drm/i915/whl: Introducing Whiskey Lake platform
    - drm/i915/aml: Introducing Amber Lake platform
    - drm/i915/cfl: Add a new CFL PCI ID.
  * CVE-2018-15572
    - x86/speculation: Protect against userspace-userspace spectreRSB
  * Support Power Management for Thunderbolt Controller (LP: #1789358)
    - thunderbolt: Handle NULL boot ACL entries properly
    - thunderbolt: Notify userspace when boot_acl is changed
    - thunderbolt: Use 64-bit DMA mask if supported by the platform
    - thunderbolt: Do not unnecessarily call ICM get route
    - thunderbolt: No need to take tb->lock in domain suspend/complete
    - thunderbolt: Use correct ICM commands in system suspend
    - thunderb...

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.18.0-1002.2

---------------
linux-kvm (4.18.0-1002.2) cosmic; urgency=medium

  * linux-kvm: 4.18.0-1001.1 -proposed tracker (LP: #1795413)

  * Miscellaneous Ubuntu changes
    - kvm: [Config] CONFIG_HARDENED_USERCOPY=y
    - kvm: [Config] CONFIG_DEBUG_WX=y

 -- Seth Forshee <email address hidden> Mon, 01 Oct 2018 09:27:19 -0500

Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released