"overlayfs" no longer exists
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | cloud-initramfs-tools |
Medium
|
Scott Moser | ||
| | cloud-utils |
Medium
|
Unassigned | ||
| | cloud-initramfs-tools (Ubuntu) |
Medium
|
Unassigned | ||
| | Xenial |
Medium
|
Unassigned | ||
| | Yakkety |
Medium
|
Unassigned | ||
| | cloud-utils (Ubuntu) |
Medium
|
Unassigned | ||
| | Xenial |
Medium
|
Unassigned | ||
Bug Description
=== Begin SRU Template ===
[Impact]
The 16.10 kernel dropped a legacy kernel module alias that allowed usage of
the 'overlay' filesystem via name 'overlayfs'. This broke overlayroot as
it explicitly tried to to use 'overlayfs' by name in loading of modules and
also in entry in /etc/fstab.
Without this fix, overlayroot will simply not work on any upstream kernel
or Ubuntu kernel of 16.10 (yakkety) or later.
[Test Case]
Note, not applying proposed as shown in step 3 below will recreate failure.
1.) Start an instance of a cloud image.
2.) get a suitable 4.8 kernel
On 16.10 or later, this is already done. On 16.04, we currently need to
install the kernel team's PPA to get one.
$ sudo apt-add-repository -y ppa:canonical-
$ sudo apt update -q && sudo apt install -y linux-virtual-
3.) Enable proposed and install overlayroot to show fix.
$ rel=$(lsb_release -sc)
$ echo "deb http://
$ sudo tee /etc/apt/
$ sudo apt update -qy && sudo apt install -qy overlayroot </dev/null
$ dpkg-query --show overlayroot
overlayroot 0.27ubuntu1.3
4.) Enable overlayroot and reboot
# remove the cloud-init written mount options for /dev/vdb
# if we do not do this, then /mnt ends up not mounted due to ordering.
$ sudo sed -i.dist s/,x-systemd.
$ echo "overlayroot=tmpfs" | sudo tee /etc/overlayroo
$ sudo reboot
5.) log back in and look around.
a.) check that 'overlayroot' is in /proc/mounts
$ awk '$1 == "overlayroot" { print $0 }' /proc/mounts
overlayroot / overlay rw,relatime,
b.) check /run/initramfs/
$ grep success /run/initramfs/
[success]: configured root with 'tmpfs' using overlay per /dev/vda1/
6.) try with recurse disabled
Assuming you're on the same system and in an overlayroot, to change the
file necessary, we use overlayroot-chroot.
$ echo overlayroot=
$ sudo reboot
7.) log back in and look around.
This time the /mnt should not have overlay on it.
$ grep vdb /proc/mounts
/dev/vdb /mnt ext4 rw,relatime,
$ grep overlay /proc/mounts
overlayroot / overlay rw,relatime,
$ cat /etc/overlayroo
overlayroot
[Regression Potential]
The most likely regression is just in failure for overlayroot to work.
That was the case 100% of the time on any kernel without 'overlayfs'
filesystem, so this can't really make things worse from that perspective.
Some of the code change was related to fixing another issue, with 'recurse'.
Testing recurse (where not just / is mounted as an overlayroot) is done
above
echo overlayroot=
[Other Info]
The full overlayroot/
specific change that fixed the issue is in revision 115 at [2].
[1] http://
[2] http://
=== End SRU Template ===
As mentioned in LP: #1411294, it's now called 'overlay' instead of 'overlayfs'.
Ubuntu had patched the kernel for compatibility.
The Ubuntu kernels as of 4.8 (16.10 kernel) and possibly a bit before no longer have a overlayfs module either. Thus, this is now affecting yakkety.
(The original reporter is @~gpo-9.)
| information type: | Public → Public Security |
| information type: | Public Security → Public |
Oh, sorry, I don't mean to set it as a 'security' bug.
Thanks!
| Changed in cloud-initramfs-tools (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Scott Moser (smoser) wrote : | #3 |
I've marked cloud-utils as relevant here tto fix mount-image-
| Changed in cloud-initramfs-tools: | |
| status: | New → Confirmed |
| Changed in cloud-utils: | |
| status: | New → Confirmed |
| Changed in cloud-utils (Ubuntu): | |
| status: | New → Confirmed |
| Changed in cloud-initramfs-tools: | |
| importance: | Undecided → Medium |
| Changed in cloud-utils: | |
| importance: | Undecided → Medium |
| Changed in cloud-utils (Ubuntu): | |
| importance: | Undecided → Medium |
| summary: |
- overlayroot doesn't work with vanilla kernel + "overlayfs" no longer exists |
| description: | updated |
| Changed in cloud-initramfs-tools: | |
| assignee: | nobody → Scott Moser (smoser) |
| status: | Confirmed → In Progress |
| Scott Moser (smoser) wrote : | #4 |
for some specific information on different ubuntu kernels:
-- latest kernel before 4.8 entered yakkety --
$ uname -r
4.4.0-9136-generic
$ grep overlay /lib/modules/
alias overlayfs overlay
alias fs-overlayfs overlay
alias fs-overlay overlay
$ sudo modprobe -v overlayfs
insmod /lib/modules/
$ lsmod | grep overlay
overlay
$ grep overlay /proc/filesystems
nodev overlayfs
nodev overlay
-- 4.8 kernel in yakkety --
$ uname -r
4.8.0-15-generic
$ grep overlay /lib/modules/
alias fs-overlay overlay
$ modprobe -v overlayfs
modprobe: FATAL: Module overlayfs not found in directory /lib/modules/
$ modprobe -v overlay
insmod /lib/modules/
$ grep overlay /proc/filesystems
nodev overlay
-- 3.13 kernel (trusty GA) --
$ uname -r
3.13.0-96-generic
$ grep overlay /lib/modules/
alias fs-overlayfs overlayfs
$ sudo modprobe -v overlay
modprobe: FATAL: Module overlay not found.
$ sudo modprobe -v overlayfs
insmod /lib/modules/
$ grep overlay /proc/filesystems
nodev overlayfs
| Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in cloud-utils (Ubuntu Xenial): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in cloud-initramfs-tools: | |
| status: | In Progress → Fix Committed |
Hello 宋文武, or anyone else affected,
Accepted cloud-initramfs
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in cloud-initramfs-tools (Ubuntu Yakkety): | |
| status: | Confirmed → Fix Committed |
| tags: | added: verification-needed |
| Shuhao (shuhao) wrote : | #6 |
I can test this too if we build a copy for xenial for arm (raspi3).
| Scott Moser (smoser) wrote : | #7 |
I've verified functional in yakkety in uvt-kvm.
Below 'ussh' is a wrapper arond uvt-kvm
https:/
for reader purposes, it can be assumed that it operates like 'lxc exec'. ie,
ussh name command arguments
executed command and arguments on 'name'.
# make a new system.
name=sm-y1
uvt-kvm create $name release=yakkety
# enable proposed
$ ussh $name sudo sh -c 'echo "deb http://
# install a package
ussh $name sudo apt-get install -qy overlayroot
# show.
$ ussh $name dpkg-query --show overlayroot
overlayroot 0.29ubuntu1
# enable overlayroot without recurse
$ ussh "$name" sh -c 'echo overlayroot=
# reboot
$ ussh $name reboot
# show
$ ussh $name grep overlay /proc/mounts
overlayroot / overlay rw,relatime,
# turn on recurse
$ ussh "$name" sh -c 'echo overlayroot=
# reboot
$ ussh $name reboot
# show /proc/mounts
$ ussh "$name" grep overlay /proc/mounts
overlayroot / overlay rw,relatime,
/media/root-ro/mnt /mnt overlay rw,relatime,
$ ussh $name grep overlay /etc/fstab
# This fstab is in an overlay. The real one can be found at
# sudo overlayroot-chroot
/media/root-ro/ / overlay lowerdir=
LABEL=UEFI /boot/efi vfat defaults 0 0 # overlayroot:
/media/root-ro/mnt /mnt overlay lowerdir=
# show kernel version
$ ussh $name uname -r
4.8.0-17-generic
# boot into normal root
$ ussh sm-y1 sudo sh -c 'overlayroot-chroot rm /etc/overlayroo
| tags: |
added: verification-done removed: verification-needed |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package cloud-initramfs
---------------
cloud-initramfs
* overlayroot: support 'overlay' filesystem explicitly rather than
relying on ubuntu specific kernel module 'overlayfs'. (LP: #1493188)
-- Scott Moser <email address hidden> Fri, 23 Sep 2016 17:00:37 -0400
| Changed in cloud-initramfs-tools (Ubuntu Yakkety): | |
| status: | Fix Committed → Fix Released |
| Scott Moser (smoser) wrote : | #9 |
fix committed in cloud-utils trunk at revno 303.
| Changed in cloud-utils: | |
| status: | Confirmed → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package cloud-utils - 0.29-0ubuntu4
---------------
cloud-utils (0.29-0ubuntu4) yakkety; urgency=medium
* sync to trunk at revno 303
* mount-image-
than ubuntu specific 'overlayfs' (LP: #1493188)
-- Scott Moser <email address hidden> Tue, 27 Sep 2016 21:20:58 -0400
| Changed in cloud-utils (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Changed in cloud-initramfs-tools: | |
| status: | Fix Committed → Fix Released |
| Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
| status: | Confirmed → In Progress |
| description: | updated |
| Chris Halse Rogers (raof) wrote : | #11 |
Hello 宋文武, or anyone else affected,
Accepted cloud-initramfs
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
| status: | In Progress → Fix Committed |
| tags: | removed: verification-done |
| tags: | added: verification-needed |
| Scott Moser (smoser) wrote : | #12 |
I've verified this on xenial using the steps provided in the test case above.
$ uname -r
4.8.0-28-generic
$ dpkg -S /boot/vmlinuz-
linux-image-
$ dpkg-query --show overlayroot
overlayroot 0.27ubuntu1.3
| description: | updated |
| tags: |
added: verification-done removed: verification-needed |
| Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package cloud-initramfs
---------------
cloud-initramfs
* sync with upstream at 0.32ubuntu1 (revno 129)
* overlayroot: fix overlayroot=crypt with newer initramfs-tools
(LP: #1634310)
* overlayroot: support random seed from systemd systemd-
* cloud-initramfs
IPV6 and the new DEVICE6 and net6-DEVICE.conf files. (LP: #1621615)
* overlayroot: support 'overlay' filesystem explicitly rather than
relying on ubuntu specific kernel module 'overlayfs'. (LP: #1493188)
* overlayroot: write debug to /run/initramfs not /dev/.initramfs but
support writing to /dev/.initramfs if that is all there is. (LP: #1485752)
* overlayroot: fix overlayroot if recurse=0 was not provided.
This fuctionality was lost since workdir support was added. (LP: #1619459)
* whitespace cleanup.
-- Scott Moser <email address hidden> Mon, 28 Nov 2016 20:12:51 -0500
| Changed in cloud-initramfs-tools (Ubuntu Xenial): | |
| status: | Fix Committed → Fix Released |
| Robie Basak (racb) wrote : Update Released | #14 |
The verification of the Stable Release Update for cloud-initramfs
| Scott Moser (smoser) wrote : | #15 |
this fix is present in cloud-utils 0.30
| Changed in cloud-utils: | |
| status: | Fix Committed → Fix Released |
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.