LXD 4.2 broken on linux-kvm due to missing VLAN filtering

Bug #1882955 reported by Stéphane Graber
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux-kvm (Ubuntu)
Undecided
Unassigned
Xenial
Medium
Unassigned
Bionic
Medium
Unassigned
Eoan
Medium
Unassigned
Focal
Medium
Unassigned

Bug Description

[Description]

Some VLAN options (BRIDGE_VLAN_FILTERING, and its dependencies VLAN_8021Q*) were in a different state in Focal/kvm compared to Focal/generic: LXD now depends on BRIDGE_VLAN_FILTERING and due to this discrepancy it fails to work on the Focal/kvm kernel: fix it by aligning the config with Focal/generic

[Fix]

Apply the attached config patch

[Regression potential]

Low, just some config changes already present in generic.

---
This is another case of linux-kvm having unexplained differences compared to linux-generic in areas that aren't related to hardware drivers (see other bug we filed for missing nft).

This time, CPC is reporting that LXD no longer works on linux-kvm as we now set vlan filtering on our bridges to prevent containers from escaping firewalling through custom vlan tags.

This relies on CONFIG_BRIDGE_VLAN_FILTERING which is a built-in on the generic kernel but is apparently missing on linux-kvm (I don't have any system running that kernel to confirm its config, but the behavior certainly matches that).

We need this fixed in focal and groovy.

Changed in linux-kvm (Ubuntu):
status: New → Triaged
tags: added: id-5ee11405ec50180f6deea614
Revision history for this message
Philip Roche (philroche) wrote :

CPC are seeing this issue in _all_ minimal cloud images testing with LXD snap version 4.2 or greater. This blocks promotion of all minimal cloud download images and blocks build and publication of both daily and release cloud images.

Revision history for this message
Paolo Pisati (p-pisati) wrote :
description: updated
tags: added: patch
Stefan Bader (smb)
Changed in linux-kvm (Ubuntu Focal):
importance: Undecided → Low
status: New → In Progress
importance: Low → Medium
Changed in linux-kvm (Ubuntu Eoan):
importance: Undecided → Medium
status: New → Triaged
Changed in linux-kvm (Ubuntu Bionic):
status: New → Triaged
Changed in linux-kvm (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in linux-kvm (Ubuntu Bionic):
importance: Undecided → Medium
Changed in linux-kvm (Ubuntu):
status: Triaged → Invalid
Stefan Bader (smb)
Changed in linux-kvm (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Eoan):
status: Triaged → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: Triaged → Fix Committed
Changed in linux-kvm (Ubuntu Xenial):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (30.5 KiB)

This bug was fixed in the package linux-kvm - 5.4.0-1018.18

---------------
linux-kvm (5.4.0-1018.18) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1018.18 -proposed tracker (LP: #1885099)

  * LXD 4.2 broken on linux-kvm due to missing VLAN filtering (LP: #1882955)
    - [Config] kvm: VLAN_8021Q=m && BRIDGE_VLAN_FILTERING=y

  * Make linux-kvm bootable in LXD VMs (LP: #1873809)
    - [Config] kvm: Match ramdisk config with master
    - [Config] kvm: Build-in EFI framebuffer

linux-kvm (5.4.0-1017.17) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1017.17 -proposed tracker (LP: #1883517)

  * Make linux-kvm bootable in LXD VMs (LP: #1873809)
    - [Packaging] Start to sign the KVM kernel

linux-kvm (5.4.0-1016.16) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1016.16 -proposed tracker (LP: #1882691)

  * Focal update: v5.4.42 upstream stable release (LP: #1879759)
    - [Config] kvm: Record CC_HAS_WARN_MAYBE_UNINITIALIZED drop

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  [ Ubuntu: 5.4.0-38.42 ]

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported
  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier
  * CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily
  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options
  * Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: f...

Changed in linux-kvm (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.15.0-1071.72

---------------
linux-kvm (4.15.0-1071.72) bionic; urgency=medium

  * bionic/linux-kvm: 4.15.0-1071.72 -proposed tracker (LP: #1887041)

  [ Ubuntu: 4.15.0-112.113 ]

  * bionic/linux: 4.15.0-112.113 -proposed tracker (LP: #1887048)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * CVE-2020-11935
    - SAUCE: aufs: do not call i_readcount_inc()
    - SAUCE: aufs: bugfix, IMA i_readcount
  * CVE-2020-10757
    - mm: Fix mremap not considering huge pmd devmap
  * Update lockdown patches (LP: #1884159)
    - efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
    - efi: Restrict efivar_ssdt_load when the kernel is locked down
    - powerpc/xmon: add read-only mode
    - powerpc/xmon: Restrict when kernel is locked down
    - [Config] CONFIG_XMON_DEFAULT_RO_MODE=y
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down
  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc
  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

  [ Ubuntu: 4.15.0-111.112 ]

  * bionic/linux: 4.15.0-111.112 -proposed tracker (LP: #1886999)
  * Bionic update: upstream stable patchset 2020-05-07 (LP: #1877461)
    - SAUCE: mlxsw: Add missmerged ERR_PTR hunk
  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux-kvm (4.15.0-1070.71) bionic; urgency=medium

  * bionic/linux-kvm: 4.15.0-1070.71 -proposed tracker (LP: #1885807)

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Config] kvm: wireguard -- enable on all architectures

  * LXD 4.2 broken on linux-kvm due to missing VLAN filtering (LP: #1882955)
    - [Config] VLAN_8021Q=m && BRIDGE_VLAN_FILTERING=y

  [ Ubuntu: 4.15.0-110.111 ]

  * bionic/linux: 4.15.0-110.111 -proposed tracker (LP: #1885814)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * CVE-2020-11935
    - SAUCE: aufs: do not call i_readcount_inc()
    - SAUCE: aufs: bugfix, IMA i_readcount
  * CVE-2020-10757
    - mm: Fix mremap not considering huge pmd devmap
  * Update lockdown patches (LP: #1884159)
    - efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
    - efi: Restrict efivar_ssdt_load when the kernel is locked down
    - powerpc/xmon: add read-only mode
    - powerpc/xmon: Restrict when kernel is locked down
    - [Config] CONFIG_XMON_DEFAULT_RO_MODE=y
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down
  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc
  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

 -- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 22:13:34 -0400

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (19.7 KiB)

This bug was fixed in the package linux-kvm - 4.4.0-1077.84

---------------
linux-kvm (4.4.0-1077.84) xenial; urgency=medium

  * xenial/linux-kvm: 4.4.0-1077.84 -proposed tracker (LP: #1885506)

  * LXD 4.2 broken on linux-kvm due to missing VLAN filtering (LP: #1882955)
    - [Config] VLAN_8021Q=m && BRIDGE_VLAN_FILTERING=y

  [ Ubuntu: 4.4.0-186.216 ]

  * xenial/linux: 4.4.0-186.216 -proposed tracker (LP: #1885514)
  * Xenial update: v4.4.228 upstream stable release (LP: #1884564)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - scsi: return correct blkprep status code in case scsi_init_io() fails.
    - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
    - pwm: fsl-ftm: Use flat regmap cache
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - ath9k_htc: Silence undersized packet warnings
    - x86_64: Fix jiffies ODR violation
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: PM: Avoid using power resources if there are none for D0
    - cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: bcm2835aux: Fix controller unregister order
    - ALSA: pcm: disallow linking stream to itself
    - x86/speculation: Change misspelled STIPB to STIBP
    - x86/speculation: Add support for STIBP always-on preferred mode
    - x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced
      IBRS.
    - x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
    - spi: dw: fix possible race condition
    - spi: dw: Fix controller unregister order
    - spi: No need to assign dummy value in spi_unregister_controller()
    - spi: Fix controller unregister order
    - spi: pxa2xx: Fix controller unregister order
    - spi: bcm2835: Fix controller unregister order
    - ovl: initialize error in ovl_copy_xattr
    - proc: Use new_inode not new_inode_pseudo
    - video: fbdev: w100fb: Fix a potential double free.
    - KVM: nSVM: leave ASID aside in copy_vmcb_control_area
    - KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
    - KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
    - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
    - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
    - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - Smack: slab-out-of-bounds in vsscanf
    - mm/slub: fix a memory leak in sysfs_slab_add()
    - fat: don't allow to mount if the FAT length == 0
    - can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
    - spi: dw: Zero DMA Tx and R...

Changed in linux-kvm (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (63.5 KiB)

This bug was fixed in the package linux-kvm - 5.3.0-1026.28

---------------
linux-kvm (5.3.0-1026.28) eoan; urgency=medium

  * eoan/linux-kvm: 5.3.0-1026.28 -proposed tracker (LP: #1887084)

  [ Ubuntu: 5.3.0-64.58 ]

  * eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)
  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux-kvm (5.3.0-1025.27) eoan; urgency=medium

  * eoan/linux-kvm: 5.3.0-1025.27 -proposed tracker (LP: #1885490)

  * LXD 4.2 broken on linux-kvm due to missing VLAN filtering (LP: #1882955)
    - [Config] VLAN_8021Q=m && BRIDGE_VLAN_FILTERING=y

  [ Ubuntu: 5.3.0-63.57 ]

  * eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)
  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc
  * The thread level parallelism would be a bottleneck when searching for the
    shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing
  * Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - net_failover: fixed rollback in net_failover_open()
    - bridge: Avoid infinite loop when suppressing NS messages with invalid
      options
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - tun: correct header offsets in napi frags mode
    - Input: mms114 - fix handling of mms345l
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - Input: synaptics - add a second working PNP_ID for Lenovo T470s
    - drivers/net/ibmvnic: Update VNIC protocol version reporting
    - powerpc/xive: Clear the page tables for the ESB IO mapping
    - ath9k_htc: Silence undersized packet warnings
    - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
    - x86/cpu/amd: Make erratum #1054 a legacy erratum
    - perf probe: Accept the instance number of kretprobe event
    - mm: add kvfree_sensitive() for freeing sensitive data objects
    - aio: fix async fsync creds
    - x86_64: Fix jiffies ODR violation
    - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
      Dock
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
    - ACPI: GED: add support for _Exx / _Lxx handler methods
    - ACPI: PM: Avoid using power resources if there are none for D0
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: dw: Fix controller unregister order
    - spi: bcm2835aux: Fix controller...

Changed in linux-kvm (Ubuntu Eoan):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (31.6 KiB)

This bug was fixed in the package linux-kvm - 5.4.0-1020.20

---------------
linux-kvm (5.4.0-1020.20) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1020.20 -proposed tracker (LP: #1887063)

  [ Ubuntu: 5.4.0-42.46 ]

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)
  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux-kvm (5.4.0-1019.19) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1019.19 -proposed tracker (LP: #1885848)

  [ Ubuntu: 5.4.0-41.45 ]

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open
  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start
  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()
  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM
  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down
  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc
  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

  [ Ubuntu: 5.4.0-40.44 ]

  * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and
      -tools-host
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
    - e1000e: Disable TSO for buffer overrun workaround
  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported
  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier
  * CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily
  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config opt...

Changed in linux-kvm (Ubuntu):
status: Invalid → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers