Missing configuration for LXC containers on omap4

Bug #787749 reported by Stéphane Graber on 2011-05-24
Affects: linux-ti-omap4 (Ubuntu); Importance: Undecided; Assigned to: Andy Whitcroft
Affects: linux-ti-omap4 (Ubuntu Natty); Importance: Undecided; Assigned to: Paolo Pisati

Bug Description

SRU Justification:

Impact: without these two options, lxc won't work on omap4.

Testcase:

flag@omap:~$ lxc-checkconfig

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing # CONFIG_USER_NS
Network namespace: enabled
Multiple /dev/pts instances: missing # DEVPTS_MULTIPLE_INSTANCES

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Fix: The attached patch enables the necessary options.

----------------------------------------------------------------------------------------------------------------------------------------

The following configuration required for LXC is currently missing for linux-ti-omap4:
 - CONFIG_USER_NS
 - DEVPTS_MULTIPLE_INSTANCES
 - CONFIG_SECURITY_FILE_CAPABILITIES

These are at the least the obvious ones as reported by "lxc-checkconfig".

Below is the output on ARM and on x86:

stgraber@castiana:~/Desktop$ CONFIG=/home/stgraber/.cache/.fr-2ObRP4/boot/config-2.6.38-1209-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing CONFIG_USER_NS
Network namespace: enabled
Multiple /dev/pts instances: missing DEVPTS_MULTIPLE_INSTANCES

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing CONFIG_SECURITY_FILE_CAPABILITIES
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

stgraber@castiana:~/Desktop$ lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-2.6.39-2-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Stéphane Graber (stgraber) wrote :

Note that I added the missing config next to each "missing" by looking at lxc-checkconfig's code.

Paolo Pisati (p-pisati) on 2011-05-25
Changed in linux-ti-omap4 (Ubuntu):
assignee: nobody → Paolo Pisati (p-pisati)
Tim Gardner (timg-tpi) on 2011-06-07
Changed in linux-ti-omap4 (Ubuntu):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Fix Committed
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu):
assignee: Paolo Pisati (p-pisati) → nobody
Paolo Pisati (p-pisati) wrote :
description: updated
Paolo Pisati (p-pisati) wrote :

With regard to the last option, CONFIG_SECURITY_FILE_CAPABILITIES: that has been deprecated since 2.6.33, and userland should be patched appropriately:

http://<email address hidden>/msg00123.html

Andy Whitcroft (apw) on 2011-08-09
Changed in linux-ti-omap4 (Ubuntu):
status: Invalid → Fix Released
Andy Whitcroft (apw) on 2011-08-10
Changed in linux-ti-omap4 (Ubuntu):
status: Fix Released → Fix Committed
assignee: nobody → Andy Whitcroft (apw)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 3.0.0-1200.3

---------------
linux-ti-omap4 (3.0.0-1200.3) oneiric; urgency=low

  [ Andy Whitcroft ]

  * [Config] enable CONFIG_ISCSI_BOOT_SYSFS=m & CONFIG_ISCSI_TCP=m
    - LP: #820349
  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ John Johansen ]

  * [Config] Enable missing IPv6 options

  [ Tim Gardner ]

  * [Config] Enabled some IPSEC config options
    - LP: #818548
 -- Andy Whitcroft <email address hidden> Wed, 10 Aug 2011 21:33:29 +0100

Changed in linux-ti-omap4 (Ubuntu):
status: Fix Committed → Fix Released
Herton R. Krzesinski (herton) wrote :

This bug is awaiting verification that the linux-ti-omap4 2.6.38-1209.15 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-natty
Herton R. Krzesinski (herton) wrote :

Everything looks ok with 2.6.38-1209.15 release:

======================================
$ wget 'http://ports.ubuntu.com/pool/main/l/linux-ti-omap4/linux-image-2.6.38-1208-omap4_2.6.38-1208.11_armel.deb'
..
$ dpkg-deb -x linux-image-2.6.38-1208-omap4_2.6.38-1208.11_armel.deb .
$ CONFIG=./boot/config-2.6.38-1208-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: missing

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

$ wget 'http://ports.ubuntu.com/pool/main/l/linux-ti-omap4/linux-image-2.6.38-1209-omap4_2.6.38-1209.15_armel.deb'
...
$ dpkg-deb -x linux-image-2.6.38-1209-omap4_2.6.38-1209.15_armel.deb .
$ CONFIG=./boot/config-2.6.38-1209-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
======================================

Just ignoring the "File capabilities: missing" though, due to what was stated in comment #3.

Marking as verified.

tags: added: verification-done-natty
removed: verification-needed-natty
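A small config check in the spirit of the lxc-checkconfig runs quoted above, as an added example that is not the lxc-checkconfig script or any Ubuntu code: it reads a kernel config (plain file or gzipped, as /proc/config.gz is) for the three options the report lists and, following comment #3, treats CONFIG_SECURITY_FILE_CAPABILITIES as built in on kernels 2.6.33 and later rather than reporting it missing. The two sample configs are constructed to mirror the 1208 and 1209 kernels in the verification comment; they are not the real Ubuntu config files.

```shell
#!/bin/sh
# Added example, not lxc-checkconfig itself. Kernel symbols checked:
# CONFIG_USER_NS, CONFIG_DEVPTS_MULTIPLE_INSTANCES (the report abbreviates
# it) and CONFIG_SECURITY_FILE_CAPABILITIES, which stopped being a Kconfig
# symbol in 2.6.33 (comment #3), so on newer kernels it is reported built in.
read_config() {                 # print config text, decompressing .gz files
    case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac
}
is_set() {                      # is_set FILE OPTION: true if OPTION=y or =m
    read_config "$1" | grep -q "^$2=[ym]\$"
}
kernel_version() {              # first x.y.z in the "# Linux ..." header line
    read_config "$1" | grep '^# Linux' | grep -E -o -m1 '[0-9]+\.[0-9]+\.[0-9]+'
}
version_ge() {                  # version_ge A B: dotted version A >= B
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) if (x[i]+0 != y[i]+0) exit (x[i]+0 < y[i]+0)
        exit 0 }'
}
# check_config FILE: print "OPTION: enabled|missing" per option; the exit
# status is the number of missing options (0 means the kernel is LXC-ready).
# An unknown kernel version falls back to reporting file capabilities missing.
check_config() {
    missing=0; ver=$(kernel_version "$1")
    for opt in CONFIG_USER_NS CONFIG_DEVPTS_MULTIPLE_INSTANCES \
               CONFIG_SECURITY_FILE_CAPABILITIES; do
        if is_set "$1" "$opt"; then
            echo "$opt: enabled"
        elif [ "$opt" = CONFIG_SECURITY_FILE_CAPABILITIES ] &&
             [ -n "$ver" ] && version_ge "$ver" 2.6.33; then
            echo "$opt: enabled (always built in since 2.6.33)"
        else
            echo "$opt: missing"; missing=$((missing + 1))
        fi
    done
    return $missing
}
# Constructed sample configs modelled on the 1208 and 1209 kernels in the
# report (not the real Ubuntu config files).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '# Linux kernel version: 2.6.38\n# CONFIG_USER_NS is not set\n# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set\nCONFIG_VETH=m\n' > "$TMP/config-1208"
printf '# Linux kernel version: 2.6.38\nCONFIG_USER_NS=y\nCONFIG_DEVPTS_MULTIPLE_INSTANCES=y\nCONFIG_VETH=m\n' > "$TMP/config-1209"
for f in "$TMP"/config-*; do
    echo "== $f"; check_config "$f" || echo "$? option(s) missing"
done
```

Point it at a real file with `check_config /boot/config-$(uname -r)` or `check_config /proc/config.gz`.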
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 2.6.38-1209.15

---------------
linux-ti-omap4 (2.6.38-1209.15) natty-proposed; urgency=low

  * Release tracking bug
    - LP: #837761

  [ Paolo Pisati ]

  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ Tim Gardner ]

  * [Config] Add enic/fnic to nic-modules udeb, CVE-2011-1020
    - LP: #801610

  [ Upstream Kernel Changes ]

  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #780546
  * agp: fix arbitrary kernel memory writes
    - LP: #775809
  * can: add missing socket check in can/raw release
    - LP: #780546
  * agp: fix OOM and buffer overflow
    - LP: #775809
  * bonding: Incorrect TX queue offset, CVE-2011-1581
    - LP: #792312
    - CVE-2011-1581
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * USB: ehci: remove structure packing from ehci_def
    - LP: #791552
  * taskstats: don't allow duplicate entries in listener mode,
    CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * ext4: init timer earlier to avoid a kernel panic in __save_error_info,
    CVE-2011-2493
    - LP: #806929
    - CVE-2011-2493
  * dccp: handle invalid feature options length, CVE-2011-1770
    - LP: #806375
    - CVE-2011-1770
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * GFS2: make sure fallocate bytes is a multiple of blksize, CVE-2011-2689
    - LP: #819572
    - CVE-2011-2689
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * Add mount option to check uid of device being mounted = expect uid,
    CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833
  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918
  * proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020

linux-ti-omap4 (2.6.38-1209.13) natty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #772381

  [ Brad Figg ]

  * Ubuntu-2.6.38-9.43

  [ Bryan Wu ]

  * merge Ubuntu-2.6.38-9.43
  * cherry-pick 6 patches from u2 of 'for-ubuntu' branch
  * [Config] Sync up configs for 2.6.38.4

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: Revert "x86, hibernate: Initialize mmu_cr4_features during boot"
    - LP: #764758

  [ Leann Ogasawara ]

  * [Config] updateconfigs for 2.6.38.4

  [ Paolo Pisati ]

  * [Conf...

Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released