overlayfs: allow with shiftfs as underlay
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| linux (Ubuntu) |
Undecided
|
Christian Brauner | ||
| Disco |
Undecided
|
Christian Brauner | ||
| Eoan |
Undecided
|
Christian Brauner |
Bug Description
SRU Justification
Impact: Currently it is not possible to use overlayfs on top of shiftfs. This means Docker inside of LXD cannot make user of the overlay2 graph driver which is blocking users such as Travis from making use of it efficiently.
Regression Potential: Limited to shiftfs and overlayfs on top of shiftfs. Overlayfs does prevent "remote" filesystems such as ceph, nfs, etc. from being used as the underlay. With this patch shiftfs however can be used as an underlay and we special case it as a suitable filesystem to be used under overlayfs. I verified that the patch does not lead to regression on overlayfs workloads that do not make use of shiftfs as underlay. Additionally, I tested Docker with the overlay2 graphdriver on top of shiftfs. This also has not lead to any regressions.
Test case: Building a kernel with the patch:
sudo snap install lxd
sudo lxd init
sudo lxc launch images:
sudo lxc config set b1 security.nesting true
sudo lxc restart --force b1
sudo lxc shell b1
sudo apt-get install \
apt-
ca-certificates \
curl \
gnupg-agent \
software-
curl -fsSL https:/
curl -fsSL get.docker.com | CHANNEL=test sh
sudo add-apt-repository \
"deb [arch=amd64] https:/
$(lsb_release -cs) \
stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo systemctl stop docker
cat <<EOF /etc/docker/
{
"storage-driver": "overlay2"
}
EOF
sudo systemctl start docker
docker run -it ubuntu bash
and observe that it works.
The old approach we used in https:/
Target kernels: All LTS kernels that do support shiftfs, if possible.
Changed in linux (Ubuntu): | |
assignee: | nobody → Christian Brauner (cbrauner) |
status: | New → In Progress |
Changed in linux (Ubuntu Disco): | |
status: | New → In Progress |
assignee: | nobody → Christian Brauner (cbrauner) |
Changed in linux (Ubuntu Disco): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Eoan): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-disco removed: verification-needed-disco |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: verification-needed-eoan |
tags: |
added: verification-done-eoan removed: verification-needed-eoan |
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (linux-gcp-5.3/5.3.0-1008.9~18.04.1) | #3 |
All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-
The following regressions have been reported in tests triggered by the package:
linux-gcp-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package linux - 5.3.0-22.24
---------------
linux (5.3.0-22.24) eoan; urgency=medium
* [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
setting (LP: #1849682)
- Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."
* refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
- SAUCE: shiftfs: Correct id translation for lower fs operations
- SAUCE: shiftfs: prevent type confusion
- SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling
* CVE-2018-12207
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry
- SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
active
- SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
- SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
- SAUCE: kvm: Add helper function for creating VM worker threads
- SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
- SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
- SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT
* CVE-2019-11135
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation
- x86/speculation
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation
- x86/tsx: Add config options to set tsx=on|off|auto
- [Config] Disable TSX by default when possible
* CVE-2019-0154
- SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
- SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA
* CVE-2019-0155
- SAUCE: drm/i915: Rename gen7 cmdparser tables
- SAUCE: drm/i915: Disable Secure Batches for gen6+
- SAUCE: drm/i915: Remove Master tables from cmdparser
- SAUCE: drm/i915: Add support for mandatory cmdparsing
- SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
- SAUCE: drm/i915: Allow parsing of unsized batches
- SAUCE: drm/i915: Add gen9 BCS cmdparsing
- SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
- SAUCE: drm/i915/cmdparser: Add support for backward jumps
- SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching
linux (5.3.0-21.22) eoan; urgency=medium
* eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)
* Fix signing of staging modules in eoan (LP: #1850234)
- [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink
linux (5.3.0-20.21) eoan; urgency=medium
* eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)
* eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
- [Config] Enable SOF_HDA link and codec
* Eoan update: 5.3.7 upstream stable release (LP: #1848750)
- panic: ensure preemption is disabled during panic()
- [Config] updateconfigs for USB_RIO500
- USB: rio500: Remove Rio 500 kernel driver
...
Changed in linux (Ubuntu Eoan): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package linux - 5.0.0-35.38
---------------
linux (5.0.0-35.38) disco; urgency=medium
* [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
setting (LP: #1849682)
- SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
confusion."
* refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
- SAUCE: shiftfs: Correct id translation for lower fs operations
- SAUCE: shiftfs: prevent type confusion
- SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling
* CVE-2018-12207
- kvm: Convert kvm_lock to a mutex
- kvm: x86: Do not release the page inside mmu_set_spte()
- KVM: x86: make FNAME(fetch) and __direct_map more similar
- KVM: x86: remove now unneeded hugepage gfn adjustment
- KVM: x86: change kvm_mmu_
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry
- SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
active
- SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
- SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
- SAUCE: kvm: Add helper function for creating VM worker threads
- SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
- SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
- SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT
* CVE-2019-11135
- KVM: x86: use Intel speculation bugs and features as derived in generic x86
code
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation
- x86/speculation
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation
- x86/tsx: Add config options to set tsx=on|off|auto
- SAUCE: x86/speculation
- [Config] Disable TSX by default when possible
* CVE-2019-0154
- SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
- SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA
* CVE-2019-0155
- SAUCE: drm/i915: Rename gen7 cmdparser tables
- SAUCE: drm/i915: Disable Secure Batches for gen6+
- SAUCE: drm/i915: Remove Master tables from cmdparser
- SAUCE: drm/i915: Add support for mandatory cmdparsing
- SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
- SAUCE: drm/i915: Allow parsing of unsized batches
- SAUCE: drm/i915: Add gen9 BCS cmdparsing
- SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
- SAUCE: drm/i915/cmdparser: Add support for backward jumps
- SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching
linux (5.0.0-34.36) disco; urgency=medium
* disco/linux: <version to be filled> -proposed tracker (LP: #1850574)
* [REGRESSION] md/raid0: cannot as...
Changed in linux (Ubuntu Disco): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package linux - 5.3.0-24.26
---------------
linux (5.3.0-24.26) eoan; urgency=medium
* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)
* Eoan update: 5.3.9 upstream stable release (LP: #1851550)
- io_uring: fix up O_NONBLOCK handling for sockets
- dm snapshot: introduce account_
- dm snapshot: rework COW throttling to fix deadlock
- Btrfs: fix inode cache block reserve leak on failure to allocate data space
- btrfs: qgroup: Always free PREALLOC META reserve in
btrfs_
- iio: adc: meson_saradc: Fix memory allocation order
- iio: fix center temperature of bmc150-accel-core
- libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
- perf tests: Avoid raising SEGV using an obvious NULL dereference
- perf map: Fix overlapped map handling
- perf script brstackinsn: Fix recovery from LBR/binary mismatch
- perf jevents: Fix period for Intel fixed counters
- perf tools: Propagate get_cpuid() error
- perf annotate: Propagate perf_env__arch() error
- perf annotate: Fix the signedness of failure returns
- perf annotate: Propagate the symbol__annotate() error return
- perf annotate: Fix arch specific ->init() failure errors
- perf annotate: Return appropriate error code for allocation failures
- perf annotate: Don't return -1 for error when doing BPF disassembly
- staging: rtl8188eu: fix null dereference when kzalloc fails
- RDMA/siw: Fix serialization issue in write_space()
- RDMA/hfi1: Prevent memory leak in sdma_init
- RDMA/iw_cxgb4: fix SRQ access from dump_qp()
- RDMA/iwcm: Fix a lock inversion issue
- HID: hyperv: Use in-place iterator API in the channel callback
- kselftest: exclude failed TARGETS from runlist
- selftests/
- nfs: Fix nfsi->nrequests count error on nfs_inode_
- arm64: cpufeature: Effectively expose FRINT capability to userspace
- arm64: Fix incorrect irqflag restore for priority masking for compat
- arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
- tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
- tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
- serial/sifive: select SERIAL_EARLYCON
- tty: n_hdlc: fix build on SPARC
- misc: fastrpc: prevent memory leak in fastrpc_
- RDMA/core: Fix an error handling path in 'res_get_
- RDMA/cm: Fix memory leak in cm_add/remove_one
- RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
- RDMA/mlx5: Do not allow rereg of a ODP MR
- RDMA/mlx5: Order num_pending_
- RDMA/mlx5: Add missing synchronize_srcu() for MW cases
- gpio: max77620: Use correct unit for debounce times
- fs: cifs: mute -Wunused-
- arm64: vdso32: Fix broken compat vDSO build warnings
- arm64: vdso32: Detect binutils support for dmb ishld
- serial: mctrl_gpio: Check for NULL pointer
- serial: 8250_...
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- disco' to 'verification- done-disco' . If the problem still exists, change the tag 'verification- needed- disco' to 'verification- failed- disco'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!