Comment 2 for bug 1873074

Mauricio Faria de Oliveira (mfo) wrote :

Security Impact Surface:
---

For Kubernetes itself, this is less likely nowadays with
the move from aufs to overlayfs in Docker (which used to
be the biggest driver for aufs AFAIK), and additionally, new
versions have kube-proxy call iptables-save/restore less.

The versions typically used in the Xenial timeframe (and
which may still be around) still have both (aufs default,
and kube-proxy calling iptables-save more frequently).

Detailed version numbers for Docker/Kubernetes for that
information can be provided if needed.

...

For the root cause (i.e., independently of Kubernetes),

This affects any distribution which ships aufs filesystem
AND enables CONFIG_IMA (sufficient until the 5.3 kernel)
OR enables CONFIG_FILE_LOCKING (new with the 5.3 kernel);

(either CONFIG option enables i_readcount/that BUG_ON())

Ubuntu:
--

This is true for all supported Ubuntu releases (T/X/B/E/F),
which ship aufs in the kernel packages as a kernel module.

Debian:
--

This affects Debian too, which ships aufs-dkms to build it.

This is true for Debian Stretch (oldstable) with 4.9 kernel.

This is not true for Debian Buster (stable) with the 4.19 kernel
(as CONFIG_IMA was disabled on 4.16 in Debian, g82596c5122fe).

BUT buster-backports has 5.4 kernel; so if aufs-dkms goes on
to support it, the problem would be exposed on Debian Buster.

This is true for Debian Bullseye (testing), again pending
support from aufs-dkms; it is currently locked to the 5.2 kernel
via this DKMS directive (BUILD_EXCLUSIVE_KERNEL="^5.2.*").

Other Distros:
--

Apparently official support for aufs is not very present
on other distros, as it's not in upstream/mainline Linux,
but there are distro-community efforts that provide it.
- Arch Linux User Repository/AUR
- CentOS community/custom packages on top of
  kernel-lt (longterm) and kernel-ml (mainline) stable pkgs.

Those were not checked.
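An exposure check for the conditions laid out in the comment above (aufs available, plus i_readcount compiled in via CONFIG_IMA on any kernel or via CONFIG_FILE_LOCKING on 5.3 and later), written as an added example. This is not part of the bug report, of aufs-dkms, or of any distribution's packaging; the kernel version strings and config snippets it feeds to itself are constructed for illustration, and `assess_running_system` is only a convenience wrapper over `uname -r`, the usual config locations and `modinfo`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a kernel build as exposed or
# not to the aufs i_readcount BUG_ON discussed above. Rule taken from the comment:
#   i_readcount is compiled in when CONFIG_IMA=y (any kernel), or when
#   CONFIG_FILE_LOCKING=y on kernels >= 5.3; aufs must also be available.

# kernel_ge_53 "5.4.0-generic" -> exit 0 when major.minor >= 5.3
kernel_ge_53() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0        # no minor component at all
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}             # drop "-rc1" style suffixes
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# config_enabled CONFIG_FOO "$config_text" -> exit 0 when a CONFIG_FOO=y line exists
config_enabled() {
    printf '%s\n' "$2" | grep -q "^$1=y\$"
}

# i_readcount_compiled_in VERSION "$config_text" -> prints yes or no
i_readcount_compiled_in() {
    if config_enabled CONFIG_IMA "$2"; then
        echo yes
    elif kernel_ge_53 "$1" && config_enabled CONFIG_FILE_LOCKING "$2"; then
        echo yes
    else
        echo no
    fi
}

# assess VERSION "$config_text" AUFS(yes|no) -> prints exposed or not-exposed
assess() {
    if [ "$3" = yes ] && [ "$(i_readcount_compiled_in "$1" "$2")" = yes ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# assess_running_system: same check against the live kernel. Reads the config
# from /boot/config-$(uname -r) or /proc/config.gz; aufs counts as available if
# modinfo can find the module or it is already registered in /proc/filesystems.
assess_running_system() {
    ver=$(uname -r)
    if [ -r "/boot/config-$ver" ]; then
        cfg=$(cat "/boot/config-$ver")
    elif [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    else
        echo "no kernel config found for $ver" >&2
        return 2
    fi
    if modinfo -n aufs >/dev/null 2>&1 || grep -qw aufs /proc/filesystems 2>/dev/null; then
        aufs=yes
    else
        aufs=no
    fi
    echo "$ver: aufs=$aufs i_readcount=$(i_readcount_compiled_in "$ver" "$cfg")" \
         "-> $(assess "$ver" "$cfg" "$aufs")"
}

# Constructed sample configs (not copied from any distro), covering the cases
# in the comment: IMA on, IMA off with FILE_LOCKING on.
IMA_CFG="CONFIG_IMA=y
CONFIG_FILE_LOCKING=y"
NOIMA_CFG="# CONFIG_IMA is not set
CONFIG_FILE_LOCKING=y"

echo "4.4  IMA=y,  aufs      : $(assess 4.4.0  "$IMA_CFG"   yes)"
echo "4.19 IMA off, aufs     : $(assess 4.19.0 "$NOIMA_CFG" yes)"
echo "5.4  IMA off, FL, aufs : $(assess 5.4.0  "$NOIMA_CFG" yes)"
echo "5.4  IMA off, no aufs  : $(assess 5.4.0  "$NOIMA_CFG" no)"

# Pass --live to run the check against the machine the script is executed on.
if [ "${1:-}" = --live ]; then
    assess_running_system
fi
```

The constructed cases reproduce the comment's reasoning: a 4.x kernel with CONFIG_IMA=y is exposed, a 4.19 kernel with IMA disabled is not, and a 5.4 kernel with IMA disabled becomes exposed again through CONFIG_FILE_LOCKING once aufs is available for it. Run it with `--live` on a real host to see the same verdict for the running kernel.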