qemu-user-static needs to binfmt with --fix-binary
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
qemu (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bionic |
Triaged
|
Undecided
|
Unassigned |
Bug Description
[Impact]
qemu static binaries disadvantageously get their binfmt rule created without the fix-binary flag. This breaks cross-architecture dockers, flatpak-builder, chroots and generally most use cases that entail kernel namespaces or chroots. By default the binfmt module will only open the interpreter file (e.g. qemu-arm-static for armhf binaries) when the kernel actually encounters a file for which the interpreter is needed. This is generally fine, except when the root at the time the file is encountered is no longer the root of the system (IOW: if / is in fact /foo on the system then the interpreter will effectively be looked for in /foo/usr/
As this effectively breaks qemu-based container-use the missing flag really should get rectified. For example you can't easily cross compile for arm inside a chroot. Primary example of this is flatpak-builder which is used to build flatpak bundles. It has cross compilation capabilities expecting a suitable binfmt setup which will fail with obscure execvp errors (on account of not being able to open the interpreter/qemu binary inside the chroot). https:/
The fix-binary flag of binfmt is meant to specifically deal with this. The interpreter file (e.g. qemu-arm-static) is loaded when its binfmt rule is installed instead of when a file that requires it is encountered. When the kernel then encounters a file which requires that interpreter it simply execs the already open file descriptor instead of opening a new one (IOW: the kernel already has the correct file descriptor open, so possibly divergent roots no longer play into finding the interpreter thus allowing namespaces/
[Test Case]
Do note that once successfully loaded, the interpreter likely won't need opening again. So, testing generally should be done after a cold-boot to ensure binfmt hasn't already loaded the interpreter.
$ sudo apt install docker.io qemu-user-static
$ sudo docker run --rm -it armhf/ubuntu /bin/sh
Without fix-binary this gives an error "exec user process caused 'no such file or directory" (this is referring to the interpreter not being found).
With fix-binary this correctly opens a prompt.
[Regression Potential]
Since the file descriptor is always held open I guess memory consumption goes up by a couple bytes. There isn't any opportunity of regression with fix-binary as it simply changes the interpreter file opening from lazy to instant.
There is potential for the actual SRU patch going wrong, which would manifest in the binfmt rules not getting set up correctly (this would be shown by the aforementioned test case though; breaking the rule setup would result in no improvement to the docker run command).
[Other Info]
I also should point out that the exec() still happens inside the namespace/
-----
qemu-user-static in 18.04 invokes update-binfmts without --fix-binary which can break the binfmt emulation when namespaces or chroots are involved. Specifically this defuncts cross compiling when relying on binfmt.
Newer versions already set --fix-binary for the static package. It'd be really grand if this was actually SRU'd though. Currently 18.04's binfmt for arm can inobviously fail with obscure errors. Notable example is bubblewrap and flatpak, which will squarely hit this problem 100% of the time.
Hi Harald,
this would be a backport of [1][2] which I'm fine with in general.
But there are few constraints we need to resolve first - and I get the feeling you are more acquainted binfmt than I am - so I'd ask you to help me a bit.
For the SRU policy [3] to apply this must be a bug fix and not a new feature and I'm not entirely sure on that. Furthermore we need a clear test case that can be verified when backported and in bionic-proposed. And finally I'm not deep enough into binfmt through qemu static, it would be great if you could take a step back and try to think "what could break if we do this and outline that".
To make those statements good and convincing is especially important since the affected shar of the Ubuntu community is rather low to start with.
TL;DR:
could you please add statements here that you'd think your be sufficient for the sections in [4]
- impact (included why it is a fix and not a feature)
- regression potential (not "it will be safe" but "what could go wrong")
- test case (a list of commands that would work in Bionic KVM guest for example)
[1]: https:/ /salsa. debian. org/qemu- team/qemu/ commit/ b1fc77d6ebf848a 81f5b874752e5af 8e5b93bde8 /salsa. debian. org/qemu- team/qemu/ commit/ 6c5584b50a76c16 7186006c9b7de5b a53e56f5b9 /wiki.ubuntu. com/StableRelea seUpdates /wiki.ubuntu. com/StableRelea seUpdates# SRU_Bug_ Template
[2]: https:/
[3]: https:/
[4]: https:/