View Issue Details

IDProjectCategoryView StatusLast Update
0017896CentOS-8kernelpublic2020-12-01 07:28
Reporterpetercxy Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version8.2.2004 
Summary0017896: BUG: Kernel 4.18 regression crashes some systemd services in containers
DescriptionThis is an old bug that was introduced in Linux 4.18 in commit "vfs: Allow userns root to call mknod on owned filesystems." (55956b59df336f6738da916dbb520b6e37df9fbd), but it seems that the RHEL kernel has not backported the upstreamed revert commit [94f8200](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94f8200).

The commit message of the revert commit explains the problem in detail, but to end users, it manifests as some systemd services inside systemd-nspawn / lxc making use of the PrivateDevices feature (e.g. Nginx on some distributions) will crash due to not being able to access nodes in /dev (for Nginx, it's /dev/null) that they should otherwise be able to access. Installing the mainline kernel from elrepo fixes the issue.

This issue was discussed in

https://github.com/lxc/lxd/issues/4950
https://github.com/systemd/systemd/pull/9483

which resulted in the upstream revert.

Not being able to use systemd-nspawn or lxc normally on CentOS 8 is rather unfortunate. I think the revert commit should be cherry-picked to fix this issue.
Steps To Reproduce1. Create systemd-nspawn container, I used ArchLinux as guest but this shouldn't be limited to the guest distribution
2. Install and launch Nginx service
3. open("/dev/null") failed (13: Permission denied)
TagsNo tags attached.

Activities

petercxy

petercxy

2020-11-30 02:28

reporter   ~0038011

This bug was submitted to upstream RHEL bugzilla as https://bugzilla.redhat.com/show_bug.cgi?id=1902543
toracat

toracat

2020-11-30 17:24

manager   ~0038012

In the meantime, we can apply commit 55956b59df336f6738da916dbb520b6e37df9fbd to the plus kernel.
petercxy

petercxy

2020-12-01 01:32

reporter   ~0038015

toracat: The commit needs to be reverted, not applied. The upstream revert commit ID is 94f82008ce30e2624537d240d64ce718255e0b80. Commit 55956b is the one that breaks the containers because it makes mknod() less privileged than open(), which is contrary to prior assumptions made by almost all container runtimes (they assume if they can create a device node like /dev/null and give their children read permission, their children processes must be able to open() it too).
toracat

toracat

2020-12-01 07:28

manager   ~0038017

Oops, right. The patch to apply is commit 94f82008ce30e2624537d240d64ce718255e0b80.

Issue History

Date Modified Username Field Change
2020-11-28 15:28 petercxy New Issue
2020-11-30 02:28 petercxy Note Added: 0038011
2020-11-30 17:24 toracat Note Added: 0038012
2020-12-01 01:32 petercxy Note Added: 0038015
2020-12-01 07:28 toracat Note Added: 0038017