0017896: BUG: Kernel 4.18 regression crashes some systemd services in containers - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017896	CentOS-8	kernel	public	2020-11-28 15:28	2020-12-01 07:28

Reporter	petercxy
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version	8.2.2004
Target Version		Fixed in Version

Summary	0017896: BUG: Kernel 4.18 regression crashes some systemd services in containers
Description	This is an old bug that was introduced in Linux 4.18 in commit "vfs: Allow userns root to call mknod on owned filesystems." (55956b59df336f6738da916dbb520b6e37df9fbd), but it seems that the RHEL kernel has not backported the upstreamed revert commit [94f8200](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94f8200). The commit message of the revert commit explains the problem in detail, but to end users, it manifests as some systemd services inside systemd-nspawn / lxc making use of the PrivateDevices feature (e.g. Nginx on some distributions) will crash due to not being able to access nodes in /dev (for Nginx, it's /dev/null) that they should otherwise be able to access. Installing the mainline kernel from elrepo fixes the issue. This issue was discussed in https://github.com/lxc/lxd/issues/4950 https://github.com/systemd/systemd/pull/9483 which resulted in the upstream revert. Not being able to use systemd-nspawn or lxc normally on CentOS 8 is rather unfortunate. I think the revert commit should be cherry-picked to fix this issue.
Steps To Reproduce	1. Create systemd-nspawn container, I used ArchLinux as guest but this shouldn't be limited to the guest distribution 2. Install and launch Nginx service 3. open("/dev/null") failed (13: Permission denied)
Tags	No tags attached.

petercxy 2020-11-30 02:28 reporter ~0038011	This bug was submitted to upstream RHEL bugzilla as https://bugzilla.redhat.com/show_bug.cgi?id=1902543

toracat 2020-11-30 17:24 manager ~0038012	In the meantime, we can apply commit 55956b59df336f6738da916dbb520b6e37df9fbd to the plus kernel.

petercxy 2020-12-01 01:32 reporter ~0038015	toracat: The commit needs to be reverted, not applied. The upstream revert commit ID is 94f82008ce30e2624537d240d64ce718255e0b80. Commit 55956b is the one that breaks the containers because it makes mknod() less privileged than open(), which is contrary to prior assumptions made by almost all container runtimes (they assume if they can create a device node like /dev/null and give their children read permission, their children processes must be able to open() it too).

toracat 2020-12-01 07:28 manager ~0038017	Oops, right. The patch to apply is commit 94f82008ce30e2624537d240d64ce718255e0b80.

Date Modified	Username	Field	Change
2020-11-28 15:28	petercxy	New Issue
2020-11-30 02:28	petercxy	Note Added: 0038011
2020-11-30 17:24	toracat	Note Added: 0038012
2020-12-01 01:32	petercxy	Note Added: 0038015
2020-12-01 07:28	toracat	Note Added: 0038017