View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017896 | CentOS-8 | kernel | public | 2020-11-28 15:28 | 2020-12-01 07:28 |

| Target Version | Fixed in Version |
|---|---|
| | |
**Summary:** 0017896: BUG: Kernel 4.18 regression crashes some systemd services in containers
**Description:**

This is an old bug that was introduced in Linux 4.18 in commit "vfs: Allow userns root to call mknod on owned filesystems." (55956b59df336f6738da916dbb520b6e37df9fbd), but it seems that the RHEL kernel has not backported the upstream revert commit [94f8200](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94f8200).

The commit message of the revert explains the problem in detail, but to end users it manifests as some systemd services inside systemd-nspawn / lxc that use the PrivateDevices feature (e.g. Nginx on some distributions) crashing because they cannot access nodes in /dev (for Nginx, /dev/null) that they should otherwise be able to access. Installing the mainline kernel from elrepo fixes the issue.
This issue was discussed in
which resulted in the upstream revert.
Not being able to use systemd-nspawn or lxc normally on CentOS 8 is rather unfortunate. I think the revert commit should be cherry-picked to fix this issue.
**Steps To Reproduce:**

1. Create a systemd-nspawn container (I used Arch Linux as the guest, but this should not be limited to the guest distribution)
2. Install and launch the Nginx service
3. `open("/dev/null") failed (13: Permission denied)`
**Tags:** No tags attached.
**Notes:**

This bug was submitted to upstream RHEL bugzilla as https://bugzilla.redhat.com/show_bug.cgi?id=1902543

In the meantime, we can apply commit 55956b59df336f6738da916dbb520b6e37df9fbd to the plus kernel.

toracat: The commit needs to be reverted, not applied. The upstream revert commit ID is 94f82008ce30e2624537d240d64ce718255e0b80. Commit 55956b is the one that breaks the containers because it makes mknod() less privileged than open(), which is contrary to prior assumptions made by almost all container runtimes (they assume that if they can create a device node like /dev/null and give their children read permission, their child processes must be able to open() it too).

Oops, right. The patch to apply is commit 94f82008ce30e2624537d240d64ce718255e0b80.
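A shell probe for the mknod()/open() mismatch toracat describes above, added here as an example and not part of the bug report or of any project's code: it recreates the container runtime's situation in a throwaway user namespace and reports whether the running kernel behaves like the regressed one. It assumes util-linux unshare(1) with its -U, -r and -m options and that unprivileged user namespaces are enabled; where they are not, it reports "unavailable" rather than guessing.

```shell
#!/bin/sh
# Probe for the mknod()/open() mismatch described in this bug. Inside a fresh
# user namespace we mount a tmpfs owned by that namespace, mknod a character
# device with /dev/null's numbers (major 1, minor 3) on it, then try to open
# the node. A kernel carrying commit 55956b59 lets the mknod succeed but
# refuses the open, which is what leaves PrivateDevices= services in an
# nspawn/lxc guest without a usable /dev/null.

# Inner script, run as root of the new user+mount namespace. Exit codes:
# 0 = mknod and open both worked, 10 = mknod refused, 20 = mknod allowed but
# open refused, 30 = the tmpfs setup itself failed.
inner='
d=$(mktemp -d) || exit 30
rc=0
mount -t tmpfs none "$d" 2>/dev/null || rc=30
[ $rc -eq 0 ] && { mknod "$d/null" c 1 3 2>/dev/null || rc=10; }
[ $rc -eq 0 ] && { cat "$d/null" 2>/dev/null || rc=20; }
umount "$d" 2>/dev/null; rmdir "$d" 2>/dev/null
exit $rc
'

# Map the inner exit status to a verdict (the verdict names are our own).
classify() {
  case "$1" in
    10) echo fixed ;;       # mknod refused: runtimes fall back to bind mounts
    20) echo regression ;;  # mknod allowed, open refused: the bug on this page
    0)  echo unexpected ;;  # both worked inside a child namespace
    *)  echo unavailable ;; # no unshare(1), user namespaces or tmpfs here
  esac
}

# Run the inner script in a new user namespace (-U, with -r mapping us to
# uid 0) and a private mount namespace (-m), then classify its exit status.
probe() {
  command -v unshare >/dev/null 2>&1 || { echo unavailable; return 0; }
  rc=0
  unshare -Urm sh -c "$inner" 2>/dev/null || rc=$?
  classify "$rc"
}

probe
```

On the affected CentOS 8 kernels the probe prints "regression"; on kernels carrying the upstream revert (or older than 4.18) it prints "fixed".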