
On 26.11.2014 at 00:15, Richard Weinberger wrote:
Eric,
On Thu, Aug 21, 2014 at 4:09 PM, Eric W. Biederman <ebiederm@xmission.com> wrote:
Richard Weinberger <richard@nod.at> writes:
On 21.08.2014 at 15:12, Christoph Hellwig wrote:
On Wed, Aug 20, 2014 at 09:53:49PM -0700, Eric W. Biederman wrote:
Richard Weinberger <richard.weinberger@gmail.com> writes:
On Wed, Aug 6, 2014 at 2:57 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
This commit breaks libvirt-lxc. libvirt does in lxcContainerMountBasicFS():
The bugs fixed are security issues, so if we have to break a small number of userspace applications we will. Anything that we can reasonably do to avoid regressions will be done.
Can you explain the security issues in detail? Breaking common userspace like libvirt-lxc with just a little bit of handwaving is entirely unacceptable.
It looks like commit 87b47932f40a11280584bce260cbdb3b5f9e8b7d in git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git for-next unbreaks libvirt-lxc. I hope it hits Linus tree and -stable before the offending commit hits users.
I plan to send the pull request to Linus as soon as I have caught my breath (from all of the conferences this week) that I can be certain I am thinking clearly and not rushing things.
Today I've upgraded my LXC testbed to the most recent kernel and found libvirt-lxc broken again (sic!). Remounting /proc/sys/ is failing. Investigating the issue showed that commit "mnt: Implicitly add MNT_NODEV on remount as we do on mount" is not mainline. Why did you leave out this patch? In my previous mails I explicitly stated that exactly this commit unbreaks libvirt-lxc.
Now the userspace-breaking changes are mainline and hit users hard. :-(
*kind ping* ...to make sure that this issue doesn't get lost. Thanks, //richard
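The remount behaviour the thread is arguing about, as an added example that is not code from this thread, from libvirt or from the kernel: inside an unprivileged user namespace the kernel locks the mount flags (nodev, nosuid, noexec, ro) a mount inherited from the parent namespace and answers a remount that would drop one of them with EPERM; a remount of /proc/sys read-only that does not pass MS_NODEV therefore fails, and the commit named above makes the kernel carry the existing nodev over implicitly. `model_remount` is a simplified model of that check (the MNT_* names and bit values are assumed, not fs/namespace.c's), and `try_real_remount` issues the real mount(2) calls in a fresh user+mount namespace so you can see which flags your kernel insists on; the libvirt call shape (MS_BIND|MS_REMOUNT|MS_RDONLY on /proc/sys) is taken from the thread's description, not from libvirt source.

```c
/* Added example: model of the locked-mount-flag check on remount plus a
 * real attempt against /proc/sys.  Not kernel, libvirt or thread code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNS */

extern int unshare(int flags);  /* glibc prototype lives behind _GNU_SOURCE */

/* Per-mount flags as the model sees them (assumed names and values). */
enum {
    MNT_RDONLY      = 1 << 0,
    MNT_NODEV       = 1 << 1,
    MNT_LOCK_RDONLY = 1 << 8,   /* set when the mount was inherited ro   */
    MNT_LOCK_NODEV  = 1 << 9,   /* set when the mount was inherited nodev */
};

/*
 * Decide whether a remount requesting flags `req` is allowed on a mount
 * that currently carries `cur`.  Returns the resulting flags (>= 0) or
 * -EPERM.  `implicit_nodev` selects the behaviour of the fix named in the
 * thread: an existing nodev is kept when the caller omits it, instead of
 * the omission being treated as a request to clear a locked flag.
 */
int model_remount(unsigned cur, unsigned req, int implicit_nodev)
{
    if (implicit_nodev && (cur & MNT_NODEV))
        req |= MNT_NODEV;
    if ((cur & MNT_LOCK_RDONLY) && !(req & MNT_RDONLY))
        return -EPERM;
    if ((cur & MNT_LOCK_NODEV) && !(req & MNT_NODEV))
        return -EPERM;
    /* Lock bits survive the remount; the caller cannot clear them. */
    return (int)(req | (cur & (MNT_LOCK_RDONLY | MNT_LOCK_NODEV)));
}

/*
 * Real check: enter a fresh user+mount namespace, bind /proc/sys onto
 * itself and remount it read-only the way the thread describes the
 * libvirt call, first without MS_NODEV, then with the flags a typical
 * /proc mount already carries.  Returns the errno of the first attempt
 * (0 if it succeeded) or -1 if the namespaces could not be created
 * (unprivileged user namespaces disabled or sandboxed).
 */
int try_real_remount(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        return -1;
    /* Private propagation so nothing leaks back into the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND, NULL) != 0)
        return -1;
    if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) == 0)
        return 0;
    int first = errno;
    if (mount(NULL, "/proc/sys", NULL,
              MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NODEV | MS_NOSUID | MS_NOEXEC,
              NULL) == 0)
        fprintf(stderr, "remount succeeded once nodev,nosuid,noexec were passed\n");
    return first;
}

int main(void)
{
    int rc = model_remount(MNT_NODEV | MNT_LOCK_NODEV, MNT_RDONLY, 0);
    printf("model, ro remount without nodev, no fix: %s\n",
           rc < 0 ? strerror(-rc) : "ok");
    rc = model_remount(MNT_NODEV | MNT_LOCK_NODEV, MNT_RDONLY, 1);
    printf("model, same remount with implicit nodev: %s (flags 0x%x)\n",
           rc < 0 ? strerror(-rc) : "ok", rc < 0 ? 0 : rc);

    int real = try_real_remount();
    if (real == -1)
        printf("real remount skipped: cannot create user+mount namespace\n");
    else
        printf("real remount of /proc/sys without MS_NODEV: %s\n",
               real ? strerror(real) : "ok");
    return 0;
}
```

Run it unprivileged on the kernel under test: if the first real attempt reports EPERM and the retry with nodev,nosuid,noexec succeeds, the kernel is enforcing locked flags and userspace has to repeat every inherited flag on remount (or rely on a kernel that adds them implicitly).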