Bug#501359: initramfs-tools: MODULES=dep does not like Xen virtual block devices
- To: Michael Prokop <firstname.lastname@example.org>
- Cc: Ian Campbell <email@example.com>, firstname.lastname@example.org, maximilian attems <email@example.com>
- Subject: Bug#501359: initramfs-tools: MODULES=dep does not like Xen virtual block devices
- From: Ferenc Wagner <firstname.lastname@example.org>
- Date: Mon, 14 Jun 2010 12:47:42 +0200
- Message-id: <email@example.com>
- Reply-to: Ferenc Wagner <firstname.lastname@example.org>, email@example.com
- In-reply-to: <2010-06-14T12firstname.lastname@example.org> (Michael Prokop's message of "Mon, 14 Jun 2010 12:20:36 +0200")
- References: <20081215101740.GC4759@stro.at> <email@example.com> <20090217165832.GA21997@stro.at> <firstname.lastname@example.org> <20090218000140.GD3901@baikonur.stro.at> <email@example.com> <20100406022332.GC7863@stro.at> <firstname.lastname@example.org> <2010-06-08T11email@example.com> <firstname.lastname@example.org> <2010-06-14T12email@example.com>
Michael Prokop <firstname.lastname@example.org> writes:
> * Ferenc Wagner <email@example.com> [Wed Jun 09, 2010 at 04:14:22PM +0200]:
>> A side note: a couple of lines later devpts is still mounted in "legacy"
>> mode. This makes full devpts isolation impossible, which is a problem
>> if the running system wants to use Linux containers. I didn't track,
>> maybe this devpts mount does not survive the initramfs phase, but if it
>> does, this issue is something to think about (until the devpts default
>> changes, which won't be soon, and surely not for 2.6.32).
> Sorry, I'm not sure I can follow you. Can you please elaborate a bit?
You may want to refer to Documentation/devpts.txt in the Linux kernel
tree for more details. Above I mixed up the terminology somewhat. The
Squeeze kernel has CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, so it isn't
running in legacy mode, but the devpts mounts (both in the initramfs and
in the startup scripts) don't use the 'newinstance' option, so the
system ends up using the "initial kernel mount of devpts". Now even if
the container setup scripts take care to mount their own devpts
instances using the 'newinstance' option, this does not forbit the
contained system to also mount the "initial kernel mount of devpts" and
possibly interfere with the host system through it. The solution is to
mount devpts in the host system with the 'newinstance' option, too, and
thus insulate it from the containers possibly running on the host.
I'm still disturbed by the fact that several containers could mount the
"initial kernel mount of devpts" and cooperate through it, but that's
their choice to use the inherently insecure common instance.
Hope I managed to make it clearer now. I'm no expert of this, but this
concern seems somewhat founded, cf.