
Bug#847154: marked as done (linux-image-amd64: Disabling vsyscall interface may break docker run)



Your message dated Tue, 06 Dec 2016 10:02:11 +0000
with message-id <1481018531.4509.120.camel@debian.org>
and subject line Re: Bug#847154: linux-image-amd64: Disabling vsyscall interface may break docker run
has caused the Debian Bug report #847154,
regarding linux-image-amd64: Disabling vsyscall interface may break docker run
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
847154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-amd64
Version: 4.8+76
Severity: wishlist

Dear Maintainer,

You may want to add to the NEWS blurb that disabling the old 'virtual
syscall' interface can lead to crashes when trying to run a Docker
container.  With upstream's docker-engine-1.12.3-0~stretch, I see

  docker run -it --rm centos:6.8 /bin/bash

exit with a 139 status (and may leave a core file).  Adding a

  vsyscall=emulate

to the kernel parameters fixed this for me.

When using the centos:7 image, this problem does not occur.
On 4.7.0-1-amd64, both centos:6.8 and centos:7 Docker images work
without any problems.

Seeing that the centos:7 image works fine, I am inclined to think that
this problem may be limited to older Docker images.  I have not done any
research to back this up, nor do I plan to.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=ja_JP.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-amd64 depends on:
ii  linux-image-4.8.0-1-amd64  4.8.7-1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information

Hope this helps,
--
Olaf Meeuwissen, LPIC-2       FLOSS Engineer -- EPSON AVASYS CORPORATION
       Free Software Foundation Associate Member since 2004-01-27
    Support Free Software                  https://my.fsf.org/donate
    Join the Free Software Foundation        https://my.fsf.org/join

--- End Message ---
--- Begin Message ---
On Tue, 2016-12-06 at 12:56 +0900, Olaf Meeuwissen wrote:
> You may want to add to the NEWS blurb that disabling the old 'virtual
> syscall' interface can lead to crashes when trying to run a Docker
> container.  With upstream's docker-engine-1.12.3-0~stretch, I see

This was also reported as #845085 against docker.io.

Ben mentioned somewhere that NEWS is not displayed for newly installed
packages (such as linux-image-$ABI) and so the message is instead part
of the NEWS in the meta package:

$ zcat /usr/share/doc/linux-image-amd64/NEWS.Debian.gz | head -n18
linux-latest (76) unstable; urgency=medium

  * From Linux 4.8, several changes have been made in the kernel
    configuration to 'harden' the system, i.e. to mitigate security bugs.
    Some changes may cause legitimate applications to fail, and can be
    reverted by run-time configuration:
    - On 64-bit PCs (amd64), the old 'virtual syscall' interface is
      disabled.  This breaks (e)glibc 2.13 and earlier.  To re-enable it,
      set the kernel parameter: vsyscall=emulate
    - On most architectures, the /dev/mem device can no longer be used to
      access devices that also have a kernel driver.  This breaks dosemu
      and some old user-space graphics drivers.  To allow this, set the
      kernel parameter: iomem=relaxed
    - The kernel log is no longer readable by unprivileged users.  To
      allow this, set the sysctl: kernel.dmesg_restrict=0

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100

$

This was also displayed for me just now on upgrade of linux-image-amd64 
from 4.7+75 to 4.8+76. Since this is already present in the version you
reported the wishlist issue against I'm closing with this mail.

> Seeing that the centos:7 image works fine, I am inclined to think that
> this problem may be limited to older Docker images.  I have not done any
> research to back this up, nor do I plan to.

It is due to old eglibc in older distros. There's some more info in
https://github.com/docker/docker/issues/28705. I think
https://github.com/docker/docker/issues/28705#issuecomment-264564406
is pertinent also IMHO.

Ian.

--- End Message ---
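
A host-side check for the condition discussed in this thread, as an added example that is not part of the original messages or of Debian's tooling: it reads the vsyscall= kernel parameter, looks for the [vsyscall] page in a process memory map, and decodes the 139 exit status. The function names are hypothetical, the sample data is constructed, and taking the last vsyscall= occurrence as the effective one is an assumption.

```sh
#!/bin/sh
# Added example: is the legacy vsyscall page available on this host?
# Function names are hypothetical; sample data in vsyscall_demo is constructed.

# Print the value of the vsyscall= kernel parameter from a cmdline file, or
# "unset" if absent. Assumption: the last occurrence is the one that applies.
vsyscall_param() {
    val=$(tr ' ' '\n' < "$1" | sed -n 's/^vsyscall=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Succeed if a /proc/<pid>/maps file lists the [vsyscall] page.
vsyscall_mapped() {
    grep -q '\[vsyscall\]$' "$1"
}

# Shells report death by signal N as exit status 128+N, so the 139 seen
# from "docker run" is signal 11 (SIGSEGV). Prints 0 for a normal exit.
exit_signal() {
    if [ "$1" -gt 128 ]; then echo $(( $1 - 128 )); else echo 0; fi
}

# One-line summary; defaults to the live system's files.
vsyscall_report() {
    cmdline=${1:-/proc/cmdline}
    maps=${2:-/proc/self/maps}
    if vsyscall_mapped "$maps"; then state=mapped; else state=absent; fi
    echo "vsyscall page $state (vsyscall=$(vsyscall_param "$cmdline"))"
}

# Run the report against constructed inputs (not captured from a real host).
vsyscall_demo() {
    d=$(mktemp -d)
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet vsyscall=emulate' > "$d/cmdline"
    echo 'ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]' > "$d/maps"
    vsyscall_report "$d/cmdline" "$d/maps"
    rm -rf "$d"
}

case "${1:-}" in
    --live) vsyscall_report ;;
    --demo) vsyscall_demo ;;
esac
```

Run with --live on the host that launches the containers. A report of "absent" together with a 139 exit status from an old image matches the failure described in the thread.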