
Bug#847154: linux-image-amd64: Disabling vsyscall interface may break docker run



On Tue, 2016-12-06 at 10:02 +0000, Ian Campbell wrote:
> On Tue, 2016-12-06 at 12:56 +0900, Olaf Meeuwissen wrote:
> > You may want to add to the NEWS blurb that disabling the old 'virtual
> > syscall' interface can lead to crashes when trying to run a Docker
> > container.  With upstream's docker-engine-1.12.3-0~stretch, I see
> 
> This was also reported as #845085 against docker.io.
> 
> Ben mentioned somewhere that NEWS is not displayed for newly installed
> packages (such as linux-image-$ABI) and so the message is instead part
> of the NEWS in the meta package:
>
> $ zcat /usr/share/doc/linux-image-amd64/NEWS.Debian.gz | head -n18
> linux-latest (76) unstable; urgency=medium
> 
>   * From Linux 4.8, several changes have been made in the kernel
>     configuration to 'harden' the system, i.e. to mitigate security bugs.
>     Some changes may cause legitimate applications to fail, and can be
>     reverted by run-time configuration:
>     - On 64-bit PCs (amd64), the old 'virtual syscall' interface is
>       disabled.  This breaks (e)glibc 2.13 and earlier.  To re-enable it,
>       set the kernel parameter: vsyscall=emulate
>     - On most architectures, the /dev/mem device can no longer be used to
>       access devices that also have a kernel driver.  This breaks dosemu
>       and some old user-space graphics drivers.  To allow this, set the
>       kernel parameter: iomem=relaxed
>     - The kernel log is no longer readable by unprivileged users.  To
>       allow this, set the sysctl: kernel.dmesg_restrict=0
> 
>  -- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100
> 
> $
> 
> This was also displayed for me just now on upgrade of linux-image-amd64 
> from 4.7+75 to 4.8+76. Since this is already present in the version you
> reported the wishlist issue against I'm closing with this mail.
[...]

But perhaps we should be more explicit in this message, e.g.:

"This breaks (e)glibc 2.13 and earlier, which may still be installed in
a chroot or container environment based on Debian 7, RHEL/CentOS 6 or
earlier versions."

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett
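As an added example (my own, not part of the bug report or of any Debian package), a POSIX sh check for the host-side condition discussed above: it parses the kernel command line for the vsyscall= parameter named in the NEWS entry and looks for the [vsyscall] mapping in /proc/self/maps, which the kernel no longer exposes once the interface is disabled. The function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: does this amd64 kernel still expose the legacy vsyscall
# page that (e)glibc 2.13 and earlier (Debian 7, RHEL/CentOS 6) depend on?

# Parse a kernel command line for vsyscall=. The kernel handles every
# occurrence in order, so the last one wins. Prints "native", "emulate"
# or "none"; prints "default" when the parameter is absent (the mode is
# then whatever was compiled in, which is "none" on Debian's 4.8 kernels).
vsyscall_mode_from_cmdline() {
    mode=default
    for arg in $1; do
        case "$arg" in
            vsyscall=native|vsyscall=emulate|vsyscall=none)
                mode="${arg#vsyscall=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Look for the [vsyscall] page in a /proc/<pid>/maps listing. With
# vsyscall=none the kernel does not map it at all, so an old glibc that
# jumps into it takes SIGSEGV. Prints "present" or "absent".
vsyscall_page_state() {
    if printf '%s\n' "$1" | grep -q '\[vsyscall\]$'; then
        printf 'present\n'
    else
        printf 'absent\n'
    fi
}

# Verdict for containers/chroots with pre-2.14 glibc: "ok" or "broken".
old_glibc_verdict() {
    mode=$(vsyscall_mode_from_cmdline "$1")
    page=$(vsyscall_page_state "$2")
    if [ "$mode" = none ] || [ "$page" = absent ]; then
        printf 'broken\n'
    else
        printf 'ok\n'
    fi
}

# Report on the live host (meaningful on x86-64 Linux only).
check_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    maps=$(cat /proc/self/maps 2>/dev/null)
    echo "vsyscall= on cmdline: $(vsyscall_mode_from_cmdline "$cmdline")"
    echo "[vsyscall] mapping:   $(vsyscall_page_state "$maps")"
    echo "old-glibc containers: $(old_glibc_verdict "$cmdline" "$maps")"
}

check_host
```

If the report says "broken", the NEWS entry's fix applies: boot with vsyscall=emulate or move the affected container to a newer userland.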


