[Bug 1034125] [NEW] containers can load a kernel to kexec
Serge Hallyn
1034125 at bugs.launchpad.net
Tue Aug 7 19:15:15 UTC 2012
Public bug reported:
Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a
container to have.
A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused. However, it can do kexec -l to load a kernel for the next kexec -e. This means that it could race with an admin on the host doing 'kexec -l; kexec -e'.
Exact command line used in the container (after copying /boot/* from the host to /var/lib/lxc/q1/rootfs/boot/):
sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic
Before this, kexec -e on the host gives:
Nothing has been loaded!
After this, it loads the new kernel.
There is a patch on lkml to prevent a task in non-init pid namespace
(i.e. a container) from loading kexec kernels:
https://lkml.org/lkml/2012/8/3/152. Please apply to precise and
quantal.
After quantal, user namespaces will provide an alternative fix.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: lxc (Ubuntu)
Importance: High
Status: Triaged
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a
container to have.
- A container can't do 'kexec -e' to actually execute the new kernel,
- because that requires a call to reboot which is refused. However, it
- can do kexec -l do load a kernel for the next kexec -e. This means that
- it could race with an admin on the host doing 'kexec -l; kexec -e'.
- Exact command line used in the container:
+ A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused. However, it can do kexec -l do load a kernel for the next kexec -e. This means that it could race with an admin on the host doing 'kexec -l; kexec -e'. Exact command line used in the container (after
+ copying /boot/* from the host to /var/lib/lxc/q1/rootfs/boot/ ) :
sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL
=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic
Before this, kexec -e on the host gives:
Nothing has been loaded!
After this, it loads the new kernel.
There is a patch on lkml to prevent a task in non-init pid namespace
(i.e. a container) from loading kexec kernels:
https://lkml.org/lkml/2012/8/3/152. Please apply to precise and
quantal.
After quantal, user namespaces will provide an alternative fix.
** Changed in: lxc (Ubuntu)
Status: New => Triaged
** Changed in: lxc (Ubuntu)
Importance: Undecided => High
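As an added example (not code from the bug report, from lxc or from the kernel patch it links), here is a small C program that checks the two things the report turns on: whether CAP_SYS_BOOT is present in the capability sets a process sees in /proc/self/status, and whether the kernel's kexec_load() permission check lets the calling process through. The probe passes a flags value that is valid on no kernel, so it can neither load nor unload a kexec image. The two status texts are constructed samples, one with a full capability set as an LXC container of that era would have, one with a Docker-style reduced bounding set. The probe assumes that kexec_load() tests CAP_SYS_BOOT before it validates flags, as kernel/kexec.c does, so EPERM means the permission check refused the call and EINVAL means the caller passed it.

```c
/* kexec_probe.c: added example, not from the bug report or the projects it names.
 * 1) read a capability bit out of /proc/<pid>/status text
 * 2) probe the kexec_load() permission check without loading anything */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_SYS_BOOT_BIT 22   /* CAP_SYS_BOOT from <linux/capability.h> */

/* Constructed sample: all capabilities granted, as in the reporter's LXC
 * container (CapBnd value chosen to cover CAP_SYS_BOOT, not copied from a host). */
const char sample_lxc_status[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000001fffffffff\n"
    "CapEff:\t0000001fffffffff\n"
    "CapBnd:\t0000001fffffffff\n";

/* Constructed sample: a reduced bounding set of the kind container runtimes
 * use by default; bit 22 (CAP_SYS_BOOT) is not part of 0xa80425fb. */
const char sample_restricted_status[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n";

/* Find the line "<set_name>:\t<hex mask>" in /proc/<pid>/status text and
 * report whether capability number `bit` is in it.
 * Returns 1 (set), 0 (clear) or -1 (line missing or not parsable). */
int status_has_cap(const char *status_text, const char *set_name, int bit)
{
    char key[32];
    snprintf(key, sizeof key, "%s:", set_name);
    size_t keylen = strlen(key);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, key, keylen) == 0) {
            char *end;
            /* strtoull skips the leading tab and parses the hex mask */
            unsigned long long mask = strtoull(p + keylen, &end, 16);
            if (end == p + keylen)
                return -1;
            return (int)((mask >> bit) & 1ULL);
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Read the calling process's own status file. Returns bytes read or -1. */
ssize_t read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Ask the kernel's kexec_load() permission check without loading anything.
 * Flag 0x8000 is in neither KEXEC_FLAGS nor KEXEC_ARCH_MASK, so the call
 * fails with EINVAL once the capability check has been passed, and with
 * EPERM when it has not (EPERM is also the usual result of a seccomp
 * profile that denies the syscall). Assumption: CAP_SYS_BOOT is checked
 * before the flags, as in kernel/kexec.c. Returns errno, or 0 on success. */
int probe_kexec_load(void)
{
#ifdef SYS_kexec_load
    long r = syscall(SYS_kexec_load, 0UL, 0UL, (void *)0, 0x8000UL);
    return r == -1 ? errno : 0;
#else
    return ENOSYS;   /* not a Linux build: syscall number unknown */
#endif
}

int main(void)
{
    char buf[8192];
    if (read_self_status(buf, sizeof buf) < 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("CAP_SYS_BOOT in CapEff: %d, in CapBnd: %d\n",
           status_has_cap(buf, "CapEff", CAP_SYS_BOOT_BIT),
           status_has_cap(buf, "CapBnd", CAP_SYS_BOOT_BIT));
    int e = probe_kexec_load();
    printf("kexec_load probe: %s (errno %d)\n", e ? strerror(e) : "succeeded", e);
    return 0;
}
```

Build with cc -o kexec_probe kexec_probe.c and run it once inside the container and once on the host. On a host without the linked patch, a container that keeps CAP_SYS_BOOT prints 1 for both sets and EINVAL from the probe, which is exactly the state the report describes: the permission check passes, so a real kexec -l would succeed. A container without the capability, or with a seccomp profile denying the syscall, gets EPERM. The probe only reports whether the permission check passed; it does not say which check refused the call, so a refusal coming from the pid-namespace patch and one coming from a missing capability look alike here.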
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1034125
Title:
containers can load a kernel to kexec