Bug#1053821: crun: kernel 6.1.0-13 (6.1.55) breaks compatibility with crun < 1.9.2

Austin Dworaczyk Wiltshire

Oct 11, 2023, 9:10:05 PM
Package: crun
Version: 1.8.1-1+b1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
The release of kernel 6.1.0-13 (6.1.55) included a change ('attr: block mode changes of symlinks') which
breaks running containers that use systemd (like Debian itself) as
the init system.

This issue was recognized on the crun issue tracker:
1. https://github.com/containers/crun/issues/1308
2. https://github.com/containers/crun/pull/1309

Reproduction instructions are here:
1. https://github.com/containers/crun/issues/1308#issuecomment-1731077226

The offending kernel commit is here:
1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d1f903f75a80daa4dfb3d84e114ec8ecbf29956

Which shows up in this changelog:
1. https://metadata.ftp-master.debian.org/changelogs//main/l/linux-signed-amd64/linux-signed-amd64_6.1.55+1_changelog

The end result is that running the current version of crun with
kernel 6.1.0-13 (6.1.55) means that containers using systemd as their
init system will fail to run with an error like the following:

'Error: OCI runtime error: crun: chmod `run/shm`: Operation not supported'

* What exactly did you do (or not do) that was effective (or
ineffective)?
I ran a container that uses systemd as an init system, following
the instructions listed here:
https://github.com/containers/crun/issues/1308#issuecomment-1731077226
* What was the outcome of this action?
An error message like the following:
'Error: OCI runtime error: crun: chmod `run/shm`: Operation not supported'
* What outcome did you expect instead?
The container to run properly.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 12.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages crun depends on:
ii libc6 2.36-9+deb12u3
ii libcap2 1:2.66-4
ii libseccomp2 2.5.4-1+b3
ii libsystemd0 252.17-1~deb12u1
ii libyajl2 2.1.0-3+deb12u2

crun recommends no packages.

crun suggests no packages.

-- no debconf information

Jesse Hathaway

Nov 2, 2023, 11:50:05 AM
Hey Faidon, I hope you are well!

Since this bug affects the current version in bookworm, v1.8.1, would
there be a possibility of adding the upstream patch to bookworm's
version? I tested applying the patches atop v1.8.1 and they apply
cleanly, and fix the issue as well.

git checkout -b bookworm 1.8.1
git cherry-pick 57262a2710c83fa08767f0ce3ba7a80993515bb2
git cherry-pick 14afa8a46e2e83608a3a219402bce8ea8d071192

Yours kindly, Jesse Hathaway

Faidon Liambotis

Nov 2, 2023, 2:30:06 PM
Control: severity -1 important

On Thu, Nov 02, 2023 at 10:43:46AM -0500, Jesse Hathaway wrote:
> Since this bug affects the current version in bookworm, v1.8.1, would
> there be a possibility of adding the upstream patch to bookworm's
> version? I tested applying the patches atop v1.8.1 and they apply
> cleanly, and fix the issue as well.
>
> git checkout -b bookworm 1.8.1
> git cherry-pick 57262a2710c83fa08767f0ce3ba7a80993515bb2
> git cherry-pick 14afa8a46e2e83608a3a219402bce8ea8d071192

Despite Austin's description noting this, I had read the bug a bit in
haste and thought this was only affecting crun 1.8.1 + Linux >= 6.6 (as
crun's commit message mentioned). In other words, a combination of (crun
from bookworm) + (Linux from sid), which, while not great, wasn't that
big of an issue.

However, after discussing this further with Jesse, I realized that the
kernel commit in question (5d1f903f75a80daa4dfb3d84e114ec8ecbf29956,
"attr: block mode changes of symlinks") has been backported as a stable
update to 6.1.55 (6a84939cc7dd6f970c2621ded82c4d9ea0068b1b), in turn part
of src:linux 6.1.55-1, currently in bookworm.

This means that bookworm's crun, combined with bookworm's current
kernel, is broken when running containers with systemd as the init
system.

A simple test case is:
podman run --rm -d docker.io/jrei/systemd-debian:12

I'm going to prepare a stable update backporting these two commits,
hopefully resolving this incompatibility.

Thanks all!
Faidon
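
A triage check for the kernel and crun pairing reported in this thread, given as an added example that is not part of any message above nor of crun or Debian tooling. The function names are hypothetical, the thresholds are only those the thread states (crun < 1.9.2; kernel 6.1.55 onward in the 6.1 series, or >= 6.6), and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example: flags the crun/kernel pairing this thread reports as broken.
# Thresholds are taken from the thread only; other stable kernel series are
# not covered, and a distro build of crun that backports the fix under an
# older upstream version number will still be reported as lacking it.

# ver_ge A B: succeed when version A >= version B (needs GNU sort -V).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# strip_rev VERSION: drop a packaging suffix such as "-1+b1" or "~deb12u1".
strip_rev() {
    printf '%s\n' "${1%%[-+~]*}"
}

# kernel_has_change VERSION: does this upstream kernel version carry
# "attr: block mode changes of symlinks"? Pass 6.1.55, not the ABI name 6.1.0-13.
kernel_has_change() {
    k=$(strip_rev "$1")
    case "$k" in
        6.1.*) ver_ge "$k" 6.1.55 ;;   # stable backport named in the thread
        *)     ver_ge "$k" 6.6 ;;      # mainline version named in the thread
    esac
}

# crun_has_fix VERSION: is the upstream crun version at least 1.9.2?
crun_has_fix() {
    ver_ge "$(strip_rev "$1")" 1.9.2
}

# affected KERNEL_VERSION CRUN_VERSION: succeed when the pairing matches the report.
affected() {
    kernel_has_change "$1" && ! crun_has_fix "$2"
}

# Stand-alone use: sh check.sh KERNEL_VERSION CRUN_VERSION
if [ "$#" -eq 2 ]; then
    if affected "$1" "$2"; then
        echo "affected: kernel $1 with crun $2"
    else
        echo "not affected: kernel $1 with crun $2"
    fi
fi
```

Feed it the upstream kernel version from the kernel package (6.1.55 for bookworm's 6.1.0-13), since the ABI name alone does not show the stable point release.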