The fix for this regression has now been uploaded to Ubuntu 14.04.

On Wed, Sep 30, 2015 at 12:13:26PM -0400, Stéphane Graber wrote:
> Hi,
>
> We're aware of a regression in the patch that was uploaded to Ubuntu
> 14.04 LTS and then automatically backported to the lts PPAs.
>
> This patch differed a bit from the one sent upstream as we had to
> work around a kernel bug in the Ubuntu 3.13 kernel.
>
> Serge Hallyn is currently working on a fix for this issue. It does so
> far appear to be caused by absolute paths containing "//" in them. The
> planned fix is to normalize those paths to using a single "/".
>
> We expect this regression to be fixed in Ubuntu 14.04 and the lts PPAs
> in the very near future.
>
> Until then, the best way around this issue is to either fix your
> lxc.mount.entry or fstab entry by replacing all "//" by a single "/" or
> as suggested on this list, make use of relative mounts.
>
> Stéphane
>
> On Wed, Sep 30, 2015 at 09:24:17AM +0200, Timotheus Pokorra wrote:
> > Hello,
> >
> > > During a recent security audit of LXC, Roman Fiedler identified a
> > > security vulnerability in LXC.
> > thanks for providing this fix!
> >
> > I updated to the latest release on the stable/lts PPA
> > (https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lts).
> > package version: 1.0.7-0ubuntu0.5~ubuntu14.04.1~ppa1
> >
> > > 1. do not allow mounts to paths containing symbolic links
> > > 2. do not allow bind mounts from relative paths containing symbolic
> > > links.
> >
> > Unfortunately, now I cannot start a container anymore, which does have a
> > mount.
> > It is not using symbolic links, as far as I can see.
> > In the config file, I have this line:
> > lxc.mount.entry =
> > /var/lib/repocache/57/debian/jessie/amd64/var/cache/apt
> > /var/lib/lxc/57-jessiestable.kolab.pokorra.de/rootfs/var/cache/apt
> > none defaults,bind 0 0
> >
> > But lxc-start -n shows me this error:
> >
> > lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto
> > /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt resulted in
> > /usr/lib/x86_64-linux-gnu/lxc/var/cache/apt
> >
> > lxc-start: utils.c: safe_mount: 1409 Mount of
> > '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' onto
> > '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt' was onto a symlink!
> > lxc-start: conf.c: mount_entry: 2051 No such file or directory -
> > failed to mount
> > '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' on
> > '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt'
> > lxc-start: conf.c: lxc_setup: 4165 failed to setup the mount entries
> > for '57-jessiestable.kolab.pokorra.de'
> >
> > I wonder where does the path
> > /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt come from?
> > Is there a bug in the security patch, or some problem in my system?
> > It used to work fine before applying this latest release.
> >
> > Thanks for any ideas,
> > Timotheus
> > _______________________________________________
> > lxc-users mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
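Added example, not part of the original thread and not LXC's own code: the "//" normalization described above as the planned fix, applied to the two paths from the quoted error output. It assumes the regressed check compared the requested mount target with the resolved path as literal strings; all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Collapse every run of '/' in path to a single '/', in place.
 * (On Linux a leading "//" is equivalent to "/".) */
static void collapse_slashes(char *path)
{
    char *dst = path;
    for (const char *src = path; *src; src++) {
        if (*src == '/' && dst > path && dst[-1] == '/')
            continue;               /* skip the repeated separator */
        *dst++ = *src;
    }
    *dst = '\0';
}

/* Literal comparison: the behaviour assumed for the regressed check. */
static int target_matches_literal(const char *requested, const char *resolved)
{
    return strcmp(requested, resolved) == 0;
}

/* Comparison after normalizing the requested path.
 * Returns 1 on match, 0 on mismatch, -1 on allocation failure. */
static int target_matches_normalized(const char *requested, const char *resolved)
{
    size_t n = strlen(requested) + 1;
    char *copy = malloc(n);
    if (!copy)
        return -1;
    memcpy(copy, requested, n);
    collapse_slashes(copy);
    int same = strcmp(copy, resolved) == 0;
    free(copy);
    return same;
}

int main(void)
{
    /* Paths taken from the error output quoted in the thread. */
    const char *requested = "/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt";
    const char *resolved  = "/usr/lib/x86_64-linux-gnu/lxc/var/cache/apt";
    /* Constructed case: the target really resolved somewhere else. */
    const char *elsewhere = "/etc/apt";

    printf("literal:    %d\n", target_matches_literal(requested, resolved));
    printf("normalized: %d\n", target_matches_normalized(requested, resolved));
    printf("symlinked:  %d\n", target_matches_normalized(requested, elsewhere));
    return 0;
}
```

The literal comparison rejects the "//" path even though no symlink is involved, while the normalized comparison accepts it and still rejects a target that resolved to a different location.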
