Package: util-vserver
Version: 0.30.216~r2772-6
Severity: important
Tags: patch
Problem description:

We run several stripped-down Vservers which mount as many directories as possible read-only from another Vserver (like /sbin, /bin, ...). The Vservers reside on their own LVM partition. Our /etc/vservers/vs-www/fstab looks like this:

/srv/vserver/skeleton.vs-web/etc /etc none bind,ro 0 0
/srv/vserver/skeleton.vs-web/bin /bin none bind,ro 0 0
/srv/vserver/skeleton.vs-web/usr /usr none bind,ro 0 0
/srv/vserver/skeleton.vs-web/lib /lib none bind,ro 0 0
/srv/vserver/skeleton.vs-web/sbin /sbin none bind,rw 0 0
/srv/vserver/skeleton.vs-web/opt /opt none bind,ro 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0

If the last "bind" entry is a "ro" mount, the whole partition in the host will be mounted read-only. If we change the last bind-mount to "rw", everything is fine:

[...]
/srv/vserver/skeleton.vs-web/opt /opt none bind,rw 0 0
[...]

Expected Behavior:

The Vserver should start up without mounting the partition read-only.

Further Information:

Please see also the upstream bug report: http://savannah.nongnu.org/bugs/?25547

Patch:

We have backported the fix from upstream and it works for us.
Behaviour without patch / Steps to reproduce:

laura:/srv/vserver# touch test
laura:/srv/vserver# vserver vs-www start
secure-mount: open(<mtab>): Read-only file system
Failed to update mtab-file
secure-mount: open(<mtab>): Read-only file system
Failed to update mtab-file
secure-mount: open(<mtab>): Read-only file system
Failed to update mtab-file
secure-mount: open(<mtab>): Read-only file system
Failed to update mtab-file
secure-mount: open(<mtab>): Read-only file system
Failed to update mtab-file
secure-mount: write(): Invalid argument
Failed to update mtab-file
secure-mount: write(): Invalid argument
Failed to update mtab-file
chroot-sh: unlink("var/run/crond.reboot"): Read-only file system
chroot-sh: unlink("var/run/crond.pid"): Read-only file system
chroot-sh: unlink("var/run/utmp"): Read-only file system
Failed to start vserver 'vs-www'
laura:/srv/vserver# touch test
touch: cannot touch `test': Read-only file system

Behaviour with patch:

laura:/srv/vserver# touch test
laura:/srv/vserver# vserver vs-www start
secure-mount: write(): Invalid argument
Failed to update mtab-file
secure-mount: write(): Invalid argument
Failed to update mtab-file
Starting OpenBSD Secure Shell server: sshd.
SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin
Starting web server: lighttpd.
Starting Postfix Mail Transport Agent: postfix.
Starting periodic command scheduler: crond.
laura:/srv/vserver# touch test
laura:/srv/vserver#

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-vserver-amd64 (SMP w/16 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages util-vserver depends on:
ii  debconf       1.5.24      Debian configuration management sy
ii  iproute       20080725-2  networking and traffic control too
ii  libbeecrypt6  4.1.2-7     open source C library of cryptogra
ii  libc6         2.7-18      GNU C Library: Shared libraries
ii  make          3.81-5      The GNU version of the "make" util
ii  net-tools     1.60-22     The NET-3 networking toolkit
ii  util-linux    2.13.1.1-1  Miscellaneous system utilities

Versions of packages util-vserver recommends:
ii  binutils     2.18.1~cvs20080103-7  The GNU assembler, linker and bina
ii  debootstrap  1.0.10lenny1          Bootstrap a basic Debian system

Versions of packages util-vserver suggests:
ii  iptables                  1.4.2-6          administration tools for packet fi
ii  linux-image-2.6.26-1-vse  2.6.26-13lenny2  Linux 2.6.26 image on AMD64, Linux
ii  module-init-tools         3.4-1            tools for managing Linux kernel mo
ii  procps                    1:3.2.7-11       /proc file system utilities
pn  vlan                      <none>           (no description available)
ii  wget                      1.11.4-2         retrieves files from the web
pn  yum                       <none>           (no description available)

-- debconf information:
  util-vserver/prerm_stop_running_vservers: true
  util-vserver/postrm_remove_vserver_configs: false

--
Kind regards / Best Regards
Dominik Schulz
--- util-vserver-0.30.216~r2772/debian/patches/20securemount.dpatch 2009-04-17 10:36:08.000000000 +0200 +++ util-vserver-0.30.216~r2772-patched/debian/patches/20securemount.dpatch 2009-04-14 10:45:12.000000000 +0200 @@ -8,7 +8,7 @@ diff -urNad trunk~/src/secure-mount.c trunk/src/secure-mount.c --- trunk~/src/secure-mount.c 2008-03-17 12:20:27.000000000 -0400 +++ trunk/src/secure-mount.c 2008-08-27 12:55:02.000000000 -0400 -@@ -436,6 +436,20 @@ +@@ -436,6 +436,19 @@ perror("secure-mount: mount()"); return false; } @@ -19,8 +19,7 @@ + return false; + if (mount(mnt->src, ".", + mnt->type ? mnt->type : "", -+ ((mnt->flag & ~(MS_BIND|MS_REC)) | -+ MS_REMOUNT), NULL) == -1 && ++ (mnt->flag | MS_REMOUNT), NULL) == -1 && + errno != EBUSY) { /* Returned on older kernels */ + perror("secure-mount: mount()"); + return false;
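Review bot: the one-line change to `(mnt->flag | MS_REMOUNT)` is the right fix but carries no explanation, and the old mask it replaces reads as deliberate, so the reason belongs in a comment above the call: `(mnt->flag & ~(MS_BIND|MS_REC))` dropped MS_BIND from the second mount(), and MS_REMOUNT without MS_BIND applies MS_RDONLY to the source filesystem's superblock rather than to the freshly created bind mount, which is exactly the "whole host partition read-only" symptom the reporter sees; with MS_BIND kept, the remount changes only the per-mount-point flags (mount(2), Linux 2.6.26 and later, matching the reporter's kernel). Two smaller points: the dpatch header should reference the upstream report (savannah bug 25547) so the next person does not reintroduce the mask, and the `errno != EBUSY` branch that follows still silently accepts a remount that did not take effect, leaving the directory writable with no diagnostic, so at least a warning there would be worth adding. The hunk header change from `+20` to `+19` is consistent with the two-line expression becoming one.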
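As an added example (written for this page; not util-vserver's code and not the reporter's), the C program below does the two-step read-only bind mount the way the patched secure-mount does, keeping MS_BIND in the MS_REMOUNT call, and then gives the check a practitioner wants after starting a guest: it reads /proc/self/mountinfo and tells a bind mount whose own flags say `ro` apart from a source filesystem whose superblock was remounted `ro`, which is the host-wide symptom in this report. The sample mountinfo lines are constructed, and the guest root under /var/lib/vservers is a hypothetical path; the mount point names, device and field layout follow the mountinfo format documented in proc(5). Run it as root with a source and target directory to exercise the real mount path, or with no arguments to evaluate the constructed samples.

```c
/* Added example, not part of util-vserver: apply a read-only bind mount the
 * way the patched secure-mount does, then verify via /proc/self/mountinfo
 * that "ro" landed on the bind mount and not on the source filesystem. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Flags for the second mount(). The unpatched code computed
 * (flag & ~(MS_BIND|MS_REC)) | MS_REMOUNT, which drops MS_BIND and so turns
 * the remount into a superblock remount of the whole source filesystem. */
unsigned long remount_flags(unsigned long flag)
{
    return flag | MS_REMOUNT;
}

/* Bind src onto dst, then remount it read-only. Per mount(2), MS_REMOUNT with
 * MS_BIND changes only this mount point's flags (Linux >= 2.6.26).
 * Needs CAP_SYS_ADMIN. Returns 0 on success, -1 with errno set. */
int bind_mount_ro(const char *src, const char *dst)
{
    unsigned long flag = MS_BIND | MS_RDONLY;

    if (mount(src, dst, "", flag, NULL) == -1)
        return -1;
    if (mount(src, dst, "", remount_flags(flag), NULL) == -1 && errno != EBUSY)
        return -1;                /* EBUSY is tolerated as secure-mount does */
    return 0;
}

/* 1 if a comma-separated option list of length len contains the token "ro". */
static int has_ro(const char *opts, size_t len)
{
    const char *end = opts + len;

    while (opts < end) {
        const char *q = memchr(opts, ',', (size_t)(end - opts));
        size_t n = q ? (size_t)(q - opts) : (size_t)(end - opts);

        if (n == 2 && opts[0] == 'r' && opts[1] == 'o')
            return 1;
        if (!q)
            break;
        opts = q + 1;
    }
    return 0;
}

/* Next space-delimited token in [*pp, end); NULL when exhausted. */
static const char *next_tok(const char **pp, const char *end, size_t *tlen)
{
    const char *p = *pp, *t;

    while (p < end && *p == ' ')
        p++;
    if (p >= end)
        return NULL;
    t = p;
    while (p < end && *p != ' ')
        p++;
    *tlen = (size_t)(p - t);
    *pp = p;
    return t;
}

/* One mountinfo line (proc(5)):
 *   id parent maj:min root mountpoint mnt_opts [tag ...] - fstype source sb_opts
 * Returns 1 and fills *mnt_ro / *sb_ro when the line is for mountpoint.
 * Assumes the mount point contains no octal-escaped spaces. */
static int parse_line(const char *line, size_t len, const char *mountpoint,
                      int *mnt_ro, int *sb_ro)
{
    const char *p = line, *end = line + len, *tok, *sb_opts = NULL;
    const char *fld[6];
    size_t flen[6], tl, sb_len = 0;
    int nf = 0, sep = 0, after = 0;

    while ((tok = next_tok(&p, end, &tl)) != NULL) {
        if (!sep) {
            if (tl == 1 && *tok == '-')
                sep = 1;                      /* optional fields end here */
            else if (nf < 6) {
                fld[nf] = tok; flen[nf] = tl; nf++;
            }
        } else if (after++ == 2) {
            sb_opts = tok; sb_len = tl;       /* third token after "-" */
        }
    }
    if (nf < 6 || !sb_opts)
        return 0;
    if (flen[4] != strlen(mountpoint) || memcmp(fld[4], mountpoint, flen[4]) != 0)
        return 0;
    *mnt_ro = has_ro(fld[5], flen[5]);
    *sb_ro = has_ro(sb_opts, sb_len);
    return 1;
}

/* Verdict for one mount point in a mountinfo text:
 *   0  per-mount ro, superblock rw: the intended read-only bind mount
 *   1  superblock ro: the source filesystem itself was remounted read-only
 *   2  present but not read-only at all
 *  -1  mount point not found */
int check_bind_ro(const char *mountinfo, const char *mountpoint)
{
    const char *p = mountinfo;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int mnt_ro, sb_ro;

        if (parse_line(p, len, mountpoint, &mnt_ro, &sb_ro))
            return sb_ro ? 1 : (mnt_ro ? 0 : 2);
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Constructed sample lines (hypothetical guest root under /var/lib/vservers):
 * the patched behaviour, and the host-wide read-only state from the report. */
const char *SAMPLE_FIXED =
    "96 21 253:3 /skeleton.vs-web/etc /var/lib/vservers/vs-www/etc ro,relatime - ext3 /dev/mapper/vg0-vserver rw,errors=continue\n"
    "21 18 253:3 / /srv/vserver rw,relatime - ext3 /dev/mapper/vg0-vserver rw,errors=continue\n";
const char *SAMPLE_BUGGY =
    "96 21 253:3 /skeleton.vs-web/etc /var/lib/vservers/vs-www/etc rw,relatime - ext3 /dev/mapper/vg0-vserver ro,errors=continue\n"
    "21 18 253:3 / /srv/vserver rw,relatime - ext3 /dev/mapper/vg0-vserver ro,errors=continue\n";

/* Slurp /proc/self/mountinfo; its size is not known up front. */
static char *read_mountinfo(void)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char *buf = NULL, *nb;
    size_t cap = 0, len = 0, n;

    if (!f)
        return NULL;
    do {
        cap = cap ? cap * 2 : 16384;
        if (!(nb = realloc(buf, cap))) {
            free(buf); fclose(f); return NULL;
        }
        buf = nb;
        n = fread(buf + len, 1, cap - len - 1, f);
        len += n;
    } while (n > 0 && len == cap - 1);
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(int argc, char **argv)
{
    if (argc == 3) {                 /* as root: bind argv[1] onto argv[2] ro */
        char *mi;
        int v;

        if (bind_mount_ro(argv[1], argv[2]) == -1) {
            perror("bind_mount_ro");
            return 1;
        }
        mi = read_mountinfo();
        v = mi ? check_bind_ro(mi, argv[2]) : -1;
        free(mi);
        printf("%s: verdict %d (0 = bind mount ro, superblock rw)\n", argv[2], v);
        return v == 0 ? 0 : 1;
    }
    printf("fixed guest mount -> %d\n", check_bind_ro(SAMPLE_FIXED, "/var/lib/vservers/vs-www/etc"));
    printf("buggy guest mount -> %d\n", check_bind_ro(SAMPLE_BUGGY, "/var/lib/vservers/vs-www/etc"));
    printf("buggy host mount  -> %d\n", check_bind_ro(SAMPLE_BUGGY, "/srv/vserver"));
    return 0;
}
```

Verdict 1 on the host's own partition (the second SAMPLE_BUGGY line) is the state the report describes: the guest's fstab entry made /srv/vserver read-only for the host, and the per-mount field of the guest bind mount still says `rw` because the flag went to the superblock instead. The same check against a live system after `vserver ... start` is a cheap post-start assertion for anyone relying on read-only bind mounts as a containment measure.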