| === cmagina_ is now known as cmagina | ||
| === Mikee_C_afk is now known as Mikee_C | ||
| apw | hallyn, bug 1357025, looks like we lost a patch on rebase to v3.16, i've repplied it and am dumping test kernels in the bug shortly | 12:51 |
|---|---|---|
| ubot5 | bug 1357025 in linux (Ubuntu) "unprivileged overlayfs mounts no longer work in utopic" [Medium,Confirmed] https://launchpad.net/bugs/1357025 | 12:51 |
| rtg | apw, which one ? | 12:52 |
| apw | UBUNTU: SAUCE: Overlayfs: allow unprivileged mounts | 12:53 |
| apw | rtg, ^ | 12:53 |
| rtg | hmm, that isn't in my dropped file | 12:53 |
| apw | you probababally just said "overlayfs is dropped" as a whole ? | 12:54 |
| rtg | apw, could be | 12:54 |
| apw | collateral dammage from that, if the test existed (which it will soon) it owuld have been cought before it left CKT PPA but ... hey | 12:56 |
| hallyn | apw: cool, thanks | 13:01 |
| hallyn | apw: test case has been submitted to lxc upstream, it may make it into the utopic yet | 13:01 |
| apw | hallyn, ok there are test kernels up, if you could get them verified "soon" then we have an upload planned for today | 13:02 |
| apw | which i would like to see it in | 13:02 |
| hallyn | will do, thx | 13:05 |
| hallyn | apw: fixed | 13:14 |
| apw | hallyn, thanks for the confirmation, confidence was high | 13:14 |
| === willcooke_ is now known as willcooke | ||
| === hatch__ is now known as hatch | ||
| === cyphermox__ is now known as cyphermox | ||
| dannf | rtg: http://paste.ubuntu.com/8054904/ | 16:14 |
| dannf | rtg: i'll update to those regex's - let me know if there's any other tests you'd like me to add | 16:15 |
| rtg | dannf, I've never used extended regex's. I may have to find a new book :) | 16:15 |
| rtg | dannf, those look like sufficient tests | 16:17 |
| dannf | ack. will send out a patch after a test build | 16:17 |
| === cmagina_ is now known as cmagina | ||
| === Mikee_C is now known as Mikee_C_afk | ||
| === cyphermox_ is now known as cyphermox | ||
| apw | rtg, i sometimes wonder if we should just add .0 in the middle there for this purpose | 17:51 |
| apw | rtg, indeed i wonder what would happen if we just used like -Nr0.U and people rev'd r | 17:52 |
| apw | something to chew on | 17:52 |
| rtg | apw, so, what would that do for us (the distro) besides making the version even _more_ complicated ? | 18:18 |
| rtg | dannf, I just accidentally moderated your emails out of existence. maybe you should just subscribe ? | 18:43 |
| dannf | rtg: i'm on ubuntu-kernel | 18:44 |
| dannf | er kernel-team | 18:44 |
| rtg | dannf, this was the private list I moderated | 18:44 |
| dannf | oh - i assumed that was an organizational list | 18:45 |
| hallyn | sforshee: just to be sure, nothing you've done with fuse+userns would break if fuse mounts requred MS_DEV? | 20:13 |
| hallyn | uh, MS_NODEV | 20:13 |
| === chiluk` is now known as chiluk | ||
| sforshee | hallyn: I'm thinking that I required MS_NODEV for fuse+userns mounts, but I'd have to go back and look | 20:15 |
| hallyn | cool, long as there's nothing wher eyou'd have needed NOT specifying MS_NODEV :) (which would be ridiculous, i think) | 20:16 |
| hallyn | thanks | 20:16 |
| sforshee | hallyn: yeah, I didn't set FS_USERNS_DEV_MOUNT which means that any userns mounts get NODEV | 20:16 |
| hallyn | not for long :) | 20:17 |
| sforshee | are you referring to that cve fix? | 20:17 |
| sforshee | hallyn: either way, I think letting a userns+fuse mount contain devices would be a big problem | 20:19 |
| hallyn | sforshee: i'm referring to a patch by Andy L. reverting part of Eric's patch | 20:21 |
| hallyn | (not sure if that's the cve fix you mean) | 20:22 |
| sforshee | hallyn: yeah, I'm talking about the one from eric. Do you have a link to the revert? | 20:22 |
| hallyn | sforshee: http://lkml.org/lkml/2014/8/13/746 | 20:23 |
| sforshee | hallyn: that's still okay then. Instead of an implicit NODEV the mount just fails. | 20:24 |
| hallyn | right | 20:25 |
| sforshee | hallyn: does that impact our overlayfs support? | 20:27 |
| hallyn | sforshee: hm. it might | 20:27 |
| hallyn | but if it does then lxc should simply add the nodev option | 20:28 |
| hallyn | the new lxc-test-unpriv extension should catch it if it does | 20:28 |
| sforshee | right, something to look out for when we pick up that patch | 20:28 |
| stgraber | hmm, so the latest kernel security update for the 3.13 kernel breaks LXC | 22:45 |
| stgraber | (well, nested unprivileged containers specifically) | 22:46 |
| hallyn | stgraber: http://lkml.org/lkml/2014/8/13/746 will be the patch to fix it | 22:48 |
| hallyn | can you test-build a kernel? | 22:48 |
| hallyn | apw: I assume the quickest we could get http://lkml.org/lkml/2014/8/13/746 into a build is 3 weeks? | 22:49 |
| stgraber | we obviously have two talks lined up at LinuxCon/Linux Security Summit next week which both demo nested unprivileged containers on Ubuntu... so looks like we'll need custom patched kernels or tweaked LXC which means people following those talks won't be able to reproduce what we show them... | 22:51 |
| stgraber | hallyn, apw: filed bug 1357588 | 23:22 |
| ubot5 | bug 1357588 in linux (Ubuntu) "3.13.0-24 broke nested unprivileged LXC" [Undecided,New] https://launchpad.net/bugs/1357588 | 23:22 |
| stgraber | and tagged as a regression in an udpate | 23:22 |
| stgraber | *update | 23:23 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!