On Tue, 2016-12-06 at 10:02 +0000, Ian Campbell wrote:
> On Tue, 2016-12-06 at 12:56 +0900, Olaf Meeuwissen wrote:
> > You may want to add to the NEWS blurb that disabling the old 'virtual
> > syscall' interface can lead to crashes when trying to run a Docker
> > container. With upstream's docker-engine-1.12.3-0~stretch, I see
>
> This was also reported as #845085 against docker.io.
>
> Ben mentioned somewhere that NEWS is not displayed for newly installed
> packages (such as linux-image-$ABI) and so the message is instead part
> of the NEWS in the meta package:
>
> $ zcat /usr/share/doc/linux-image-amd64/NEWS.Debian.gz | head -n18
> linux-latest (76) unstable; urgency=medium
>
>   * From Linux 4.8, several changes have been made in the kernel
>     configuration to 'harden' the system, i.e. to mitigate security bugs.
>     Some changes may cause legitimate applications to fail, and can be
>     reverted by run-time configuration:
>     - On 64-bit PCs (amd64), the old 'virtual syscall' interface is
>       disabled. This breaks (e)glibc 2.13 and earlier. To re-enable it,
>       set the kernel parameter: vsyscall=emulate
>     - On most architectures, the /dev/mem device can no longer be used to
>       access devices that also have a kernel driver. This breaks dosemu
>       and some old user-space graphics drivers. To allow this, set the
>       kernel parameter: iomem=relaxed
>     - The kernel log is no longer readable by unprivileged users. To
>       allow this, set the sysctl: kernel.dmesg_restrict=0
>
>
>  -- Ben Hutchings <b...@decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100
>
> $
>
> This was also displayed for me just now on upgrade of linux-image-amd64
> from 4.7+75 to 4.8+76. Since this is already present in the version you
> reported the wishlist issue against I'm closing with this mail.
[...]

But perhaps we should be more explicit in this message, e.g.:

"This breaks (e)glibc 2.13 and earlier, which may still be installed in
a chroot or container environment based on Debian 7, RHEL/CentOS 6 or
earlier versions."

Ben.

--
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett
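
A way to audit a host for the breakage discussed in this thread, as an added example that is not part of the original mails or of any Debian package: it reads the glibc version from a chroot or container root and compares it with the `vsyscall=` setting on a kernel command line. The function names are hypothetical, and it assumes the `libc-X.Y.so` file naming of old glibc releases and that an unset parameter means the interface is disabled, as the NEWS entry describes for the 4.8 kernels.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Print the vsyscall mode requested on a kernel command line, or "unset"
# when the parameter is absent. Assumption: the last occurrence wins.
vsyscall_mode() (
    set -f                      # no globbing while splitting the command line
    mode=unset
    for arg in $1; do
        case $arg in vsyscall=*) mode=${arg#vsyscall=} ;; esac
    done
    printf '%s\n' "$mode"
)

# Print each glibc version found under a root directory, taken from the
# libc-X.Y.so file name (e.g. /lib/x86_64-linux-gnu/libc-2.13.so).
glibc_versions_in_root() {
    find "$1/lib" "$1/lib64" "$1/usr/lib" -name 'libc-[0-9]*.so' 2>/dev/null |
        sed -n 's|.*/libc-\([0-9][0-9.]*\)\.so$|\1|p' | sort -u
}

# Succeed when the version is 2.13 or earlier, the range named in NEWS.
glibc_needs_vsyscall() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 13 ]; }
}

# $1 = chroot/container root, $2 = kernel command line.
# Returns 1 and prints AFFECTED when an old glibc is present and the
# interface has not been re-enabled with vsyscall=emulate.
check_root() {
    mode=$(vsyscall_mode "$2")
    for v in $(glibc_versions_in_root "$1"); do
        if glibc_needs_vsyscall "$v" && [ "$mode" != emulate ]; then
            echo "AFFECTED glibc=$v vsyscall=$mode"
            return 1
        fi
    done
    echo "OK vsyscall=$mode"
}

# Usage: script ROOT [CMDLINE]; CMDLINE defaults to the running kernel's.
if [ $# -ge 1 ]; then
    check_root "$1" "${2:-$(cat /proc/cmdline)}"
fi
```
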