Autopkgtest found a regression related to unprivileged container
execution when combined with overlayfs and the trusty kernel (3.13).

Marking this as verification-failed and will be tracking this done,
fixing upstream and cherry-picking a fix (once we know exactly what's
going on).


This failure didn't occur upstream when testing on a 4.4 kernel, so it suggests 
it's only happening when going down the old overlayfs codepath which the 3.13 
kernel uses.

http://paste.ubuntu.com/23639928/

** Tags removed: verification-needed
** Tags added: verification-failed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1647016

Title:
  SRU of LXC 1.0.9 (upstream bugfix release)

Status in lxc package in Ubuntu:
  Invalid
Status in lxc source package in Precise:
  In Progress
Status in lxc source package in Trusty:
  Fix Committed

Bug description:
  LXC upstream released LXC 1.0.9 as a bugfix release with following
  changelog:

   - Security fix for CVE-2016-8649
   - utils: make detect_ramfs_rootfs() return bool
   - tests: add test for detect_ramfs_rootfs()
   - add Documentation entries to lxc and lxc@ units
   - mark the python examples as having utf-8 encoding
   - log: sanity check the returned value from snprintf()
   - lxc-alpine: mount /dev/shm as tmpfs
   - archlinux: Do DHCP on eth0
   - archlinux: Fix resolving
   - Drop leftover references to lxc_strerror()
   - tests: fix image download for s390x
   - tools: fix coding style in lxc_attach
   - tools: make overlay valid backend
   - tools: better error reporting for lxc-start
   - alpine: Fix installing extra packages
   - lxc-alpine: do not drop setfcap
   - s390x: Fix seccomp handling of personalities
   - tools: correct the argument typo in lxc_copy
   - Use libtool for liblxc.so
   - c/r: use --external instead of --veth-pair
   - c/r: remember to increment netnr
   - c/r: add checkpoint/restore support for macvlan interfaces
   - ubuntu: Fix package upgrades requiring proc
   - c/r: drop duplicate hunk from macvlan case
   - c/r: use snprintf to compute device name
   - Tweak libtool handling to work with Android
   - tests: add lxc_error() and lxc_debug()
   - container start: clone newcgroup immediately
   - use python3_sitearch for including the python code
   - fix rpm build, include all built files, but only once
   - cgfs: fix invalid free()
   - find OpenSUSE's build also as obs-build
   - improve help text for --fancy and --fancy-format
   - improve wording of the help page for lxc-ls
   - cgfs: add print_cgfs_init_debuginfo()
   - cgfs: skip empty entries under /proc/self/cgroup
   - cgfs: explicitly check for NULL
   - tools: use correct exit code for lxc-stop
   - c/r: explicitly emit bind mounts as criu arguments
   - log: bump LXC_LOG_BUFFER_SIZE to 4096
   - conf: merge network namespace move & rename on shutdown
   - c/r: save criu's stdout during dump too
   - c/r: remove extra \ns from logs
   - c/r: fix off-by-one error
   - c/r: check state before doing a checkpoint/restore
   - start: CLONE_NEWCGROUP after we have setup cgroups
   - create symlink for /var/run
   - utils: add lxc_append_string()
   - cgroups: remove isolated cpus from cpuset.cpus
   - Update Ubuntu release name: add zesty and remove wily
   - templates: add squashfs support to lxc-ubuntu-cloud.in
   - cgroups: skip v2 hierarchy entry
   - also stop lxc-net in runlevels 0 and 6
   - add lxc.egg-info to gitignore
   - install bash completion where pkg-config tells us to
   - conf: do not use %m format specifier
   - debian: Don't depend on libui-dialog-perl
   - cgroups: use %zu format specifier to print size_t
   - lxc-checkpoint: automatically detect if --external or --veth-pair
   - cgroups: prevent segfault in cgfsng
   - utils: add lxc_preserve_ns()
   - start: add netnsfd to lxc_handler
   - conf: use lxc_preserve_ns()
   - attach: use lxc_preserve_ns()
   - lxc_user_nic: use lxc_preserve_ns()
   - conf, start: improve log output
   - conf: explicitly remove veth device from host
   - conf, start: be smarter when deleting networks
   - start, utils: improve preserve_ns()
   - start, error: improve log + non-functional changes
   - start, namespace: move ns_info to namespace.{c,h}
   - attach, utils: bugfixes
   - attach: use ns_info[LXC_NS_MAX] struct
   - namespace: always attach to user namespace first
   - cgroup: improve isolcpus handling
   - cgroups: handle non-existent isolcpus file
   - utils: add lxc_safe_uint()
   - tests: add unit tests for lxc_safe_uint()
   - utils: add lxc_safe_int()
   - tests: add unit tests for lxc_safe_int()
   - conf/ile: get ip prefix via lxc_safe_uint()
   - confile: use lxc_safe_u/int in config_init_{u,g}id
   - conf/ile: use lxc_safe_uint() in config_pts()
   - conf/ile: use lxc_safe_u/int() in config_start()
   - conf/ile: use lxc_safe_uint() in config_monitor()
   - conf/ile: use lxc_safe_uint() in config_tty()
   - conf/ile: use lxc_safe_uint() in config_kmsg()
   - conf/ile: avoid atoi in config_lsm_aa_incomplete()
   - conf/ile: use lxc_safe_uint() in config_autodev()
   - conf/ile: avoid atoi() in config_ephemeral()
   - utils: use lxc_safe_int()
   - lxc_monitord: use lxc_safe_int() && use exit()
   - start: use lxc_safe_int()
   - conf: use lxc_safe_{u}int()
   - tools/lxc_execute: use lxc_safe_uint()
   - tools/lxc_stop: use lxc_safe_uint()
   - utils: add lxc_safe_long()
   - tests: add unit tests for lxc_safe_long()
   - tools/lxc_stop: use lxc_safe_long()
   - tools/lxc_top: use lxc_safe_int()
   - tools/lxc_ls: use lxc_safe_uint()
   - tools/lxc_autostart: use lxc_safe_{int,long}()
   - tools/lxc_console: use lxc_safe_uint()
   - tools: replace non-standard namespace identifiers
   - Configure a static MAC address on the LXC bridge
   - tests: remove overflow tests
   - attach: do not send procfd to attached process
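Many of the entries above replace bare atoi() calls in config parsing with checked helpers (lxc_safe_uint(), lxc_safe_int(), lxc_safe_long()). As an added illustration of that pattern, not LXC's own code, here is a strict unsigned parser that rejects signs, trailing junk and overflow instead of silently returning 0 or a wrapped value; the function name and the config samples are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Strictly parse a decimal unsigned int from a config value.
 * Returns 0 and stores the value, -EINVAL for malformed input
 * (empty, signed, or trailing characters), -ERANGE if it does not
 * fit in an unsigned int. Modeled on the checked-parser pattern in
 * the changelog; hypothetical name, not LXC's lxc_safe_uint(). */
int safe_uint_parse(const char *numstr, unsigned int *converted)
{
    char *end = NULL;
    unsigned long uli;

    while (isspace((unsigned char)*numstr))
        numstr++;
    /* strtoul() would silently accept "-1" and wrap it; refuse any sign. */
    if (*numstr == '-' || *numstr == '+')
        return -EINVAL;

    errno = 0;
    uli = strtoul(numstr, &end, 10);
    if (errno == ERANGE || uli > UINT_MAX)
        return -ERANGE;
    /* No digits consumed, or something left over after the digits. */
    if (end == numstr || *end != '\0')
        return -EINVAL;

    *converted = (unsigned int)uli;
    return 0;
}

/* Helpers exposing the result for checking: return code, then value. */
int parse_rc(const char *s)
{
    unsigned int v = 0;
    return safe_uint_parse(s, &v);
}

unsigned int parse_value(const char *s)
{
    unsigned int v = 0;
    return safe_uint_parse(s, &v) == 0 ? v : 0;
}
```

With a config line such as "lxc.pts = 1024" (constructed), the value string "1024" parses to 1024, while "-1", "12abc" and "" are rejected with -EINVAL and "4294967296" with -ERANGE, where atoi() would have returned -1, 12, 0 and an undefined result respectively.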

  Just like Ubuntu itself, upstream releases long term support releases,
  as is 1.0 and then periodic point releases including all the
  accumulated bugfixes.

  Only the latest upstream release gets full support from the upstream
  developers, everyone else is expected to first update to it before
  receiving any kind of support.

  This should qualify under the minor upstream bugfix release allowance
  of the SRU policy, letting us SRU this without paperwork for every
  single change included in this upstream release.

  Once the SRU hits -updates, we will be backporting this to trusty-
  backports as well, making sure we have the same version everywhere.
