Upstream has issued an advisory today (September 29):
http://openwall.com/lists/oss-security/2015/09/29/4
https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html

The upstream commit to the 1.0 branch doesn't apply to our 1.0.5 version. The advisory says that the fix will be included in the 1.0.8 release, which will come soon. It would probably be best to update to 1.0.8.

Mageia 5 is also affected.
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO
Ubuntu has issued an advisory for this on September 29: http://www.ubuntu.com/usn/usn-2753-1/
URL: (none) => http://lwn.net/Vulnerabilities/658827/
Updated Ubuntu advisory with a regression fix: http://www.ubuntu.com/usn/usn-2753-2/
Severity: normal => major
Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12760#c2

Advisory:
========================

Updated lxc packages fix security vulnerability:

A directory traversal flaw in lxc-start in lxc before 1.0.8 while initially setting up the mounts for a container (CVE-2015-1335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1335
http://lists.opensuse.org/opensuse-updates/2015-10/msg00023.html
========================

Updated packages in core/updates_testing:
========================
lxc-1.0.5-3.2.mga5
liblxc1-1.0.5-3.2.mga5
liblxc-devel-1.0.5-3.2.mga5

from lxc-1.0.5-3.2.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Testing mga5 x64

Before drawing conclusions, better to note what has happened before re-booting.

With issued lxc:
lxc-1.0.5-3.1.mga5
lib64lxc1-1.0.5-3.1.mga5

# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
...
Generating public/private dsa key pair.
...
# lxc-ls
lxcsshd
# lxc-info -n lxcsshd
Name: lxcsshd
State: STOPPED
# lxc-start -n lxcsshd
/sbin/init: line 183: type: sshd: not found
The command 'sshd' is not accessible on the system
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.
# lxc-destroy -n lxcsshd

Updated to:
lib64lxc1-1.0.5-3.2.mga5
lxc-1.0.5-3.2.mga5

# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
[output similar to previously]
# lxc-ls
lxcsshd
# lxc-info -n lxcsshd
Name: lxcsshd
State: STOPPED
# lxc-start -n lxcsshd
lxc-start: Too many levels of symbolic links - init in /usr/lib64/lxc/rootfs/sbin/init was a symbolic link!
lxc-start: Too many levels of symbolic links - failed to mount '/usr/share/lxc/templates/lxc-sshd' on '/usr/lib64/lxc/rootfs/sbin/init'
lxc-start: failed to setup the mount entries for 'lxcsshd'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'lxcsshd'
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.
[output very different from previously, same end result though]
# lxc-destroy -n lxcsshd

So I m
CC: (none) => lewyssmith
Do you need to install openssh-server?
Testing mga5 x64 (continued)

So I am going to re-boot to repeat the lxc-start.

It would be nice to know, from Bug 16443 Comments 4 & 5, what is meant by "lxc seems/continues to respond as expected." Could be helpful.
Testing mga5 x64 (continued)

Re-booted. Re-running the second, post-update, part of Comment 4, lxc-start results were the same - but *not* the same as pre-update.

(In reply to David Walser from comment #5)
> Do you need to install openssh-server?
Just in case - done. But no change:

# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
...
# lxc-start -n lxcsshd
lxc-start: Too many levels of symbolic links - init in /usr/lib64/lxc/rootfs/sbin/init was a symbolic link!
lxc-start: Too many levels of symbolic links - failed to mount '/usr/share/lxc/templates/lxc-sshd' on '/usr/lib64/lxc/rootfs/sbin/init'
lxc-start: failed to setup the mount entries for 'lxcsshd'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'lxcsshd'
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.

This is very much in the area of the bug:
https://bugzilla.suse.com/946744
But is it legitimate that the container does not start in this manner? (Recap: the pre-update failure to start was much neater: no sshd. Note for the future that this should be installed for this particular template test). I do not like the failure, so decline to OK this update.
Re-testing x64 real hardware; this time with ssh daemon checked to be running.

Removed lxc & the lib, re-installed them from normal repos:
lib64lxc1-1.0.5-3.1.mga5
lxc-1.0.5-3.1.mga5

BEFORE update:
# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
[usual O/P]
# lxc-info -n lxcsshd
Name: lxcsshd
State: STOPPED
# lxc-start -n lxcsshd
eth0: ERROR while getting interface flags: No such device
/sbin/dhclient-script: configuration for eth0 not found.
SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
eth0: ERROR while getting interface flags: No such device
Container IP address:
eth0: error fetching interface information: Device not found
[continued running - but *running*; Ctrl/C had no effect]

From another console:
# lxc-info -n lxcsshd
Name: lxcsshd
State: RUNNING
PID: 4330
CPU use: 0.17 seconds
BlkIO use: 24.00 KiB
# lxc-stop -n lxcsshd
[Takes a full minute to take effect]
# lxc-destroy -n lxcsshd

AFTER update to:
lib64lxc1-1.0.5-3.2.mga5
lxc-1.0.5-3.2.mga5

# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
# lxc-info -n lxcsshd
Name: lxcsshd
State: STOPPED
# lxc-start -n lxcsshd
lxc-start: Too many levels of symbolic links - init in /usr/lib64/lxc/rootfs/sbin/init was a symbolic link!
lxc-start: Too many levels of symbolic links - failed to mount '/usr/share/lxc/templates/lxc-sshd' on '/usr/lib64/lxc/rootfs/sbin/init'
lxc-start: failed to setup the mount entries for 'lxcsshd'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'lxcsshd'
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.

Confirms the iffy effect of the update, because this container did run - if full of errors - previous to it. Looks like a worsened situation.
Looks like the container template is using the wrong network interface name, but yes, the update looks iffy.
Whiteboard: has_procedure => has_procedure feedback
MGA5-32 on Acer D620 Xfce

No installation issues.

When I try to run as normal user I get:
lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
lxc_container: No mapping for container root
lxc_container: Error chowning /home/tester5/.local/share/lxc/lxcsshd/rootfs to container root
lxc_container: Error creating backing store type (none) for lxcsshd
lxc_container: Error creating container lxcsshd

So, I searched and found https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
I had to put my user as sudoer and create the /etc/subuid and /etc/subgid files in the process, and then I get:
[tester5@mach6 ~]$ sudo usermod --add-subuids 100000-165536 $USER
[tester5@mach6 ~]$ sudo usermod --add-subgids 100000-165536 $USER
[tester5@mach6 ~]$ sudo chmod +x $HOME
[tester5@mach6 ~]$ lxc-create -t download -n p1 -- -d ubuntu -r trusty -a amd64
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu container (release=trusty, arch=amd64, variant=default)

To enable sshd, run: apt-get install openssh-server

For security reason, container images ship without user accounts and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password or create user accounts.

[tester5@mach6 ~]$ lxc-ls
p1
[tester5@mach6 ~]$ lxc-info -n p1
Name: p1
State: STOPPED

And here I stopped the test as this laptop is a single core machine with just 1Gb of memory, it might choke on trying to run a second OS. For me the test is OK.
CC: (none) => herman.viaene
Whiteboard: has_procedure feedback => has_procedure feedback MGA5-32-OK
(In reply to David Walser from comment #9)
> Looks like the container template is using the wrong network interface name,
> but yes, the update looks iffy.

Anything happening with this? Should we test this version, or wait for an update?
CC: (none) => davidwhodgins
This probably needs a look from a packager. Unfortunately it's unmaintained. Sander updated it previously, so maybe he'll look at it. I'm not sure what I can do here.
OK I dropped the patches and updated to a clean upstream 1.0.8 build.

Updated packages in core/updates_testing:
========================
lxc-1.0.8-1.mga5
liblxc1-1.0.8-1.mga5
liblxc-devel-1.0.8-1.mga5

from lxc-1.0.8-1.mga5.src.rpm
Whiteboard: has_procedure feedback MGA5-32-OK => has_procedure
Whiteboard: has_procedure => has_procedure advisory
Trying M5 x64 real hardware

Did a clean install of the 'original' pkgs:
lxc-1.0.5-3.1.mga5.x86_64.rpm
lib64lxc1-1.0.5-3.1.mga5.x86_64.rpm
and re-ran the BEFORE UPDATE sequence lxc-create to lxc-destroy shown in Comment 8, exactly similar. (Errors about now defunct eth0, but continued running).

Updated to:
lxc-1.0.8-1.mga5
lib64lxc1-1.0.8-1.mga5

Repeated the Comment 8 AFTER UPDATE sequence lxc-create/lxc-info/lxc-start, which alas foundered in exactly the same way as the previous update 1.0.5-3.2:
# lxc-start -n lxcsshd
"lxc-start: utils.c: open_without_symlink: 1315 Too many levels of symbolic links - init in /usr/lib64/lxc/rootfs/sbin/init was a symbolic link!
lxc-start: conf.c: mount_entry: 2061 Too many levels of symbolic links - failed to mount '/usr/share/lxc/templates/lxc-sshd' on '/usr/lib64/lxc/rootfs/sbin/init'
lxc-start: conf.c: lxc_setup: 4282 failed to setup the mount entries for 'lxcsshd'
lxc-start: start.c: do_start: 703 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1100 failed to spawn 'lxcsshd'
lxc-start: lxc_start.c: main: 341 The container failed to start.
lxc-start: lxc_start.c: main: 345 Additional information can be obtained by setting the --logfile and --logpriority options."

Once again, eth0 apart, this seems worse than before.
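The refusal logged above (utils.c: open_without_symlink) is the 1.0.8 hardening for CVE-2015-1335: a mount target inside the container rootfs is resolved one component at a time and rejected if any component is a symlink, so a rootfs cannot redirect a bind mount onto the host. The Python sketch below is an added illustration, not lxc's code and not part of this bug report; it reimplements that walk, shows why the sshd template's symlinked /sbin/init is now an unmountable target, and builds a constructed demo rootfs (all paths, helper names and the symlink layout are assumptions made for the demo).

```python
import os
import tempfile
from pathlib import Path


def open_without_symlink(rootfs, relpath):
    """Resolve relpath below rootfs component by component, refusing any
    component that is a symlink or '..'. Mirrors the intent of lxc 1.0.8's
    open_without_symlink check; this is a stand-alone sketch, not lxc's code.
    Returns the absolute host path on success, raises OSError otherwise."""
    cur = os.path.abspath(rootfs)
    for part in Path(relpath).parts:
        if part in ("/", "."):
            continue
        if part == "..":
            raise OSError("refusing '..' component in %r" % relpath)
        cur = os.path.join(cur, part)
        # islink() uses lstat(), so it sees the link itself, not its target;
        # a dangling link (like the template's /sbin/init) is still refused.
        if os.path.islink(cur):
            raise OSError("%s is a symbolic link" % cur)
    return cur


def mount_target_ok(rootfs, relpath):
    """True if relpath is an acceptable mount target inside rootfs."""
    try:
        open_without_symlink(rootfs, relpath)
        return True
    except OSError:
        return False


def build_demo_rootfs():
    """Constructed sample rootfs (assumption, not from the bug report): a plain
    etc/passwd, sbin/init symlinked to the template script the way the sshd
    template lays it out, and a 'lib' directory symlink pointing at /."""
    root = tempfile.mkdtemp(prefix="lxc-demo-rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "sbin"))
    open(os.path.join(root, "etc", "passwd"), "w").close()
    os.symlink("/usr/share/lxc/templates/lxc-sshd",
               os.path.join(root, "sbin", "init"))
    os.symlink("/", os.path.join(root, "lib"))
    return root


if __name__ == "__main__":
    demo = build_demo_rootfs()
    for target in ("etc/passwd", "/sbin/init", "lib/modules", "../etc/shadow"):
        print(target, "->", "ok" if mount_target_ok(demo, target) else "REFUSED")
```

Only etc/passwd is accepted; /sbin/init is refused for exactly the reason in the log, and the directory-symlink and '..' cases show the traversal the check exists to stop.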
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: lxc liblxc1 liblxc-devel

default install of lxc liblxc1 & liblxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.5-3.1.mga5.i586 is already installed

using Lewis Smith's Comment 2 in: https://bugs.mageia.org/show_bug.cgi?id=12760

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
be:ff:49:cc:da:7e:f9:3d:1f:c0:24:a2:e4:80:36:36 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+ | | | . | | E . . . . . |.......... ..............
Generating public/private dsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
e2:b3:2c:97:d0:2b:2c:2c:8f:10:8c:22:6c:26:17:59 root@localhost
The key's randomart image is:
+--[ DSA 1024]----+ | E |............

lxc seems to respond as expected.

In a root terminal run:
lxc-destroy -n lxcsshd ( works )

install lxc liblxc1 & liblxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.8-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.8-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.8-1.mga5.i586 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
09:d4:a3:7c:04:1e:89:24:93:d3:9b:b1:48:7d:8e:5c root@localhost
The key's randomart image is:
+--[ RSA 2048]----+ | o=..++ | | +o=oE.+ |.......... ..........
Generating public/private dsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
b9:70:4c:ca:ba:50:60:6f:f9:84:0b:39:3f:dc:db:dd root@localhost
The key's randomart image is:
+--[ DSA 1024]----+ | | | | | o . |....... .............

lxc continues to respond as expected.

Note: you can go back and forth between:
lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
and
lxc-destroy -n lxcsshd
as many times as you want to test. Keys are different every time.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: lxc lib64lxc1 lib64lxc-devel

default install of lxc lib64lxc1 & lib64lxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.5-3.1.mga5.x86_64 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
25:33:11:b8:22:f3:00:11:05:71:ef:a3:8c:a7:99:11 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+ |=*o .o. | |.. . . . | | . . .+ . |........... ..............
Generating public/private dsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
ae:48:81:4e:ec:86:94:c2:27:05:4c:6f:fd:e8:dd:ed root@localhost
The key's randomart image is:
+--[ DSA 1024]----+ |oo | | .o . | | + . |........ ...............

lxc seems to respond as expected.

In a root terminal run:
lxc-destroy -n lxcsshd ( works )

install lxc lib64lxc1 lib64lxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.8-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.8-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.8-1.mga5.x86_64 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
f1:f5:8d:61:e2:0a:26:b0:ef:ea:18:44:9e:0a:91:7d root@localhost
The key's randomart image is:
+--[ RSA 2048]----+ | | | o | |o o E . o o |...... .............
Generating public/private dsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
6b:1d:8c:9b:67:42:66:8a:62:b3:57:a0:1b:81:47:62 root@localhost
The key's randomart image is:
+--[ DSA 1024]----+ | | |.E. | |.+ |........ ............

lxc continues to respond as expected.

Note: you can go back and forth between:
lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
and
lxc-destroy -n lxcsshd
as many times as you want to test. Keys are different every time.
Look ok to you David?
Looking back over this, it appears that either the sshd template has some issues with it, or makes certain assumptions about your system configuration, so there's been different behavior for different people, but it seems to work for Bill. I think this package should be OK as it's basically a stock 1.0.8 from upstream without modifications. Maybe there are some customizations we could do to the templates to make them work better, but without a knowledgeable packager looking into this, I think this is the best we can do.
This update works fine. Testing complete for MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0036.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED