
centos:6 image segfaults on newer Linux kernels with Spectre V1 mitigation #103

Closed
terminalmage opened this issue Mar 15, 2018 · 13 comments

Comments

@terminalmage

Running a docker run --rm -it centos:6 bash fails with exit status 139 (i.e. bash exits with SIGSEGV) on Linux kernel 4.15.9. Downgrading to 4.14.15 (which is vulnerable to Spectre V1) gets rid of the segfault.

This has been tried both with the latest image pulled from the docker hub, and I also built from the most recent update here on GitHub (https://github.com/CentOS/sig-cloud-instance-images/blob/d2bb3d66e4f4330480f534ed4940e7c89210cfe6/docker/Dockerfile) and that image also fails.

The docker host is Arch Linux running Docker 18.02.0.

@zrhoffman

zrhoffman commented Mar 19, 2018

Verified in Arch Linux using kernel 4.15.8-1 and Docker 18.02.0. Downgrading to 4.14.15-1 makes docker run --rm -it centos:6.9 bash run as expected.

@mwestphal

FYI, on 4.15.12-1-ARCH, I have the same behavior except that it exits silently without any error. Downgrading does fix the problem.

@terminalmage
Author

So it seems that we just need the image to be updated with one that doesn't segfault on newer kernels. @jperrin was the last to update these images, looping him in here.

@sgowie

sgowie commented May 1, 2018

While this issue can be circumvented by defining vsyscall=emulate in the bootloader's kernel options, this is unlikely to be the default for all distributions. As more systems adopt the patched kernels, images depending on the existing CentOS 6 line of images will likely fail.

Is it even possible to rebuild the c6-docker.tar.xz blob with binaries and/or libraries that don't require this change? If not, it may be prudent to either provide some guidance on hub.docker.com, or to remove the reference to the incompatible images.

@jperrin
Collaborator

jperrin commented May 1, 2018

The images are built from the latest sources available for c6. I don't test them on anything other than CentOS and Fedora hosts. If it's failing on Arch, and you'd like to contribute Arch specific documentation to the docker docs repo CentOS page, I'm happy to ack it there.

@terminalmage
Author

I would be happy to write docs, but I have no idea what the "docker docs repo CentOS page" is. Can you point me in the right direction?

@sgowie

sgowie commented May 3, 2018

@jperrin I think Arch is a red herring here. The kernel changes have been seen in Alpine (moby/moby#28705), and they're slated to drop in Debian 10 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874034). I'd look at this as a canary situation instead. A debian test install produces the same results:

sgowie@debian-test-latest:~$ sudo docker run -it centos:centos6.7
Unable to find image 'centos:centos6.7' locally
centos6.7: Pulling from library/centos
cbddbc0189a0: Pull complete 
Digest: sha256:7248c96de4648749c7936f203d983530e7ebdd83c3db6d47278392f18bcd7baf
Status: Downloaded newer image for centos:centos6.7
sgowie@debian-test-latest:~$ echo $?
139
sgowie@debian-test-latest:~$ uname -a
Linux debian-test-latest 4.15.0-3-amd64 #1 SMP Debian 4.15.17-1 (2018-04-19) x86_64 GNU/Linux
sgowie@debian-test-latest:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux buster/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
sgowie@debian-test-latest:~$ 

@agimenez

agimenez commented Jul 4, 2018

+1 Now fails on Debian testing as well. Is there any way to actually fix this instead of adding a note to the docs to use a less secure configuration?

@albertvaka

This is a duplicate of #62

@timotheemoulin

I was having the same issue because of the new Debian 10 kernel.
To solve this, you must enable vsyscall.

Edit the file /etc/default/grub.
On the line GRUB_CMDLINE_LINUX_DEFAULT="quiet" add the option vsyscall=emulate at the end. The line should now look like GRUB_CMDLINE_LINUX_DEFAULT="quiet vsyscall=emulate"

Then regenerate the grub file sudo update-grub and reboot your computer.
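Added example, not part of any comment in this thread: a POSIX shell pre-flight check for the vsyscall=emulate workaround described by sgowie and timotheemoulin above. It parses the vsyscall= option out of a kernel command line, looks for the legacy [vsyscall] mapping in a /proc/<pid>/maps dump, and decodes the 139 exit status reported in the thread; the sample command lines and maps contents are constructed, and the address 0xffffffffff600000 is the fixed x86_64 legacy vsyscall page.

```shell
#!/bin/sh
# Added example, not from the issue thread: pre-flight check for a host that
# should run centos:6 containers. The old glibc in that image calls into the
# legacy vsyscall page, so the kernel must still expose it (vsyscall=emulate).
# Functions take their input as strings so they can be exercised offline.

# Print the value of the vsyscall= kernel parameter from a command line,
# or "unset" when the kernel was booted with its compiled-in default.
vsyscall_mode() {
    mode=unset
    for arg in $1; do
        case $arg in
            vsyscall=*) mode=${arg#vsyscall=} ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Succeed (exit 0) when a /proc/<pid>/maps dump contains the legacy
# [vsyscall] page at its fixed x86_64 address; with vsyscall=none the
# kernel drops the mapping and the line is absent.
has_vsyscall_page() {
    printf '%s\n' "$1" | grep -q '^ffffffffff600000-ffffffffff601000 .*\[vsyscall\]$'
}

# Decode a shell exit status of 128+N into the signal number N
# (139 is the SIGSEGV seen in this thread). Prints 0 for a normal exit.
signal_from_status() {
    if [ "$1" -gt 128 ]; then echo $(($1 - 128)); else echo 0; fi
}

# Constructed sample inputs for offline use.
CMDLINE_FIXED="BOOT_IMAGE=/boot/vmlinuz root=UUID=0000 ro quiet vsyscall=emulate"
CMDLINE_DEFAULT="BOOT_IMAGE=/boot/vmlinuz root=UUID=0000 ro quiet"
MAPS_WITH="7ffd1a2b3000-7ffd1a2b5000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]"
MAPS_WITHOUT="7ffd1a2b3000-7ffd1a2b5000 r-xp 00000000 00:00 0 [vdso]"

# Check the live host when its proc files are readable (Linux only).
if [ -r /proc/cmdline ] && [ -r /proc/self/maps ]; then
    echo "kernel vsyscall= : $(vsyscall_mode "$(cat /proc/cmdline)")"
    if has_vsyscall_page "$(cat /proc/self/maps)"; then
        echo "legacy vsyscall page present: centos:6 should run"
    else
        echo "legacy vsyscall page absent: expect exit status 139 from centos:6"
    fi
fi
```

Run it on the Docker host before pulling the image; the maps check reflects what the running kernel actually exposes, whereas /proc/cmdline only shows what was requested at boot.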

@terminalmage
Author

Yes, this was commented last May as well.

@mwestphal

I somehow missed it. Thanks @timotheemoulin @terminalmage and @sgowie for the workaround.

@terminalmage
Author

The CentOS 6 image has not been updated in several years, and with EL6 being end-of-life I doubt it will ever get an update. Closing.
