Bug 1330743

Summary: Add mark_tech_preview interface in RHELSA kernel
Product: Red Hat Enterprise Linux 7 Reporter: Jon Masters <jcm>
Component: kernel-aarch64Assignee: Adrian Reber <areber>
kernel-aarch64 sub component: RFEs QA Contact: Jeff Bastian <jbastian>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: unspecified CC: areber, jcm, jfeeney, mlangsdo
Version: 7.4   
Target Milestone: rc   
Target Release: ---   
Hardware: aarch64   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-aarch64-4.5.0-0.35.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 22:39:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jon Masters 2016-04-26 20:45:26 UTC 
Description of problem:

Super low priority. Add a new function that can be used by "tech preview" code to taint the kernel and mark it as using a non-production feature. Currently we have none in RHELSA but I suggest someone implement this to have as a reserve. It's a trivial piece of code to port over from RHEL7.
Comment 2 Adrian Reber 2016-04-28 06:37:26 UTC 
In order to bring the last patch of the user namespaces series (https://bugzilla.redhat.com/show_bug.cgi?id=1271051) from RHEL to RHELSA the mark_tech_preview() functionality has been ported to RHELSA:

https://post-office.corp.redhat.com/mailman/private/rharm-kernel-patches/2016-April/msg00452.html
Comment 4 Jeff Bastian 2016-07-06 15:18:53 UTC 
I tested both user namespaces (bug 1271051) and the Tech Preview warning (bug 1330743) simultaneously since they are co-dependent.  I used the unshare program from util-linux to start a process in a new user namespace.

:::::::::::::
:: Default ::
:::::::::::::

User namespaces are disabled by default in the RHEL and RHELSA kernels, so the unshare tool fails, and there are no Tech Preview warnings from the kernel, and the kernel remains untainted.

[root@hp-moonshot-03-c01 ~]# uname -r
4.5.0-0.44.el7.aarch64
[root@hp-moonshot-03-c01 ~]# grep -o 'user_namespace[^[:space:]]*' /proc/cmdline
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0
[root@hp-moonshot-03-c01 ~]# id -u
0
[root@hp-moonshot-03-c01 ~]# unshare --user id -u
unshare: unshare failed: Invalid argument
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0

:::::::::::::::::::::::::::::
:: User Namespaces Enabled ::
:::::::::::::::::::::::::::::

Enable user namespaces by adding user_namespace.enable=1 to the kernel command line arguments in the grub config file and reboot.  After running the unshare program to create a new user namespace, the kernel logs a warning about user namespaces being a Tech Preview feature, and the kernel is tainted.

[root@hp-moonshot-03-c01 ~]# uname -r
4.5.0-0.44.el7.aarch64
[root@hp-moonshot-03-c01 ~]# grep -o 'user_namespace[^[:space:]]*' /proc/cmdline
user_namespace.enable=1
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0
[root@hp-moonshot-03-c01 ~]# id -u
0
[root@hp-moonshot-03-c01 ~]# unshare --user id -u
65534
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[  131.981895] TECH PREVIEW: user namespace may not be fully supported.
Please review provided documentation for limitations.
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
536870912

:::::::::::
:: Extra ::
:::::::::::

The same patch set for user namespaces also restricts mount namespaces to privileged users (i.e., root) only (see commit 2c0f08259155 (*)).  This can also be verified with the unshare program.

[root@hp-moonshot-03-c01 ~]# unshare --mount id -u
0
[root@hp-moonshot-03-c01 ~]# su - test
Last login: Wed Jul  6 10:24:16 EDT 2016 on pts/0
[test@hp-moonshot-03-c01 ~]$ unshare --mount id -u
unshare: unshare failed: Operation not permitted

(*) http://git.app.eng.bos.redhat.com/git/rhelsa7.git/commit/?id=2c0f08259155
Comment 6 errata-xmlrpc 2016-11-03 22:39:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2145.html