Description of problem: Super low priority. Add a new function that can be used by "tech preview" code to taint the kernel and mark it as using a non-production feature. Currently we have none in RHELSA but I suggest someone implement this to have as a reserve. It's a trivial piece of code to port over from RHEL7.
In order to bring the last patch of the user namespaces series (https://bugzilla.redhat.com/show_bug.cgi?id=1271051) from RHEL to RHELSA the mark_tech_preview() functionality has been ported to RHELSA: https://post-office.corp.redhat.com/mailman/private/rharm-kernel-patches/2016-April/msg00452.html
I tested both user namespaces (bug 1271051) and the Tech Preview warning (bug 1330743) simultaneously since they are co-dependent. I used the unshare program from util-linux to start a process in a new user namespace.

:::::::::::::
:: Default ::
:::::::::::::

User namespaces are disabled by default in the RHEL and RHELSA kernels, so the unshare tool fails, and there are no Tech Preview warnings from the kernel, and the kernel remains untainted.

[root@hp-moonshot-03-c01 ~]# uname -r
4.5.0-0.44.el7.aarch64
[root@hp-moonshot-03-c01 ~]# grep -o 'user_namespace[^[:space:]]*' /proc/cmdline
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0
[root@hp-moonshot-03-c01 ~]# id -u
0
[root@hp-moonshot-03-c01 ~]# unshare --user id -u
unshare: unshare failed: Invalid argument
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0

:::::::::::::::::::::::::::::
:: User Namespaces Enabled ::
:::::::::::::::::::::::::::::

Enable user namespaces by adding user_namespace.enable=1 to the kernel command line arguments in the grub config file and reboot. After running the unshare program to create a new user namespace, the kernel logs a warning about user namespaces being a Tech Preview feature, and the kernel is tainted.

[root@hp-moonshot-03-c01 ~]# uname -r
4.5.0-0.44.el7.aarch64
[root@hp-moonshot-03-c01 ~]# grep -o 'user_namespace[^[:space:]]*' /proc/cmdline
user_namespace.enable=1
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
0
[root@hp-moonshot-03-c01 ~]# id -u
0
[root@hp-moonshot-03-c01 ~]# unshare --user id -u
65534
[root@hp-moonshot-03-c01 ~]# dmesg | grep -A1 TECH.PREVIEW
[ 131.981895] TECH PREVIEW: user namespace may not be fully supported. Please review provided documentation for limitations.
[root@hp-moonshot-03-c01 ~]# cat /proc/sys/kernel/tainted
536870912

:::::::::::
:: Extra ::
:::::::::::

The same patch set for user namespaces also restricts mount namespaces to privileged users (i.e., root) only (see commit 2c0f08259155 (*)). This can also be verified with the unshare program.

[root@hp-moonshot-03-c01 ~]# unshare --mount id -u
0
[root@hp-moonshot-03-c01 ~]# su - test
Last login: Wed Jul 6 10:24:16 EDT 2016 on pts/0
[test@hp-moonshot-03-c01 ~]$ unshare --mount id -u
unshare: unshare failed: Operation not permitted

(*) http://git.app.eng.bos.redhat.com/git/rhelsa7.git/commit/?id=2c0f08259155
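Added example, not part of the original comment or of the RHELSA patch set: a shell helper that decodes a taint value into its set bits and classifies a host from the three signals checked in the session above (kernel command line, taint value, kernel log). The function names are hypothetical, and the Tech Preview bit position (29) is an assumption inferred from the value 536870912 = 1 << 29 shown above.

```shell
#!/bin/bash
# Added example (not from the bug report). Bit position is inferred from the
# taint value 536870912 (1 << 29) shown in the session above.
TECH_PREVIEW_BIT=29

# Print the set bit positions of a taint value, space separated.
taint_bits() {
    local value="$1" bit=0 out=""
    while [ "$value" -gt 0 ]; do
        if [ $((value & 1)) -eq 1 ]; then out="$out$bit "; fi
        value=$((value >> 1))
        bit=$((bit + 1))
    done
    echo "${out% }"
}

# Classify a host from its kernel command line, taint value and kernel log.
userns_state() {
    local cmdline="$1" taint="$2" log="$3" enabled=no tainted=no warned=no
    case " $cmdline " in *" user_namespace.enable=1 "*) enabled=yes ;; esac
    if [ $(( (taint >> TECH_PREVIEW_BIT) & 1 )) -eq 1 ]; then tainted=yes; fi
    case "$log" in *"TECH PREVIEW: user namespace"*) warned=yes ;; esac
    case "$enabled/$tainted/$warned" in
        no/no/no)    echo "disabled" ;;
        yes/no/no)   echo "enabled-unused" ;;
        yes/yes/yes) echo "enabled-used" ;;
        *)           echo "needs-review" ;;  # signals disagree with each other
    esac
}

# Read the live values the same way the session above does (call manually).
check_host() {
    local t
    t=$(cat /proc/sys/kernel/tainted)
    echo "taint bits set: $(taint_bits "$t")"
    userns_state "$(cat /proc/cmdline)" "$t" "$(dmesg)"
}
```

Source the file and run check_host as root, since reading the kernel log may be restricted for unprivileged users.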
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2145.html