From c1ad5e130323d290faba18cf09c4104437cb0a19 Mon Sep 17 00:00:00 2001 From: Shaun Gowie Date: Thu, 3 May 2018 14:07:51 -0600 Subject: [PATCH 1/4] Provides information around handling kernels with vsyscall disabled --- centos/content.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/centos/content.md b/centos/content.md index 105630445..ef642590f 100644 --- a/centos/content.md +++ b/centos/content.md @@ -82,3 +82,26 @@ $ docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-h ``` This container is running with systemd in a limited context, with the cgroups filesystem mounted. There have been reports that if you're using an Ubuntu host, you will need to add `-v /tmp/$(mktemp -d):/run` in addition to the cgroups mount. + +## A note about vsyscall + +Legacy CentOS binaries and/or libraries are built to expect some system calls to be accessed via `vsyscall` mappings. Some linux distributions have opted to disable `vsyscall` entirely (opting exclusively for more secure `vdso` mappings), causing segmentation faults. + +If running `docker run --rm -it centos:centos6.7 bash` immediately exits with status code `139`, check to see if your system has disabled vsyscall: + +``` +$ cat /proc/self/maps | egrep 'vdso|vsyscall' +7fffccfcc000-7fffccfce000 r-xp 00000000 00:00 0 [vdso] +$ +``` + +vs +``` +$ cat /proc/self/maps | egrep 'vdso|vsyscall' +7fffe03fe000-7fffe0400000 r-xp 00000000 00:00 0 [vdso] +ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] +``` + +If you do not see a `vsyscall` mapping, and you need to run a legacy CentOS container, try adding `vsyscall=emulated` to the kernel options in your bootloader + +Further reading : [lwn.net](https://lwn.net/Articles/446528/) \ No newline at end of file From 6fc8364df03836f1a49d4d2c5b924e10196236b9 Mon Sep 17 00:00:00 2001 
From: Shaun Gowie Date: Thu, 3 May 2018 14:59:01 -0600 Subject: [PATCH 2/4] changes vocabulary from "Legacy CentOS" to "CentOS 6" --- centos/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/centos/content.md b/centos/content.md index ef642590f..b551ba63d 100644 --- a/centos/content.md +++ b/centos/content.md @@ -85,7 +85,7 @@ This container is running with systemd in a limited context, with the cgroups fi ## A note about vsyscall -Legacy CentOS binaries and/or libraries are built to expect some system calls to be accessed via `vsyscall` mappings. Some linux distributions have opted to disable `vsyscall` entirely (opting exclusively for more secure `vdso` mappings), causing segmentation faults. +CentOS 6 binaries and/or libraries are built to expect some system calls to be accessed via `vsyscall` mappings. Some linux distributions have opted to disable `vsyscall` entirely (opting exclusively for more secure `vdso` mappings), causing segmentation faults. If running `docker run --rm -it centos:centos6.7 bash` immediately exits with status code `139`, check to see if your system has disabled vsyscall: @@ -104,4 +104,4 @@ ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsysca If you do not see a `vsyscall` mapping, and you need to run a legacy CentOS container, try adding `vsyscall=emulated` to the kernel options in your bootloader -Further reading : [lwn.net](https://lwn.net/Articles/446528/) \ No newline at end of file +Further reading : [lwn.net](https://lwn.net/Articles/446528/) From 2c6fbae55474a292509c61e1945609055733378e Mon Sep 17 00:00:00 2001 From: Shaun Gowie Date: Thu, 3 May 2018 15:19:05 -0600 Subject: [PATCH 3/4] Adds codeblock formatting --- centos/content.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/centos/content.md b/centos/content.md index b551ba63d..365315a85 100644 --- a/centos/content.md +++ b/centos/content.md 
@@ -89,14 +89,15 @@ CentOS 6 binaries and/or libraries are built to expect some system calls to be a If running `docker run --rm -it centos:centos6.7 bash` immediately exits with status code `139`, check to see if your system has disabled vsyscall: -``` +```console $ cat /proc/self/maps | egrep 'vdso|vsyscall' 7fffccfcc000-7fffccfce000 r-xp 00000000 00:00 0 [vdso] $ ``` vs -``` + +```console $ cat /proc/self/maps | egrep 'vdso|vsyscall' 7fffe03fe000-7fffe0400000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] @@ -104,4 +105,4 @@ ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsysca If you do not see a `vsyscall` mapping, and you need to run a legacy CentOS container, try adding `vsyscall=emulated` to the kernel options in your bootloader -Further reading : [lwn.net](https://lwn.net/Articles/446528/) +Further reading : [lwn.net](https://lwn.net/Articles/446528/) \ No newline at end of file From 3b0ee85e983ad1a9bcd953910ef2939b89681b8d Mon Sep 17 00:00:00 2001 From: Shaun Gowie Date: Thu, 3 May 2018 15:26:56 -0600 Subject: [PATCH 4/4] Removes errant space, adds newline at the end of the file. --- centos/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/centos/content.md b/centos/content.md index 365315a85..69710d6b3 100644 --- a/centos/content.md +++ b/centos/content.md 
@@ -85,7 +85,7 @@ This container is running with systemd in a limited context, with the cgroups fi ## A note about vsyscall -CentOS 6 binaries and/or libraries are built to expect some system calls to be accessed via `vsyscall` mappings. Some linux distributions have opted to disable `vsyscall` entirely (opting exclusively for more secure `vdso` mappings), causing segmentation faults. +CentOS 6 binaries and/or libraries are built to expect some system calls to be accessed via `vsyscall` mappings. Some linux distributions have opted to disable `vsyscall` entirely (opting exclusively for more secure `vdso` mappings), causing segmentation faults. If running `docker run --rm -it centos:centos6.7 bash` immediately exits with status code `139`, check to see if your system has disabled vsyscall: @@ -105,4 +105,4 @@ ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsysca If you do not see a `vsyscall` mapping, and you need to run a legacy CentOS container, try adding `vsyscall=emulated` to the kernel options in your bootloader -Further reading : [lwn.net](https://lwn.net/Articles/446528/) \ No newline at end of file +Further reading : [lwn.net](https://lwn.net/Articles/446528/)
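Review bot: In PATCH 1/4, the last added paragraph tells readers to add `vsyscall=emulated`, but the kernel boot parameter is spelled `vsyscall=emulate`, so the advice as written will not turn the mapping back on. Please correct the value. Since the same section calls `vdso` the more secure option, it would also help to say that this setting brings back the fixed-address `[vsyscall]` page shown at `ffffffffff600000` in the second sample output, and that it takes effect only after a reboot. Minor: the check can be written as `grep -E 'vdso|vsyscall' /proc/self/maps` without the extra `cat`, and "linux distributions" should be "Linux distributions".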
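Review bot: In PATCH 2/4, the rename from "Legacy CentOS" to "CentOS 6" is applied only to the first paragraph; the unchanged context line in the second hunk still reads "you need to run a legacy CentOS container". Suggest changing that sentence to "a CentOS 6 container" in the same commit so the section uses one term throughout, matching the `centos:centos6.7` image named in the example command.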
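Review bot: In PATCH 3/4, first hunk, the two `console` blocks are separated only by a bare "vs" line, which leaves the reader to work out which output is the problem case. Suggest replacing it with a short sentence before each block, for example stating that the first output (only `[vdso]`) is a host with vsyscall disabled and the second (both `[vdso]` and `[vsyscall]`) is a host where CentOS 6 images will run.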
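Review bot: In PATCH 3/4, second hunk, the "Further reading" line is rewritten with "\ No newline at end of file", which undoes the trailing newline that PATCH 2/4 added and that PATCH 4/4 then has to add again. Please keep the final newline in this commit, or squash the series so the file ending is changed once.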
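Review bot: In PATCH 4/4, second hunk, the whitespace cleanup stops short: "Further reading :" still has a space before the colon, and the sentence above it ("...to the kernel options in your bootloader") ends without a period. Both can be fixed in this commit. The link text "lwn.net" could also name the article it points to so readers know what they are being sent to.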