https://bugzilla.suse.com/show_bug.cgi?id=1173461 Thorsten Kukuk changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Assignee|kubic-bugs@opensuse.org |rbrown@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c1 --- Comment #1 from Fabian Vogt --- I don't think there is a race. The /tmp subvolume is mounted using /etc/fstab, which is read by systemd-fstab-generator, creating /run/systemd/generator/tmp.mount. microos-tools contains /usr/lib/systemd/system/tmp.mount, which is in a location with lower priority. So if /tmp is in fstab, it should always take precedence. If not, that's a bug. I don't like that a .mount unit is part of a package, this should IMO be done in /etc/fstab instead. By YaST with the installer and in config.sh for image builds. Otherwise we have a system which only boots properly if a "-tools" package is installed. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c3 --- Comment #3 from Thorsten Kukuk --- (In reply to Fabian Vogt from comment #1)

I don't like that a .mount unit is part of a package, this should IMO be done in /etc/fstab instead. By YaST with the installer and in config.sh for image builds.

This makes it impossible for us to fix any problems which may occour for installed systems. I think distribution/system relevant mount points should really come from .mount units and not written by an installer in /etc/fstab. The later one is always making trouble after some time. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c5 --- Comment #5 from Fabian Vogt --- (In reply to Thorsten Kukuk from comment #2)

(In reply to Fabian Vogt from comment #1)

...

Otherwise we have a system which only boots properly if a "-tools" package is installed.

MicroOS works only properly if the tools package is installed ...

AFAICT, only tmp.mount is actually necessary. I propose moving that file into read-only-root-fs, IMO it makes more sense there. That's also used by transactional-server, but as /tmp is currently mounted as subvolume that would be a noop. I propose changing it to tmpfs there as well though. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c7 Richard Brown changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #7 from Richard Brown --- Skelcd SR's otw for MicroOS, Kubic, and Transactional Server on openSUSE Fabian has already taken care of the images Marking bug as fixed -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c9 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |iforster@suse.com Resolution|FIXED |--- --- Comment #9 from Fabian Vogt --- This change completely broke transactional-server: https://openqa.opensuse.org/tests/1326389 It does not have /tmp as subvolume but no tmp.mount from microos-tools either. To fix this, the unit has to be moved to read-only-root-fs (as proposed in comment 5) or the tmp subvol added back. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c10 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |systemd-maintainers@suse.de Flags| |needinfo?(systemd-maintaine | |rs@suse.de) --- Comment #10 from Fabian Vogt --- (In reply to Fabian Vogt from comment #9)

This change completely broke transactional-server: https://openqa.opensuse.org/tests/1326389

It does not have /tmp as subvolume but no tmp.mount from microos-tools either.

To fix this, the unit has to be moved to read-only-root-fs (as proposed in comment 5) or the tmp subvol added back.

@systemd-maintainers: What about having a systemd subpackage (systemd-tmpfs?) which provides tmp.mount in local-fs.target.wants? That way it it's possible to set up /tmp as tmpfs during installation even. There isn't really any reason to make this MicroOS/read-only-root-fs specific. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c11 --- Comment #11 from Thorsten Kukuk --- I thought we agreed on not to change transactional-server yet, only MicroOS to start with. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c13 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kukuk@suse.com Flags| |needinfo?(kukuk@suse.com) --- Comment #13 from Fabian Vogt --- (In reply to Thorsten Kukuk from comment #12)

(In reply to Fabian Vogt from comment #10)

...

@systemd-maintainers: What about having a systemd subpackage (systemd-tmpfs?) which provides tmp.mount in local-fs.target.wants? That way it it's possible to set up /tmp as tmpfs during installation even. There isn't really any reason to make this MicroOS/read-only-root-fs specific.

We need different options in tmp.mount for MicroOS than the systemd variant has. So this will not help us.

Which ones and why? They look very compatible. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c15 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(systemd-maintaine | |rs@suse.de) --- Comment #15 from Fabian Vogt --- (In reply to Thorsten Kukuk from comment #14)

(In reply to Fabian Vogt from comment #13)

...

Which ones and why? They look very compatible.

There are requests for "noexec" and similar stuff. Something which is Ok for a Container Host OS, but I'm pretty sure will create problems on standard systems.

At least noexec would break the current transactional-update self-update mechanism. If at some point in the future MicroOS should have different options for /tmp, that can be achieved with dropins AFAICT. In any case, the change requested from comment 10 can be useful outside of MicroOS as well, it was even requested on the ML. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c17 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fbui@suse.com Flags|needinfo?(systemd-maintaine | |rs@suse.de) | --- Comment #17 from Franck Bui --- systemd already ships tmp.mount in /usr/share/systemd/ so if anyone wants to switch to tmpfs for /tmp, he just needs to do 'systemctl link /usr/share/systemd/tmp.mount'. Regarding shipping systemd-tmpfs, I would try to avoid that otherwise we will end up with ton of systemd sub packages for just configuring the different systems out there (we have already systemd-logger, and now we're considering shipping a new sub package to just use different time server pools on SUSE and on openSUSE...) -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c19 --- Comment #19 from Ludwig Nussel --- What's needed to go for /tmp on tmpfs in general like upstream systemd would do by default? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c21 --- Comment #21 from Franck Bui --- (In reply to Ludwig Nussel from comment #19)

What's needed to go for /tmp on tmpfs in general like upstream systemd would do by default?

We would just need to stop moving tmp.mount from /usr/lib/systemd to /usr/share/systemd. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c30 --- Comment #30 from Swamp Workflow Management --- SUSE-SU-2020:2105-1: An update that solves 22 vulnerabilities and has 193 fixes is now available. Category: security (important) Bug References: 1058115,1065729,1071995,1085030,1148868,1152472,1152489,1153274,1154353,1154492,1155518,1155798,1156395,1157169,1158050,1158242,1158265,1158748,1158765,1158983,1159781,1159867,1160947,1161495,1162002,1162063,1162400,1162702,1164648,1164777,1164780,1165211,1165933,1165975,1166985,1167104,1167651,1167773,1168230,1168779,1168838,1168959,1169021,1169094,1169194,1169514,1169681,1169771,1170011,1170284,1170442,1170617,1170774,1170879,1170891,1170895,1171150,1171189,1171191,1171219,1171220,1171246,1171417,1171513,1171529,1171530,1171662,1171688,1171699,1171732,1171739,1171743,1171759,1171828,1171857,1171868,1171904,1171915,1171982,1171983,1171988,1172017,1172046,1172061,1172062,1172063,1172064,1172065,1172066,1172067,1172068,1172069,1172073,1172086,1172095,1172169,1172170,1172201,1172208,1172223,1172342,1172343,1172344,1172365,1172366,1172374,1172391,1172393,1172394,1172453,1172458,1172467,1172484,1172537,1172543,1172687,1172719,1172739,1172751,1172759,1172775,1172781,1172782,1172783,117281 4,1172823,1172841,1172871,1172938,1172939,1172940,1172956,1172983,1172984,1172985,1172986,1172987,1172988,1172989,1172990,1172999,1173060,1173068,1173074,1173085,1173139,1173206,1173271,1173280,1173284,1173428,1173438,1173461,1173514,1173552,1173573,1173625,1173746,1173776,1173817,1173818,1173820,1173822,1173823,1173824,1173825,1173826,1173827,1173828,1173830,1173831,1173832,1173833,1173834,1173836,1173837,1173838,1173839,1173841,1173843,1173844,1173845,1173847,1173849,1173860,1173894,1173941,1174018,1174072,1174116,1174126,1174127,1174128,1174129,1174185,1174244,1174263,1174264,1174331,1174332,1174333,1174345,1174356,1174396,1174398,1174407,1174409,1174411,1174438,1174462,1174513,1174527,1174543,1174627,962849 CVE References: CVE-2019-19462,CVE-2019-20810,CVE-2019-20812,CVE-2020-0305,CVE-2020-10135,CVE-2020-10711,CVE-2020-10732,CVE-2020-10751,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10773,CVE-2020-10781,CVE-2020-12656,CVE-2020-12769,CVE-2020-12771,CVE-2020-12888,CVE-2020-13143,CVE-2020-13974,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 15-SP2 (src): kernel-default-5.3.18-24.9.1 SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src): kernel-default-5.3.18-24.9.1 SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): kernel-docs-5.3.18-24.9.2, kernel-obs-build-5.3.18-24.9.1, kernel-preempt-5.3.18-24.9.1, kernel-source-5.3.18-24.9.1, kernel-syms-5.3.18-24.9.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): kernel-default-5.3.18-24.9.1, kernel-default-base-5.3.18-24.9.1.9.2.6, kernel-preempt-5.3.18-24.9.1, kernel-source-5.3.18-24.9.1 SUSE Linux Enterprise High Availability 15-SP2 (src): kernel-default-5.3.18-24.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c32 --- Comment #32 from OBSbugzilla Bot --- This is an autogenerated message for OBS integration: This bug (1173461) was mentioned in https://build.opensuse.org/request/show/830200 Factory / kiwi-templates-JeOS -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1173461 https://bugzilla.suse.com/show_bug.cgi?id=1173461#c35 --- Comment #35 from Swamp Workflow Management --- openSUSE-SU-2021:0242-1: An update that solves 79 vulnerabilities and has 676 fixes is now available. Category: security (moderate) Bug References: 1034995,1040855,1043347,1044120,1044767,1055014,1055117,1055186,1058115,1061843,1065600,1065729,1066382,1071995,1077428,1085030,1094244,1094840,1109695,1115431,1120163,1129923,1133021,1134760,1136666,1138374,1139944,1148868,1149032,1152148,1152457,1152472,1152489,1153274,1154353,1154488,1154492,1154824,1155518,1155798,1156315,1156395,1157169,1158050,1158242,1158265,1158748,1158765,1158775,1158983,1159058,1159781,1159867,1159886,1160388,1160634,1160947,1161099,1161495,1162002,1162063,1162209,1162400,1162702,1163592,1163727,1164648,1164777,1164780,1165211,1165455,1165629,1165692,1165933,1165975,1166146,1166166,1166340,1166965,1166985,1167030,1167104,1167527,1167651,1167657,1167773,1167851,1168230,1168461,1168468,1168779,1168838,1168952,1168959,1169021,1169094,1169194,1169263,1169514,1169681,1169763,1169771,1169790,1169795,1170011,1170139,1170232,1170284,1170415,1170442,1170617,1170621,1170774,1170879,1170891,1170895,1171000,1171068,1171073,1171078,1171117,1171150,1171156,1171189,117119 1,1171218,1171219,1171220,1171236,1171242,1171246,1171285,1171293,1171374,1171390,1171391,1171392,1171417,1171426,1171507,1171513,1171514,1171529,1171530,1171558,1171634,1171644,1171662,1171675,1171688,1171699,1171709,1171730,1171732,1171736,1171739,1171742,1171743,1171759,1171773,1171774,1171775,1171776,1171777,1171778,1171779,1171780,1171781,1171782,1171783,1171784,1171785,1171786,1171787,1171788,1171789,1171790,1171791,1171792,1171793,1171794,1171795,1171796,1171797,1171798,1171799,1171810,1171827,1171828,1171832,1171833,1171834,1171835,1171839,1171840,1171841,1171842,1171843,1171844,1171849,1171857,1171868,1171904,1171915,1171982,1171983,1171988,1172017,1172046,1172061,1172062,1172063,1172064,1172065,1172066,1172067,1172068,1172069,1172073,1172086,1172095,1172108,1172145,1172169,1172170,1172197,1172201,1172208,1172223,1172247,1172317,1172342,1172343,1172344,1172365,1172366,1172374,1172391,1172393,1172394,1172418,1172419,1172453,1172458,1172467,1172484,1172537,1172543,1172687,117 2719,1172733,1172739,1172751,1172757,1172759,1172775,1172781,1172782,1172783,1172814,1172823,1172841,1172871,1172873,1172938,1172939,1172940,1172956,1172963,1172983,1172984,1172985,1172986,1172987,1172988,1172989,1172990,1172999,1173017,1173068,1173074,1173085,1173115,1173139,1173206,1173267,1173271,1173280,1173284,1173428,1173438,1173461,1173468,1173485,1173514,1173552,1173573,1173625,1173746,1173776,1173798,1173813,1173817,1173818,1173820,1173822,1173823,1173824,1173825,1173826,1173827,1173828,1173830,1173831,1173832,1173833,1173834,1173836,1173837,1173838,1173839,1173841,1173843,1173844,1173845,1173847,1173849,1173860,1173894,1173941,1173954,1174002,1174003,1174018,1174026,1174029,1174072,1174098,1174110,1174111,1174116,1174126,1174127,1174128,1174129,1174146,1174185,1174205,1174244,1174263,1174264,1174331,1174332,1174333,1174345,1174356,1174358,1174362,1174387,1174396,1174398,1174407,1174409,1174411,1174438,1174462,1174484,1174486,1174513,1174527,1174625,1174627,1174645,1174689, 1174699,1174737,1174748,1174757,1174762,1174770,1174771,1174777,1174805,1174824,1174825,1174852,1174865,1174880,1174897,1174899,1174906,1174969,1175009,1175010,1175011,1175012,1175013,1175014,1175015,1175016,1175017,1175018,1175019,1175020,1175021,1175052,1175079,1175112,1175116,1175128,1175149,1175175,1175176,1175180,1175181,1175182,1175183,1175184,1175185,1175186,1175187,1175188,1175189,1175190,1175191,1175192,1175195,1175199,1175213,1175232,1175263,1175284,1175296,1175306,1175344,1175345,1175346,1175347,1175367,1175377,1175440,1175480,1175493,1175546,1175550,1175599,1175621,1175654,1175667,1175691,1175718,1175721,1175749,1175768,1175769,1175770,1175771,1175772,1175774,1175775,1175787,1175807,1175834,1175873,1175882,1175898,1175918,1175952,1175995,1175996,1175997,1175998,1175999,1176000,1176001,1176019,1176022,1176038,1176063,1176069,1176109,1176137,1176180,1176200,1176235,1176236,1176237,1176242,1176354,1176357,1176358,1176359,1176360,1176361,1176362,1176363,1176364,1176365,11763 66,1176367,1176381,1176396,1176400,1176423,1176449,1176481,1176485,1176486,1176507,1176536,1176537,1176538,1176539,1176540,1176541,1176542,1176543,1176544,1176545,1176546,1176548,1176558,1176559,1176564,1176586,1176587,1176588,1176659,1176698,1176699,1176700,1176713,1176721,1176722,1176725,1176732,1176763,1176775,1176788,1176789,1176833,1176855,1176869,1176877,1176907,1176925,1176942,1176956,1176962,1176979,1176980,1176983,1176990,1177021,1177030,1177066,1177070,1177086,1177090,1177109,1177121,1177193,1177194,1177206,1177258,1177271,1177281,1177283,1177284,1177285,1177286,1177297,1177326,1177353,1177384,1177397,1177410,1177411,1177470,1177500,1177511,1177617,1177666,1177679,1177681,1177683,1177687,1177694,1177697,1177698,1177703,1177719,1177724,1177725,1177726,1177733,1177739,1177749,1177750,1177754,1177755,1177765,1177766,1177799,1177801,1177814,1177817,1177820,1177854,1177855,1177856,1177861,1178002,1178049,1178079,1178123,1178166,1178173,1178175,1178176,1178177,1178182,1178183,11 78184,1178185,1178186,1178190,1178191,1178203,1178227,1178246,1178255,1178270,1178286,1178307,1178330,1178393,1178395,1178401,1178426,1178461,1178579,1178581,1178584,1178585,1178589,1178590,1178612,1178634,1178635,1178653,1178659,1178660,1178661,1178669,1178686,1178740,1178755,1178756,1178762,1178780,1178838,1178853,1178886,1179001,1179012,1179014,1179015,1179045,1179076,1179082,1179107,1179140,1179141,1179160,1179201,1179204,1179211,1179217,1179419,1179424,1179425,1179426,1179427,1179429,1179432,1179434,1179435,1179442,1179519,1179550,1179575,1179578,1179601,1179604,1179639,1179652,1179656,1179670,1179671,1179672,1179673,1179675,1179676,1179677,1179678,1179679,1179680,1179681,1179682,1179683,1179684,1179685,1179687,1179688,1179689,1179690,1179703,1179704,1179707,1179709,1179710,1179711,1179712,1179713,1179714,1179715,1179716,1179745,1179763,1179887,1179888,1179892,1179896,1179960,1179963,1180027,1180029,1180031,1180052,1180056,1180086,1180117,1180258,1180261,1180349,1180506,1180541 ,1180559,1180566,173030,744692,789311,954532,995541 CVE References: CVE-2019-19462,CVE-2019-20810,CVE-2019-20812,CVE-2020-0110,CVE-2020-0305,CVE-2020-0404,CVE-2020-0427,CVE-2020-0431,CVE-2020-0432,CVE-2020-0444,CVE-2020-0465,CVE-2020-0466,CVE-2020-0543,CVE-2020-10135,CVE-2020-10711,CVE-2020-10732,CVE-2020-10751,CVE-2020-10757,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10773,CVE-2020-10781,CVE-2020-11668,CVE-2020-12351,CVE-2020-12352,CVE-2020-12652,CVE-2020-12656,CVE-2020-12769,CVE-2020-12771,CVE-2020-12888,CVE-2020-13143,CVE-2020-13974,CVE-2020-14314,CVE-2020-14331,CVE-2020-14351,CVE-2020-14356,CVE-2020-14385,CVE-2020-14386,CVE-2020-14390,CVE-2020-14416,CVE-2020-15393,CVE-2020-15436,CVE-2020-15437,CVE-2020-15780,CVE-2020-16120,CVE-2020-16166,CVE-2020-1749,CVE-2020-24490,CVE-2020-2521,CVE-2020-25212,CVE-2020-25284,CVE-2020-25285,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645,CVE-2020-25656,CVE-2020-25668,CVE-2020-25669,CVE-2020-25704,CVE-2020-25705,CVE-2020-26088,CVE-2020-27068,CVE-2020-27777,CVE-2020-27786,CVE-2020-27825,CVE-2020-27830,CVE-2 020-28915,CVE-2020-28941,CVE-2020-28974,CVE-2020-29369,CVE-2020-29370,CVE-2020-29371,CVE-2020-29373,CVE-2020-29660,CVE-2020-29661,CVE-2020-36158,CVE-2020-4788,CVE-2020-8694 JIRA References: Sources used: openSUSE Leap 15.2 (src): kernel-rt-5.3.18-lp152.3.5.1, kernel-rt_debug-5.3.18-lp152.3.5.1, kernel-source-rt-5.3.18-lp152.3.5.1, kernel-syms-rt-5.3.18-lp152.3.5.1 -- You are receiving this mail because: You are on the CC list for the bug.