A segfault error occurs when ECS instances running Alibaba Cloud Linux 2 run Docker images of earlier versions

Last Updated: Aug 28, 2020

Disclaimer: this document may contain information about third-party products that are for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Problem Description

A "segfault" error is returned when an ECS instance that meets the following conditions is running an earlier Docker image.

  • Image: aliyun-2.1903-x64-20G-alibase-20190327.vhd and all later images.
  • Kernel: kernel-4.19.24-9.al7 and all later kernel versions.

The specific error information is as follows.

bash[2299] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffd1b965a48 ax:ffffffffff600400 si:7ffd1b965f5c di:0
bash[2299] segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffd1b965a48 error 15
Code: Bad RIP value.

Cause of problem

vsyscall and vDSO are two kernel mechanisms for accelerating specific system calls. Docker images whose glibc version is earlier than 2.14 use the vsyscall mechanism instead of the vDSO mechanism. For more information, see "On vsyscalls and the vDSO". The two mechanisms differ as follows:

  • vsyscall exposes many security risks, so vDSO is recommended in newer operating systems.
  • vDSO provides emulation compatibility with vsyscall, but this significantly affects the performance of the application.

Solution

Alibaba Cloud reminds you that:

  • Before you perform risky operations on an instance or its data, check the disaster tolerance and fault tolerance capabilities of the instance to ensure data security.
  • If you modify the configuration and data of an instance (including but not limited to ECS and RDS), we recommend that you create snapshots or enable RDS log backup.
  • If you have granted permissions on the Alibaba Cloud platform or submitted security information such as the logon account and password, we recommend that you modify the information as soon as possible.

Temporary solution

Run the following commands in sequence on the ECS instance to set vsyscall to emulate mode and restart the operating system:

Note: modifying the vsyscall mode and restarting the operating system are risky operations. Before you perform these operations, create a snapshot and back up your data to ensure data security.

sudo grubby --update-kernel="/boot/vmlinuz-$(uname -r)" --args="vsyscall=emulate"
sudo reboot

Note: If you use this solution, the performance of applications in the container may decline.

Fixed solution

Check whether the version of glibc in the Docker image is earlier than 2.14. If yes, upgrade glibc in the Docker image. If you use images created based on distributions such as CentOS and RHEL, we recommend that you use CentOS 7, RHEL 7, or later.
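
One way to perform this check without running anything inside the image, which matters because the image's own tools may segfault on an affected host. This is an added example, not Alibaba Cloud's own tooling; the script name, function names, and IMAGE argument are hypothetical, and it assumes the image ships glibc under its versioned file name (for example lib64/libc-2.12.so).

```shell
#!/usr/bin/env bash
# Added example: read an image's glibc version from its file listing,
# without executing anything inside the image.

# stdin: one path per line (e.g. from `tar -t`). Prints major.minor taken
# from the versioned library name, such as lib64/libc-2.12.so.
glibc_version_from_listing() {
    sed -nE 's#^(.*/)?libc-([0-9]+\.[0-9]+)(\.[0-9]+)?\.so$#\2#p' |
        sort -u | head -n 1
}

# Succeeds when VERSION (major.minor) is earlier than 2.14.
glibc_older_than_2_14() {
    local major="${1%%.*}" minor="${1#*.}"
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 14 ]; }
}

# Returns 0 if the image is fine, 1 if glibc is too old, 2 if undetermined.
check_image() {
    local image="$1" cid version
    # The container is created but never started; "true" is a placeholder
    # command so that images without a default command can be created too.
    cid=$(docker create "$image" true) || return 2
    version=$(docker export "$cid" | tar -tf - | glibc_version_from_listing)
    docker rm "$cid" >/dev/null
    if [ -z "$version" ]; then
        echo "$image: no versioned libc-X.Y.so found (other libc or newer layout)"
        return 2
    elif glibc_older_than_2_14 "$version"; then
        echo "$image: glibc $version is earlier than 2.14; upgrade glibc in the image"
        return 1
    fi
    echo "$image: glibc $version is 2.14 or later"
}

# Usage: ./check-glibc.sh IMAGE   (IMAGE is whatever image name you run)
if [ "$#" -gt 0 ]; then
    check_image "$1"
fi
```

An exit status of 2 means the version could not be determined from file names and the image needs a manual look.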

Applicable to

  • Elastic Compute Service