Disclaimer: this document may contain information about third-party products that are for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
A "segfault" error is returned when an ECS instance that meets the following conditions is running an earlier Docker image.
- aliyun-2.1903-x64-20G-alibase-20190327.vhd and all images after that.
- kernel-4.19.24-9.al7 and all later kernel versions.
The specific error information is as follows.
    bash vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffd1b965a48 ax:ffffffffff600400 si:7ffd1b965f5c di:0
    bash segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffd1b965a48 error 15
    Code: Bad RIP value.
Cause of problem
vsyscall and vDSO are two kernel mechanisms for accelerating specific system calls. Docker images whose glibc version is earlier than 2.14 use the vsyscall mechanism instead of the vDSO mechanism. For more information, see "On vsyscalls and the vDSO". The two mechanisms are introduced as follows:
- vsyscall exposes many security risks, so vDSO is recommended in newer operating systems.
- vDSO provides emulation compatibility with vsyscall, but it will significantly affect the performance of the application.
Alibaba Cloud reminds you that:
- If you perform any risky operations on an instance or data, pay attention to the disaster tolerance and fault tolerance capabilities of the instance to ensure data security.
- If you modify the configuration and data of an instance (including but not limited to ECS and RDS), we recommend that you create snapshots or enable RDS log backup.
- If you have granted permissions on the Alibaba Cloud platform or submitted security information such as the logon account and password, we recommend that you modify the information as soon as possible.
Run the following commands in sequence on the ECS instance to set vsyscall to the emulate mode and restart the operating system:
Note: modifying the vsyscall mode and restarting the operating system are risky operations. Before you perform these operations, create a snapshot and back up your data to ensure data security.
    sudo grubby --update-kernel="/boot/vmlinuz-$(uname -r)" --args="vsyscall=emulate"
    sudo reboot
Note: If this solution is used, the application performance in the container may decline.
Check whether the version of glibc in the Docker image is earlier than 2.14. If yes, upgrade glibc in the Docker image. If you use images created based on distributions such as CentOS and RHEL, we recommend that you use CentOS 7, RHEL 7, or later.
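To confirm which case applies before and after the change, the following added example (not part of the original Alibaba Cloud article) reads the vsyscall mode from a kernel command line, tests a glibc version string against 2.14, and extracts the affected process names from kernel log text. The function names and the sample command line are constructed for illustration; the first two sample log lines are the ones quoted above.

```sh
#!/bin/sh
# Added example: triage helpers for the "vsyscall attempted with vsyscall=none" segfault.
# Function names and SAMPLE_CMDLINE are constructed for illustration.

# Print the vsyscall= value from a kernel command line (last occurrence),
# or "unset" when the parameter is absent and the kernel build default applies.
vsyscall_mode() {
    mode=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^vsyscall=//p' | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Return 0 when a glibc version string such as "2.12" or "2.12-1.212.el6"
# is earlier than 2.14, the threshold given in the article.
glibc_needs_vsyscall() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}      # keep only the leading digits of the minor part
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 14 ]; }
}

# Read kernel log text on stdin and print the unique process names that
# touched the disabled vsyscall page.
vsyscall_faulting_procs() {
    awk '/vsyscall attempted with vsyscall=none/ {
        for (i = 2; i < NF; i++)
            if ($i == "vsyscall" && $(i + 1) == "attempted") {
                name = $(i - 1)
                sub(/\[[0-9]+\]$/, "", name)   # drop a trailing "[pid]" if present
                print name
                break
            }
    }' | sort -u
}

# Sample input: two log lines from the article plus one constructed unrelated line.
SAMPLE_LOG='bash vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffd1b965a48 ax:ffffffffff600400 si:7ffd1b965f5c di:0
bash segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffd1b965a48 error 15
systemd[1]: Started Docker Application Container Engine.'
SAMPLE_CMDLINE='root=/dev/vda1 ro vsyscall=none quiet'   # constructed

echo "sample mode: $(vsyscall_mode "$SAMPLE_CMDLINE")"
echo "sample faulting processes: $(printf '%s\n' "$SAMPLE_LOG" | vsyscall_faulting_procs)"
if [ -r /proc/cmdline ]; then
    echo "this host: vsyscall=$(vsyscall_mode "$(cat /proc/cmdline)")"
fi
```

On a live instance, pipe `dmesg` output into `vsyscall_faulting_procs`, and pass the version reported by `ldd --version` inside the container to `glibc_needs_vsyscall`.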
- Elastic Compute Service