workaround(azurelinux-release): bind-mount /proc/version for CBL-Mariner compat#16446
Conversation
Pull request overview
This PR adds an Azure Linux–side workaround to preserve compatibility with legacy tooling that greps /proc/version for “Mariner”, by generating a modified version string at boot and bind-mounting it over /proc/version in VM environments.
Changes:
- Add a `proc-version-override` oneshot systemd service and helper script that generates and bind-mounts an override for `/proc/version`.
- Ship and enable the new unit by default via the `azurelinux-release` package (spec + systemd preset updates).
- Bump the `azurelinux-release` `Release` tag and add a changelog entry.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| base/comps/azurelinux-release/proc-version-override.sh | Adds script to generate an override string and bind-mount it over /proc/version. |
| base/comps/azurelinux-release/proc-version-override.service | Adds oneshot unit intended to run early in VMs and manage the bind mount lifecycle. |
| base/comps/azurelinux-release/azurelinux-release.spec | Packages the new unit + script and bumps release/changelog. |
| base/comps/azurelinux-release/90-default.preset | Enables the new service by default via presets. |
christopherco
left a comment
Had a general suggestion for an alternate pattern, but overall this workaround does work for us.
```bash
install -m 0444 /dev/null "$OVERRIDE"
cat > "$OVERRIDE" <<EOF
Linux version ${KVER} (root@CBL-Mariner-azurelinux) ${TAIL}
EOF
chmod 0444 "$OVERRIDE"
```
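Review bot: `install -m 0444 /dev/null "$OVERRIDE"` creates the file read-only before `cat > "$OVERRIDE"` writes into it, so the write succeeds only because the unit runs as root and bypasses the 0444 mode, and the trailing `chmod 0444 "$OVERRIDE"` is then redundant. Writing to a temp file in the same directory, setting 0444 on it and renaming it over `$OVERRIDE` would avoid depending on root's DAC bypass and would also keep readers from ever seeing a half-written version string.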
suggestion (non-blocking): While this will work as a workaround for the issue we are facing, keep in mind a different pattern to write to a temp file, do an atomic move operation, then chmod 444 the final file. Readers reading the $OVERRIDE while it is being written could read partial content. Not an issue here since this one-shot service will run well before the guest extension runs, but something to keep in mind for future
Actually, checking the commits, these need to be squashed into 1 commit so the final merged git history looks proper after the rebase-merge. I'll handle that.
…ner compat

Extensions grep /proc/version for "Mariner" to detect the OS. AZL no longer includes that string since it builds with Fedora's kernel toolchain.

Add a systemd oneshot service that generates a /proc/version override at boot, replacing the user@host field with "root@CBL-Mariner-azurelinux", and bind-mounts it over /proc/version. This preserves the real kernel version, compiler string, and build timestamp while satisfying legacy detection logic.

The service runs early (before walinuxagent and cloud-init) and only activates inside VMs (ConditionVirtualization=vm).

Hardened proc-version-override service:
- Fix shebang to #!/bin/bash for portability
- Add idempotent mount handling: unwind stacked mounts with while-findmnt loop before rebinding
- Make override file read-only (0444) and remount bind as ro
- Use dash-prefixed ExecStop/ExecStopPost for robust cleanup on stop (umount + rm override file)

8e3732d to 91fad25
Apologies for the late comment, did not see this go by. While the bind mount mechanism works it is rather kludgy. There is an accepted upstream method to do this via KBUILD_BUILD_USER and KBUILD_BUILD_HOST. Maybe this was discussed and we had reasons to not use them. In that case I would first try patching https://www.kernel.org/doc/html/latest/kbuild/reproducible-builds.html is a good reference.
We briefly touched on this KBuild method initially, specifically debating whether we should temporarily hardcode our kernel build string, or do a per-app bind-mount method. We ended up going with the bind-mount method because /proc/version is currently outputting the proper information about the actual builder environment that the kernel is built in, and that is the correct behavior. Certain software that is scraping /proc/version and changing their logic based on string search of specific key words ("Mariner" in this case) in the builder information is what really needs to be updated, as that software shouldn't condition code paths based on non-deterministic kernel build-host information. That being said, we were hoping to bind-mount at a per-app level, rather than system-wide, to allow non-misbehaving software to actually see the correct /proc/version. Since we ended up going with a system-wide method due to late-found impracticalities of the per-app method, we should re-evaluate just setting KBUILD_BUILD_HOST and removing the bind-mount kludge for better consistency. Will discuss it this week. cc: @rlmenge
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- … *-static subpackages, etc.) have had their Release tag incremented.
- … ./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- … ./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- … *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
Extensions grep /proc/version for "Mariner" to detect the OS. AZL no longer includes that string since it builds with Fedora's kernel toolchain.
Add a systemd oneshot service that generates a /proc/version override at boot, replacing the user@host field with "root@CBL-Mariner-azurelinux", and bind-mounts it over /proc/version. This preserves the real kernel version, compiler string, and build timestamp while satisfying legacy detection logic.
The service runs early (before walinuxagent and cloud-init) and only activates inside VMs (ConditionVirtualization=vm).
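As an added example (not the PR's proc-version-override.sh and not Azure Linux code), the bash script below shows the two pieces discussed on this page together: rewriting only the user@host field of a /proc/version line while keeping the kernel version, compiler string and build timestamp untouched, and publishing the result with the write-to-temp, chmod, atomic-rename pattern suggested in review rather than writing into the final file in place. The function names, the OVERRIDE_HOST variable and the sample version line are assumptions constructed for this example; the findmnt-based check is an idempotency helper that needs util-linux and is only a guard, not the bind mount itself.

```shell
#!/bin/bash
# Added example; not the project's proc-version-override.sh.
# Function and variable names are assumptions made for this example.
set -euo pipefail

# The user@host string the legacy extensions grep for.
OVERRIDE_HOST="root@CBL-Mariner-azurelinux"

# Replace only the "(user@host)" field of a /proc/version line.
# Everything else (version, compiler string, build timestamp) passes
# through unchanged, so the override stays truthful about the kernel.
make_override_line() {
    local line="$1"
    printf '%s\n' "$line" |
        sed -E "s/^(Linux version [^ ]+) \([^)]*\)/\1 (${OVERRIDE_HOST})/"
}

# Write content to a temp file in the destination's directory, set the
# final mode, then rename over the destination. rename() is atomic, so a
# reader sees either the old file or the complete new one, never a
# partial write, and no step depends on root bypassing a 0444 mode.
write_override_atomic() {
    local dest="$1" content="$2" tmp
    tmp="$(mktemp "$(dirname "$dest")/.proc-version.XXXXXX")"
    printf '%s\n' "$content" > "$tmp"
    chmod 0444 "$tmp"
    mv -f "$tmp" "$dest"
}

# True when something is already mounted over /proc/version, which a
# oneshot should check before stacking another bind mount on top.
proc_version_is_overridden() {
    command -v findmnt >/dev/null 2>&1 &&
        findmnt -n /proc/version >/dev/null 2>&1
}

# Demo on a constructed sample line (not from a real host). The real
# service would feed "$(cat /proc/version)" to make_override_line and
# then bind-mount the written file over /proc/version.
if [ "${1:-}" = "--demo" ]; then
    SAMPLE='Linux version 6.6.0-example (mockbuild@buildhost) (gcc (GCC) 13.2.0) #1 SMP Mon Jan 1 00:00:00 UTC 2024'
    OUT_DIR="$(mktemp -d)"
    write_override_atomic "$OUT_DIR/version" "$(make_override_line "$SAMPLE")"
    cat "$OUT_DIR/version"
    if proc_version_is_overridden; then
        echo "/proc/version is already a mount point on this host"
    fi
fi
```

Run with `--demo` to print the rewritten line; the only field that changes is the fourth one, which is exactly what the detection logic in the guest extensions keys on.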
Change Log
Associated issues
Test Methodology