[release/1.1 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 #3083
Conversation
This includes an improved fix for CVE-2019-5736 to reduce the increased memory-consumption introduced by the original patch, RHEL 7.6 getting into a loop due to a kernel bug in those kernels, and improve compatibility with older kernels.

changes included:
- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@@ -1,8 +1,9 @@ | |||
# OCI runtime-spec. When updating this, make sure you use a version tag rather | |||
# than a commit ID so it's much more obvious what version of the spec we are | |||
# using. | |||
github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294 | |||
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 |
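Review bot: the header comment kept in this hunk says to pin runtime-spec by a version tag rather than a commit ID, yet the replacement line still pins a bare commit (`github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4`). Either pin the tagged release that contains this commit, or, if the intent is to track exactly what the vendored runc pins (as the review thread suggests), say so in the comment so the next bump does not "fix" it back to a tag without checking runc.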
do we want the vendored version to match this one?
I think it makes sense to use the runtime-spec that matches runc; IMO
ok, I'll update this PR, and update that as well, thanks!
how tightly coupled other dependencies are to the version of runc; going through history when the runtime-spec was updated (to double-check if local changes are needed for specific bumps), I arrived at #2500 as the first bump since the 1.1 release; that one also updates
Codecov Report
@@ Coverage Diff @@
## release/1.1 #3083 +/- ##
============================================
Coverage 49.07% 49.07%
============================================
Files 85 85
Lines 7598 7598
============================================
Hits 3729 3729
Misses 3194 3194
Partials 675 675
@crosbymichael could you help with this? I was discussing with @estesp but we both weren't sure if those should be updated here as well
match them
You probably don't want to backport this yet -- I just realised the bind-mount approach isn't fool-proof. I'm working on a follow-up patch that should be ready soon.
Thanks, I just saw your comment; let me mark this one WIP
You can drop the WIP -- I've closed opencontainers/runc#2006 after deciding that running CAP_SYS_ADMIN (in a non-userns container with AppArmor disabled) was always unsafe and it makes no sense to block a working fix based on that.
Hey @thaJeztah; sounds like we can go ahead with this, but I guess at this point you should do the vendor update per @crosbymichael's comment about keeping them in sync. Thanks!
Ahm yes, didn't finish that yet; let me make some time to finish the vendoring 🤗
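The review thread above asks that the runtime-spec pinned in containerd's vendor.conf match the one vendored by the pinned runc. The script below is an added example, not containerd's or runc's own tooling: it parses the vendor.conf line format (`<import-path> <ref> [<repo>]`, `#` comments), compares the pin for one import path across two files, and flags a pin that is a raw commit ID rather than the version tag the file's own comment asks for. Both vendor.conf excerpts are constructed stand-ins; the runc one assumes runc pins the same runtime-spec commit named in runc#1973.

```shell
#!/bin/sh
# Added example: check that a dependency pinned in containerd's vendor.conf
# matches the pin in runc's vendor.conf, and warn when a commit ID is used
# where the file comment asks for a version tag.

# Constructed excerpt standing in for containerd's vendor.conf after this PR.
CONTAINERD_VENDOR='# OCI runtime-spec. Use a version tag rather than a commit ID.
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30'

# Constructed excerpt standing in for runc'"'"'s vendor.conf at the pinned commit
# (assumed content; fetch the real file from that commit before trusting it).
RUNC_VENDOR='# runc vendor pins
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4'

# pin_for <vendor.conf contents> <import path>: print the pinned ref (empty if absent).
pin_for() {
    printf '%s\n' "$1" | awk -v path="$2" \
        '$0 !~ /^[[:space:]]*#/ && $1 == path { print $2; exit }'
}

# is_commit_id <ref>: succeed when ref is a 40-hex SHA rather than a tag.
is_commit_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# check_sync <containerd vendor.conf> <runc vendor.conf> <import path>
# Prints "in-sync <ref>", "MISMATCH <a> <b>" or "missing pin"; exit status mirrors it.
check_sync() {
    a=$(pin_for "$1" "$3")
    b=$(pin_for "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "missing pin for $3"
        return 2
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH $a $b"
        return 1
    fi
    echo "in-sync $a"
    return 0
}

check_sync "$CONTAINERD_VENDOR" "$RUNC_VENDOR" github.com/opencontainers/runtime-spec
if is_commit_id "$(pin_for "$CONTAINERD_VENDOR" github.com/opencontainers/runtime-spec)"; then
    echo "warning: runtime-spec is pinned by commit ID, not a version tag"
fi
```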
Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit 5a0b040) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Madhan Raj Mookkandy <madhanm@microsoft.com> (cherry picked from commit 744d93e) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: John Howard <jhoward@microsoft.com> (cherry picked from commit 98766e8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
LGTM
LGTM
backport of #3081
This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.
changes included:
Signed-off-by: Sebastiaan van Stijn github@gone.nl
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn github@gone.nl