[release/1.2 backport] backport exec fixes #3755
Closes containerd#3286 This and a combination of a couple Docker changes are needed to fully resolve the issue on the Docker side. However, this ensures that after processes exit, we still leave some time for the I/O to fully flush before closing. Without this timeout, the delete methods would block forever. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit 2450522) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
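The grace period described in the commit message above, shown as an added example written for this page rather than containerd's own code: a stand-in stdio copier drains a process's output pipe, and the delete path waits for it with a bound, so it returns an error once the timeout passes instead of blocking forever on a pipe whose write end a leftover child process still holds open. The type and function names (`stdioCopier`, `waitForIO`, `deleteAfterExit`), the timeout values and the sample output line are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"sync"
	"time"
)

// ErrIOFlushTimeout is returned when process output did not finish draining
// within the grace period granted after the process exited.
var ErrIOFlushTimeout = errors.New("timed out waiting for process I/O to flush")

// stdioCopier drains a process's output pipe in a background goroutine and
// records what it read, standing in for a shim's stdio copy routine.
// Illustrative type for this example; not containerd's own.
type stdioCopier struct {
	wg  sync.WaitGroup
	mu  sync.Mutex
	buf []byte
}

// start launches the copy goroutine. It finishes only when r reaches EOF or
// errors, which never happens while some process still holds the write end.
func (c *stdioCopier) start(r io.Reader) {
	c.wg.Add(1)
	go func() {
		defer c.wg.Done()
		b, _ := io.ReadAll(r) // a read error is the expected way out on timeout
		c.mu.Lock()
		c.buf = append(c.buf, b...)
		c.mu.Unlock()
	}()
}

// waitForIO waits for the copier to finish, but only for `timeout`.
// Without the timeout branch this would be a plain wg.Wait(), and delete
// would block forever whenever something still holds the write end open.
func (c *stdioCopier) waitForIO(timeout time.Duration) error {
	done := make(chan struct{})
	go func() {
		c.wg.Wait()
		close(done)
	}()
	select {
	case <-done:
		return nil
	case <-time.After(timeout):
		return ErrIOFlushTimeout
	}
}

// output returns everything the copier has drained so far.
func (c *stdioCopier) output() string {
	c.mu.Lock()
	defer c.mu.Unlock()
	return string(c.buf)
}

// deleteAfterExit models the delete path once the exec'd process has exited.
// If writerLeaked is true the write end of the pipe is never closed, as when
// a child inherited it and outlived its parent; otherwise the writer closes
// normally after its output is written.
func deleteAfterExit(writerLeaked bool, timeout time.Duration) (string, error) {
	pr, pw := io.Pipe()
	c := &stdioCopier{}
	c.start(pr)

	go func() {
		fmt.Fprint(pw, "healthcheck ok\n") // constructed sample output
		if !writerLeaked {
			pw.Close() // normal case: EOF reaches the copier
		}
	}()

	err := c.waitForIO(timeout)
	if err != nil {
		// Grace period over: shut the read side so the copy goroutine
		// unblocks and exits instead of leaking, then report the timeout.
		pr.CloseWithError(err)
		c.wg.Wait()
	}
	return c.output(), err
}

func main() {
	out, err := deleteAfterExit(false, 2*time.Second)
	fmt.Printf("clean exit:  %q err=%v\n", out, err)
	out, err = deleteAfterExit(true, 200*time.Millisecond)
	fmt.Printf("leaked pipe: %q err=%v\n", out, err)
}
```

In the clean case the copier sees EOF and delete returns with the full output; in the leaked case whatever was already read is still returned, together with `ErrIOFlushTimeout`, and the copy goroutine is shut down rather than left blocked for the life of the daemon.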
Closes containerd#2832 Signed-off-by: Michael Crosby <crosbymichael@gmail.com> (cherry picked from commit 719a2c5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Temporarily marked as "WIP", because the first two backports were not marked for backporting, so I want to be sure they look reasonable for backporting to this branch. I'll remove "WIP" if they are ok and non-risky to backport. Ping @Random-Liu @crosbymichael @estesp PTAL
Keeping as "WIP" per a discussion on Slack with Michael Crosby.
Signed-off-by: Lantao Liu <lantaol@google.com> (cherry picked from commit 18be6e3) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Branch updated: 5189864 to 0877136
We don't see obvious test failures caused by that change in HEAD. It seems safe to cherry-pick.
Removed "WIP". @crosbymichael @dmcgowan PTAL
LGTM
LGTM
Codecov Report
@@            Coverage Diff             @@
##           release/1.2    #3755   +/-   ##
============================================
  Coverage       44.19%   44.19%
============================================
  Files             100      100
  Lines           10847    10847
============================================
  Hits             4794     4794
  Misses           5313     5313
  Partials          740      740
Don't merge yet; discussing with @crosbymichael, and he's still on the fence on backporting this one in a patch release.
Assuming this does not get backported to 1.2, when is a rough estimate for when a containerd with the fix will get released? (We are within the last 2 hardening sprints before a product release, and had hoped, maybe naively, that we could get this fix in.)
I'm not a maintainer, but from the quick chats I had with @crosbymichael, the main concern was that there may be risk involved in this patch (or at least, it should be battle tested). Which brings us in a bit of a chicken & egg situation; to get the patch widely tested, ideally there would be packages for people to test (beyond the automated tests in this repository and the kubernetes test suites). There's been a proposal (and implementation) to have "nightly" builds of containerd (see #3702, and https://github.com/kind-ci/containerd-nightlies/releases), which would have this patch, but the master branch has progressed quite a bit since 1.2.x, so (without having looked closely at how much this particular codepath has diverged) no guarantees that it works equally well on the 1.2 codebase. I'm open to suggestions on how to move this forward; perhaps a runtime option (env var?) to enable/disable this could be considered, but that's just thinking out loud 😂
LGTM
Just wanted to update you that this (git build after merge) did indeed fix the high CPU issue we were experiencing.
* Update the runc vendor to v1.0.0-rc10 which includes a mitigation for [CVE-2019-19921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921).
* Update the opencontainers/selinux which includes a mitigation for [CVE-2019-16884](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884).
* Update Golang runtime to 1.12.16, mitigating the [CVE-2020-0601](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601) certificate verification bypass on Windows, and [CVE-2020-7919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919), which only affects 32-bit architectures.
* Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the `net/http` package (Go 1.12.15)
* A fix to prevent `SIGSEGV` when starting containerd-shim [containerd#3960](containerd#3960)
* Fixes to `exec` [containerd#3755](containerd#3755)
  - Prevent `docker exec` hanging if an earlier `docker exec` left a zombie process
  - Prevent high system load/CPU utilization with liveness and readiness probes
  - Prevent Docker healthcheck causing high CPU utilization
* CRI fixes:
  - Update the `gopkg.in/yaml.v2` vendor to v2.2.8 with a mitigation for [CVE-2019-11253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11253)
* API
  - Fix API filters to properly handle and return parse errors [containerd#3950](containerd#3950)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: containerd/containerd@v1.2.11...v1.2.12
Welcome to the v1.2.12 release of containerd! The twelfth patch release for containerd 1.2 includes an updated runc with a fix for CVE-2019-19921, an updated version of the opencontainers/selinux dependency, which includes a fix for CVE-2019-16884, an updated version of the gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.
Notable Updates
- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
  - Prevent docker exec hanging if an earlier docker exec left a zombie process
  - Prevent high system load/CPU utilization with liveness and readiness probes
  - Prevent Docker healthcheck causing high CPU utilization
CRI fixes:
- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253
API
- Fix API filters to properly handle and return parse errors containerd/containerd#3950
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f8cfa7947cd0a2750bd0b4ebf616044a98a07a24
Component: engine
Backports of:
- #3711 Use cached state instead of `runc state`
First two cherry-picks were clean:
Last cherry-pick didn't apply cleanly:
This was because #3085 (Shim pluggable logging) and #3374 (Refactor runtime package for code usage) are not in the 1.2 branch, and respectively changed `runc.IO` -> `*processIO`, and `proc.Platform` -> `stdio.Platform`: