[release/1.2 backport] Pin to libseccomp 2.3.3 #4015
LGTM
@crosbymichael @thaJeztah seems that something is missing though:
I'm at a loss for why there are CRI test failures based on this PR. I don't see that the same things happened in master when libseccomp was pinned. Any ideas @Random-Liu?
Looks like it's not a flake. It consistently fails on:
script/setup/install-seccomp
Outdated
|
||
# | ||
# Builds and installs runc to /usr/local/go/bin based off | ||
# the commit defined in vendor.conf |
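Review bot: the header comment in script/setup/install-seccomp says it builds and installs runc to /usr/local/go/bin from the commit defined in vendor.conf, which does not match a script named for installing seccomp in a PR that pins libseccomp 2.3.3. Reword the header to say what this script builds and which version it pins, so anyone auditing the build can see where the libseccomp version is fixed.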
This doesn't seem like the right comment.
That's a mistake in master from the original commit. I just opened a PR to fix.
Ah on my phone didn't notice this was a backport.
Fixed the comment also. Thanks :)
lib seccomp 2.4 has huge performance regressions. This change pins to 2.3.3 where that is not an issue

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit b5f03ea)
Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
(cherry picked from commit 75d0c5f)
Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>
f7c1cbc to a7c9b76
Just to confirm; this holds back the version of libseccomp at compile time, so that the binary produced doesn't use the new
@thaJeztah that is correct.
LGTM
thanks; I know there's been some confusion about this in the past 😅
No problem. Thanks for looking into it. Any thoughts on when a new release could be expected?
No idea yet, but likely soon, to address #4023
Sounds good. Looking forward to seeing these issues fixed.
Codecov Report
@@ Coverage Diff @@
## release/1.2 #4015 +/- ##
===============================================
+ Coverage 41% 44.19% +3.18%
===============================================
Files 70 100 +30
Lines 9537 10847 +1310
===============================================
+ Hits 3911 4794 +883
- Misses 5061 5313 +252
- Partials 565 740 +175
All tests are passing now, after kubernetes-sigs/cri-tools#574 was merged.
LGTM
The thirteenth patch release for `containerd` 1.2 fixes a regression introduced in v1.2.12 that caused container/shim to hang on single core machines, fixes an issue with blkio, and updates the Golang runtime to 1.12.17.

Notable Updates
----------------------------------

* Fix container pid race condition [containerd#4025](containerd#4025)
* Update containerd/cgroups dependency to address blkio issue [containerd#4001](containerd#4001)
* Set octet-stream content-type on PUT request [containerd#4028](containerd#4028)
* Pin to libseccomp 2.3.3 to preserve compatibility with hosts that do not have libseccomp 2.4 or higher installed [containerd#4015](containerd#4015)
* Update Golang runtime to 1.12.17, which includes a fix to the runtime [containerd#4031](containerd#4031)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Besides the fact that lib seccomp 2.4 has huge performance regressions, it also breaks support for older distros like Debian 9 and RHEL/CentOS 7, as discussed in #4008.
This change pins to 2.3.3 where that is not an issue.
Fixes #4008.
(cherry picked from commits b5f03ea and 75d0c5f)
Signed-off-by: Ciprian Hacman <ciprian.hacman@sematext.com>