This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

[18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884) #386
@thaJeztah thaJeztah commented Sep 27, 2019

backports of:

closes #283 [18.09 backport] Update containerd to v1.2.8
closes #367 [18.09 backport] Update containerd to v1.2.9

part of ENGCORE-1064
fixes ENGCORE-1066

Update containerd to v1.2.10

The tenth patch release for containerd 1.2 includes only one main bug fix in the
CRI plugin, but includes updated vendors/build runtimes that fix 2 reported CVEs in
runc and the Golang 1.12 runtime respectively.

Notable Updates

Update runc to v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)

full diff: opencontainers/runc@v1.0.0-rc8...3e425f8

thaJeztah and others added 5 commits September 27, 2019 16:31
From the release notes:

> Welcome to the v1.2.7 release of containerd!
> The seventh patch release for containerd 1.2 introduces OCI image
> descriptor annotation support and contains fixes for containerd shim logs,
> container stop/deletion, cri plugin and selinux.
> It also contains several important bug fixes for goroutine and file
> descriptor leakage in containerd and containerd shims.
> Notable Updates
> - Support annotations in the OCI image descriptor, and filtering image by annotations. containerd/containerd#3254
> - Support context timeout in ttrpc which can help avoid containerd hangs when a shim is unresponsive. containerd/ttrpc#31
> - Fix a bug that containerd shim leaks goroutine and file descriptor after containerd restarts. containerd/ttrpc#37
> - Fix a bug that a container can't be deleted if first deletion attempt is canceled or timeout. containerd/containerd#3264
> - Fix a bug that containerd leaks file descriptor when using v2 containerd shims, e.g. containerd-shim-runc-v1. containerd/containerd#3273
> - Fix a bug that a container with lingering processes can't terminate when it shares pid namespace with another container. moby#38978
> - Fix a bug that containerd can't read shim logs after restart. containerd/containerd#3282
> - Fix a bug that shim_debug option is not honored for existing containerd shims after containerd restarts. containerd/containerd#3283
> - cri: Fix a bug that a container can't be stopped when the exit event is not successfully published by the containerd shim. containerd/containerd#3125, containerd/containerd#3177
> - cri: Fix a bug that exec process is not cleaned up if grpc context is canceled or timeout. containerd/cri#1159
> - Fix a selinux keyring labeling issue by updating runc to v1.0.0-rc.8 and selinux library to v1.2.2. opencontainers/selinux#50
> - Update ttrpc to f82148331ad2181edea8f3f649a1f7add6c3f9c2. containerd/containerd#3316
> - Update cri to 49ca74043390bc2eeea7a45a46005fbec58a3f88. containerd/containerd#3330

Signed-off-by: Sebastiaan van Stijn <>
(cherry picked from commit d5669ec)
Signed-off-by: Sebastiaan van Stijn <>
Signed-off-by: Jintao Zhang <>
(cherry picked from commit 1264a85)
Signed-off-by: Sebastiaan van Stijn <>
Signed-off-by: Jintao Zhang <>
(cherry picked from commit 9ef9a33)
Signed-off-by: Sebastiaan van Stijn <>
Signed-off-by: Jintao Zhang <>
(cherry picked from commit c4ec02b)
Signed-off-by: Sebastiaan van Stijn <>
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8

  - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container
  - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions
  - opencontainers/runc#2029 Update dependencies
  - opencontainers/runc#2034 Support for logging from children processes
  - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND
  - opencontainers/runc#2038 `r.destroy` can defer exec in `` method
  - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone
  - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func
  - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module
  - opencontainers/runc#2057 main: not reopen /dev/stderr
      - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr
      - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver)
      - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address"
  - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP
  - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB
  - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall
  - opencontainers/runc#2074 Update dependency libseccomp-golang
  - opencontainers/runc#2081 Bump CRIU to 3.12
  - opencontainers/runc#2089 doc: First process in container needs `Init: true`
  - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes
      - closes opencontainers/runc#2093 HostDevices() race with older udevd versions
  - opencontainers/runc#2098 man: fix man-pages
  - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager
  - opencontainers/runc#2107 Make get devices function public
  - opencontainers/runc#2113 libcontainer: initial support for cgroups v2
  - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package
      - removes as dependency
  - opencontainers/runc#2117 Remove libcontainer detection for systemd features
      - fixes opencontainers/runc#2117 Cache the systemd detection results
  - opencontainers/runc#2119 libcontainer: update masked paths of /proc
      - relates to moby#36368 Add /proc/keys to masked paths
      - relates to moby#38299 Masked /proc/asound
      - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892)
  - opencontainers/runc#2122 nsenter: minor fixes
  - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support
  - opencontainers/runc#2125 cgroup: support mount of cgroup2
  - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file
  - opencontainers/runc#2129 Only allow proc mount if it is procfs
      - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884)

Signed-off-by: Sebastiaan van Stijn <>
(cherry picked from commit bc9a7ec)
Signed-off-by: Sebastiaan van Stijn <>
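The runc change listed in the commit message above (opencontainers/runc#2129, "Only allow proc mount if it is procfs", addressing CVE-2019-16884) is described in a single line. The following Go program is an added example and is not runc's code nor part of this PR; it shows the shape of such a check run over an OCI-style mount list before any mount is performed. The `Mount` type, the `allowedProcSubmounts` list and the injected `ProcFSProbe` are assumptions made for this example; `StatfsProcProbe` relies on statfs(2) and the Linux `PROC_SUPER_MAGIC` value, so it is only meaningful on Linux. Destinations are assumed to be already cleaned and symlink-resolved relative to the rootfs.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
	"syscall"
)

// Mount carries the fields of an OCI runtime-spec mount entry that matter
// for this check (a type constructed for the example, not runc's own).
type Mount struct {
	Destination string // path inside the container rootfs, e.g. "/proc"
	Type        string // "proc", "bind", "tmpfs", ...
	Source      string // host path for bind mounts, or a pseudo-device name
}

// procSuperMagic is the f_type value Linux reports for procfs (PROC_SUPER_MAGIC).
const procSuperMagic = 0x9fa0

// ProcFSProbe reports whether the filesystem backing a host path is procfs.
// It is injected so the policy can be exercised without touching the host.
type ProcFSProbe func(hostPath string) (bool, error)

// StatfsProcProbe is a real probe built on statfs(2); only meaningful on Linux.
func StatfsProcProbe(hostPath string) (bool, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(hostPath, &st); err != nil {
		return false, err
	}
	return st.Type == procSuperMagic, nil
}

// allowedProcSubmounts lists paths under /proc that tooling legitimately
// masks or overrides (an assumed allowlist for the example).
var allowedProcSubmounts = []string{
	"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
	"/proc/fs", "/proc/kcore", "/proc/keys", "/proc/timer_list",
}

// CheckProcMount enforces the policy the fix describes: nothing may be
// mounted on /proc itself unless it is procfs, and mounts below /proc are
// limited to the allowlist above. Anything outside /proc is not its concern.
func CheckProcMount(m Mount, probe ProcFSProbe) error {
	dest := filepath.Clean(m.Destination)
	if dest != "/proc" && !strings.HasPrefix(dest, "/proc/") {
		return nil
	}
	if dest == "/proc" {
		// A plain procfs mount is the expected case.
		if m.Type == "proc" {
			return nil
		}
		// A bind mount may still be acceptable if its source is procfs.
		if m.Source != "" {
			isProc, err := probe(m.Source)
			if err != nil {
				return fmt.Errorf("%q: cannot inspect source %q: %w", dest, m.Source, err)
			}
			if isProc {
				return nil
			}
		}
		return fmt.Errorf("%q: only procfs may be mounted on /proc", dest)
	}
	for _, ok := range allowedProcSubmounts {
		if dest == ok || strings.HasPrefix(dest, ok+"/") {
			return nil
		}
	}
	return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
}

// ValidateMounts returns the first policy violation found in a mount list.
func ValidateMounts(mounts []Mount, probe ProcFSProbe) error {
	for _, m := range mounts {
		if err := CheckProcMount(m, probe); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample: a normal spec, then one that puts a volume on /proc.
	good := []Mount{
		{Destination: "/proc", Type: "proc", Source: "proc"},
		{Destination: "/proc/kcore", Type: "bind", Source: "/dev/null"},
		{Destination: "/etc/resolv.conf", Type: "bind", Source: "/var/lib/example/resolv.conf"},
	}
	bad := append(good, Mount{Destination: "/proc", Type: "bind", Source: "/var/lib/example/volume"})
	fmt.Println("good spec:", ValidateMounts(good, StatfsProcProbe))
	fmt.Println("bad spec: ", ValidateMounts(bad, StatfsProcProbe))
}
```

The probe is injected rather than called directly so the policy can be unit-tested with a fake that answers from a table; in a real runtime the statfs-based probe would be used, and the destination passed in would be the path after symlink resolution inside the rootfs, since a symlink at `/proc` is exactly what such a check must not be fooled by.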
@thaJeztah thaJeztah added this to the 18.09.10 milestone Sep 27, 2019
Member Author

Note that this one only updates the containerd and runc binaries; the Go vendoring is not updated (we can do so in a follow-up if desired).

@thaJeztah thaJeztah changed the title from "[WIP][18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)" to "[18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)" Sep 27, 2019

@andrewhsu andrewhsu left a comment

Looks like the only failure, DockerSuite.TestAPIImagesSaveAndLoad, is known: moby#39909

@andrewhsu andrewhsu merged commit 0585b88 into docker-archive:18.09 Sep 27, 2019
@thaJeztah thaJeztah deleted the 18.09_backport_bump_containerd_v1.2.10 branch September 27, 2019 23:18