Skip to content
This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

[18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884) #386

Conversation

thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Sep 27, 2019

backports of:

closes #283 [18.09 backport] Update containerd to v1.2.8
closes #367 [18.09 backport] Update containerd to v1.2.9

part of ENGCORE-1064
fixes ENGCORE-1066

Update containerd to v1.2.10

The tenth patch release for containerd 1.2 includes only one main bug fix in the
CRI plugin, but includes updated vendors/build runtimes that fix 2 reported CVEs in
runc and the Golang 1.12 runtime respectively.

Notable Updates

Update runc to v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)

full diff: opencontainers/runc@v1.0.0-rc8...3e425f8

thaJeztah and others added 5 commits September 27, 2019 16:31
From the release notes: https://github.com/containerd/containerd/releases/tag/v1.2.7

> Welcome to the v1.2.7 release of containerd!
>
> The seventh patch release for containerd 1.2 introduces OCI image
> descriptor annotation support and contains fixes for containerd shim logs,
> container stop/deletion, cri plugin and selinux.
>
> It also contains several important bug fixes for goroutine and file
> descriptor leakage in containerd and containerd shims.
>
> Notable Updates
>
> - Support annotations in the OCI image descriptor, and filtering image by annotations. containerd/containerd#3254
> - Support context timeout in ttrpc which can help avoid containerd hangs when a shim is unresponsive. containerd/ttrpc#31
> - Fix a bug that containerd shim leaks goroutine and file descriptor after containerd restarts. containerd/ttrpc#37
> - Fix a bug that a container can't be deleted if first deletion attempt is canceled or timeout. containerd/containerd#3264
> - Fix a bug that containerd leaks file descriptor when using v2 containerd shims, e.g. containerd-shim-runc-v1. containerd/containerd#3273
> - Fix a bug that a container with lingering processes can't terminate when it shares pid namespace with another container. moby#38978
> - Fix a bug that containerd can't read shim logs after restart. containerd/containerd#3282
> - Fix a bug that shim_debug option is not honored for existing containerd shims after containerd restarts. containerd/containerd#3283
> - cri: Fix a bug that a container can't be stopped when the exit event is not successfully published by the containerd shim. containerd/containerd#3125, containerd/containerd#3177
> - cri: Fix a bug that exec process is not cleaned up if grpc context is canceled or timeout. contaienrd/cri#1159
> - Fix a selinux keyring labeling issue by updating runc to v1.0.0-rc.8 and selinux library to v1.2.2. opencontainers/selinux#50
> - Update ttrpc to f82148331ad2181edea8f3f649a1f7add6c3f9c2. containerd/containerd#3316
> - Update cri to 49ca74043390bc2eeea7a45a46005fbec58a3f88. containerd/containerd#3330

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d5669ec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 1264a85)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 9ef9a33)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit c4ec02b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8

  - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container
  - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions
  - opencontainers/runc#2029 Update dependencies
  - opencontainers/runc#2034 Support for logging from children processes
  - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND
  - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method
  - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone
  - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func
  - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module
  - opencontainers/runc#2057 main: not reopen /dev/stderr
      - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr
      - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver)
      - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address"
  - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP
  - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB
  - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall
  - opencontainers/runc#2074 Update dependency libseccomp-golang
  - opencontainers/runc#2081 Bump CRIU to 3.12
  - opencontainers/runc#2089 doc: First process in container needs `Init: true`
  - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes
      - closes opencontainers/runc#2093 HostDevices() race with older udevd versions
  - opencontainers/runc#2098 man: fix man-pages
  - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager
  - opencontainers/runc#2107 Make get devices function public
  - opencontainers/runc#2113 libcontainer: initial support for cgroups v2
  - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package
      - removes github.com/coreos/pkg as dependency
  - opencontainers/runc#2117 Remove libcontainer detection for systemd features
      - fixes opencontainers/runc#2117 Cache the systemd detection results
  - opencontainers/runc#2119 libcontainer: update masked paths of /proc
      - relates to moby#36368 Add /proc/keys to masked paths
      - relates to moby#38299 Masked /proc/asound
      - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892)
  - opencontainers/runc#2122 nsenter: minor fixes
  - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support
  - opencontainers/runc#2125 cgroup: support mount of cgroup2
  - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file
  - opencontainers/runc#2129 Only allow proc mount if it is procfs
      - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bc9a7ec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 18.09.10 milestone Sep 27, 2019
@thaJeztah
Copy link
Member Author

note that this one only updates the containerd and runc binaries the go vendoring is not updated (we can do so in a follow up if desired)

@thaJeztah thaJeztah changed the title [WIP][18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884) [18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884) Sep 27, 2019
Copy link

@andrewhsu andrewhsu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Looks like only failure DockerSuite.TestAPIImagesSaveAndLoad is known: moby#39909

@andrewhsu andrewhsu merged commit 0585b88 into docker-archive:18.09 Sep 27, 2019
@thaJeztah thaJeztah deleted the 18.09_backport_bump_containerd_v1.2.10 branch September 27, 2019 23:18
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
3 participants