Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v0.11 backport] Dockerfile: RUNC_VERSION=v1.1.5 #3763

Merged
merged 1 commit into from
Apr 18, 2023
Merged

[v0.11 backport] Dockerfile: RUNC_VERSION=v1.1.5 #3763

merged 1 commit into from
Apr 18, 2023

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Mar 30, 2023
edited
Loading

thaJeztah
thaJeztah approved these changes Mar 30, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM do we want this in the 0.10 branch as well, or not worth the effort?

thaJeztah
thaJeztah reviewed Apr 1, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@tonistiigi
Copy link
Member

tonistiigi commented Apr 7, 2023
edited
Loading

@thaJeztah Did you find out more about the error with container not starting in new runc because of mount validation(and possible fd switch)? Is this safe to pick?

@thaJeztah
Copy link
Member

@tonistiigi you mean the rootless errors on the other PR? No.

Must admit that I didn't dig into it, and was slightly hoping it would ring a bell for @AkihiroSuda

@tonistiigi
Copy link
Member

@thaJeztah This one(copy from your message):

runc run failed: unable to start container process: error during container init: error mounting "/var/lib/docker/buildkit/executor/resolv.conf" to rootfs at "/etc/resolv.conf": possibly malicious path detected -- refusing to operate on /var/lib/docker/buildkit/executor/0lohmsr4ts1xojesl2zn2lboj/rootfs/etc/resolv.conf (deleted)

That's an error from runc; https://github.com/opencontainers/runc/blame/1b4cf1d2aeb425d20e1de48af8e8a916ca4185e4/libcontainer/utils/utils.go#L128

And could be if there's some weird mounts / symlinks involved; https://github.com/opencontainers/runc/blame/1b4cf1d2aeb425d20e1de48af8e8a916ca4185e4/libcontainer/utils/utils.go#L123-L129

// Double-check the path is the one we expected.
procfd := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
if realpath, err := os.Readlink(procfd); err != nil {
	return fmt.Errorf("procfd verification failed: %w", err)
} else if realpath != path {
	return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
}

Which was opencontainers/runc@0ca91f4, and a mitigation for CVE-2021-30465

@thaJeztah
Copy link
Member

Oh! Nope, didn't find yet; but a colleague mentioned that they encountered that error occasionally in CI on that repo (we should probably look if we can track those failures as well)

@jedevc jedevc mentioned this pull request Apr 10, 2023
Closed
@AkihiroSuda
Dockerfile: RUNC_VERSION=v1.1.5
ae5a76a 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 03b48a0)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Copy link
Member Author

Rebased

thaJeztah
thaJeztah approved these changes Apr 14, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile-upstream:master

ARG RUNC_VERSION=v1.1.4
ARG RUNC_VERSION=v1.1.5
ARG CONTAINERD_VERSION=v1.6.18
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per the other thread; do we need containerd v1.6.20 as well, or best to do separately? (maybe separately is okay to not mix backports)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be done separately

@tonistiigi tonistiigi merged commit 11a0070 into moby:v0.11 Apr 18, 2023
@thaJeztah thaJeztah mentioned this pull request May 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@crazy-max crazy-max crazy-max approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@AkihiroSuda @tonistiigi @thaJeztah @crazy-max