[19.03] update containerd 1.12.12, runc v1.0.0-rc10 #40453
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@tonistiigi @tiborvass @AkihiroSuda @cpuguy83 @arkodg PTAL please double-check the updated vendoring of runc and selinux |
thaJeztah
force-pushed
the
19.03_bump_containerd
branch
from
231e969
to
81836fa
Compare
|
rebased |
full diff: containerd/containerd@v1.2.11...v1.2.12 Welcome to the v1.2.12 release of containerd! The twelfth patch release for containerd 1.2 includes an updated runc with a fix for CVE-2019-19921, an updated version of the opencontainers/selinux dependency, which includes a fix for CVE-2019-16884, an updated version of the gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update. Notable Updates - Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921. - Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884. - Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures. - Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and and the net/http package (Go 1.12.15) - A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960 - Fixes to exec containerd/containerd#3755 - Prevent docker exec hanging if an earlier docker exec left a zombie process - Prevent High system load/CPU utilization with liveness and readiness probes - Prevent Docker healthcheck causing high CPU utilization CRI fixes: - Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253 API - Fix API filters to properly handle and return parse errors containerd/containerd#3950 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Notable changes: * Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207 * Fix exec FIFO race: opencontainers/runc#2185 * Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues. Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit cd43c1d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Notable changes: * Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207 * Fix exec FIFO race: opencontainers/runc#2185 * Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues. Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10 Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18 (See containerd/cri#1383 (comment)) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit 6d68080) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
19.03_bump_containerd
branch
from
81836fa
to
d3dab1f
Compare
tiborvass
reviewed
Feb 4, 2020
| @@ -161,6 +161,6 @@ github.com/morikuni/aec 39771216ff4c63d11f5e604076f9 | |||
| # metrics | |||
| github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18 | |||
|
|
|||
| github.com/opencontainers/selinux 3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2 | |||
| github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf | |||
There was a problem hiding this comment.
@thaJeztah where does this change come from?
There was a problem hiding this comment.
Ok, so it's more like when we vendored runc v1.0.0-rc9 we forgot to bump selinux, because there is no difference between v1.0.0-rc9 and v1.0.0-rc10 wrt selinux.
tiborvass
approved these changes
Feb 4, 2020
|
Flaky test; kicked CI again; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Includes back ports of:
[19.03] Update containerd binary to v1.2.12
full diff: containerd/containerd@v1.2.11...v1.2.12
Welcome to the v1.2.12 release of containerd!
The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.
Notable Updates
bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
Go 1.12.15) and and the net/http package (Go 1.12.15)
CRI fixes:
API
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
Notable changes:
See also cgroup2: TODO list opencontainers/runc#2209 for the known issues.
Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10
update runc library to v1.0.0-rc10 (CVE-2019-19921)
Notable changes:
See also cgroup2: TODO list opencontainers/runc#2209 for the known issues.
Full changes: opencontainers/runc@84373aa...v1.0.0-rc10
Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))