[19.03] update containerd 1.12.12, runc v1.0.0-rc10 #40453
@tonistiigi @tiborvass @AkihiroSuda @cpuguy83 @arkodg PTAL please double-check the updated vendoring of runc and selinux

rebased
full diff: containerd/containerd@v1.2.11...v1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with a fix for CVE-2019-19921, an updated version of the opencontainers/selinux dependency, which includes a fix for CVE-2019-16884, an updated version of the gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
  - Prevent docker exec hanging if an earlier docker exec left a zombie process
  - Prevent High system load/CPU utilization with liveness and readiness probes
  - Prevent Docker healthcheck causing high CPU utilization

CRI fixes:

- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

- Fix API filters to properly handle and return parse errors containerd/containerd#3950

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Notable changes:

* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cd43c1d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Notable changes:

* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6d68080)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@@ -161,6 +161,6 @@ github.com/morikuni/aec 39771216ff4c63d11f5e604076f9 | |||
# metrics | |||
github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18 | |||
|
|||
github.com/opencontainers/selinux 3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2 | |||
github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf |
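Review bot: the replacement line for github.com/opencontainers/selinux drops the `# v1.2.2` tag annotation that the removed line carried; add the corresponding tag comment for 5215b1806f52b1fcc2070a8826c542c9d33cd3cf (or a note that it is an untagged commit) so a reader of vendor.conf can tell which selinux release is pinned without resolving the hash.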
@thaJeztah where does this change come from?
This comes from #40404
Ok, so it's more like when we vendored runc v1.0.0-rc9 we forgot to bump selinux, because there is no difference between v1.0.0-rc9 and v1.0.0-rc10 wrt selinux.
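The drift described in the comment above (a direct dependency bumped while a transitive pin it carries is left behind) is easy to catch mechanically. The following is an added example, not code from this PR or from the moby, containerd or runc projects: it parses two vendor.conf bodies in the `<import path> <commit-or-tag> [# comment]` form visible in the hunk, reports shared dependencies pinned to different refs, and lists bare commit-hash pins that lack a version comment. Both file bodies are constructed samples (the second stands in for runc's own vendor.conf and is an assumption, not its real contents).

```python
import re

# Added example; not code from the moby/docker PR or from containerd/runc.
# It checks that a project's vendor.conf pins the same commit for a
# transitive dependency (opencontainers/selinux) as the vendored runc's
# own vendor.conf does, which is the kind of drift the thread describes.
# vendor.conf lines have the form "<import path> <commit-or-tag> [# comment]".
# Both file bodies below are constructed samples, not real file contents.

PROJECT_VENDOR_CONF = """\
# metrics
github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18

github.com/opencontainers/runc v1.0.0-rc10
github.com/opencontainers/selinux 3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2
"""

# Constructed stand-in for the vendor.conf shipped inside the vendored runc.
RUNC_VENDOR_CONF = """\
github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf
github.com/sirupsen/logrus v1.4.2
"""

COMMIT_HASH = re.compile(r"^[0-9a-f]{40}$")


def parse_vendor_conf(text):
    """Map import path -> (ref, trailing comment), skipping blanks and comments."""
    pins = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if not fields:
            continue  # blank line, or a line that is only a comment
        if len(fields) < 2:
            raise ValueError(f"malformed vendor.conf line: {raw!r}")
        pins[fields[0]] = (fields[1], comment.strip())
    return pins


def find_mismatches(project_conf, dep_conf):
    """Shared import paths pinned to different refs: {path: (project_ref, dep_ref)}."""
    project = parse_vendor_conf(project_conf)
    dep = parse_vendor_conf(dep_conf)
    return {
        path: (project[path][0], dep[path][0])
        for path in sorted(set(project) & set(dep))
        if project[path][0] != dep[path][0]
    }


def find_unannotated_hashes(conf):
    """Import paths pinned to a bare 40-hex commit hash with no trailing comment."""
    return [
        path
        for path, (ref, comment) in parse_vendor_conf(conf).items()
        if COMMIT_HASH.match(ref) and not comment
    ]


if __name__ == "__main__":
    drift = find_mismatches(PROJECT_VENDOR_CONF, RUNC_VENDOR_CONF)
    for path, (ours, theirs) in drift.items():
        print(f"DRIFT {path}: project pins {ours[:7]}, runc pins {theirs[:7]}")
    for path in find_unannotated_hashes(PROJECT_VENDOR_CONF):
        print(f"NOTE  {path}: commit-hash pin without a version comment")
```

Run against the samples it flags the selinux pin as drifting between the two files and the go-metrics pin as a hash without a version annotation; in a real tree the second body would be read from the vendored dependency's own vendor.conf after each bump.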
LGTM
Flaky test; kicked CI again.
Includes back ports of:

[19.03] Update containerd binary to v1.2.12

full diff: containerd/containerd@v1.2.11...v1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with a fix for CVE-2019-19921, an updated version of the opencontainers/selinux dependency, which includes a fix for CVE-2019-16884, an updated version of the gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
  - Prevent docker exec hanging if an earlier docker exec left a zombie process
  - Prevent High system load/CPU utilization with liveness and readiness probes
  - Prevent Docker healthcheck causing high CPU utilization

CRI fixes:

- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

- Fix API filters to properly handle and return parse errors containerd/containerd#3950

update runc binary to v1.0.0-rc10 (CVE-2019-19921)

Notable changes:

* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also cgroup2: TODO list opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

update runc library to v1.0.0-rc10 (CVE-2019-19921)

Notable changes:

* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also cgroup2: TODO list opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@84373aa...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))