update runc binary to v1.2.4 #11230
This is the fourth patch release of the 1.2.z release branch of runc. It includes a fix for a regression introduced in 1.2.0 related to the default device list.

- Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers. At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration.

diff: opencontainers/runc@v1.2.3...v1.2.4

Signed-off-by: Akhil Mohan <[email protected]>
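The description above recommends deny rules for users who do not need tun/tap. The following is an added example, not code from runc or containerd: it checks the `linux.resources.devices` list of an OCI `config.json` for an explicit deny of `/dev/net/tun` (character device 10:200) and appends one if it is missing. The function names are hypothetical and the sample list is constructed; only the config's own list is evaluated, not the runtime's built-in defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Rule is one linux.resources.devices entry; omitted type/major/minor are wildcards.
type Rule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type,omitempty"`
	Major  *int64 `json:"major,omitempty"`
	Minor  *int64 `json:"minor,omitempty"`
	Access string `json:"access,omitempty"`
}

// coversTun reports whether a rule applies to /dev/net/tun (char device 10:200).
func coversTun(r Rule) bool {
	wild := func(n *int64, want int64) bool { return n == nil || *n == -1 || *n == want }
	return (r.Type == "" || r.Type == "a" || r.Type == "c") && wild(r.Major, 10) && wild(r.Minor, 200)
}

// ExplicitlyDenied is true when the list, applied in order, ends with r, w and m all denied.
func ExplicitlyDenied(rules []Rule) bool {
	denied := map[rune]bool{}
	for _, r := range rules {
		if coversTun(r) {
			for _, p := range r.Access {
				denied[p] = !r.Allow // a later matching rule overrides an earlier one
			}
		}
	}
	return denied['r'] && denied['w'] && denied['m']
}

// EnsureTunDenied appends a deny rule for 10:200 unless one is already in effect.
func EnsureTunDenied(rules []Rule) []Rule {
	if ExplicitlyDenied(rules) {
		return rules
	}
	maj, mn := int64(10), int64(200)
	return append(rules, Rule{Allow: false, Type: "c", Major: &maj, Minor: &mn, Access: "rwm"})
}

func main() {
	var rules []Rule // constructed sample: deny-all, then an explicit tun allow
	json.Unmarshal([]byte(`[{"allow":false,"access":"rwm"},{"allow":true,"type":"c","major":10,"minor":200,"access":"rwm"}]`), &rules)
	out, _ := json.Marshal(EnsureTunDenied(rules))
	fmt.Println(string(out))
}
```

Because the runtime's built-in list is not modelled here, confirm on a running container that `/dev/net/tun` is actually unavailable after changing the configuration.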
3a1b16e to 54ed595
LGTM
/cherry-pick release/2.0
@akhilerm: new pull request created: #11237 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@akhilerm: new pull request created: #11238 In response to this:
@akhilerm: new pull request created: #11239 In response to this: