[release/1.1 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30#3083
This includes an improved fix for CVE-2019-5736 to reduce the increased memory consumption introduced by the original patch, RHEL 7.6 getting into a loop due to a kernel bug in those kernels, and improve compatibility with older kernels.

Changes included:

- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
| # than a commit ID so it's much more obvious what version of the spec we are | ||
| # using. | ||
| github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294 | ||
| github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 |
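Review bot: the comment lines retained in this hunk say the spec should be referenced by something more obvious than a commit ID, yet the replacement line still pins a bare hash (29686dbc5559d93fb1ef402eeda3e35c38d75af4) with no tag or version named. Consider adding the corresponding runtime-spec release tag to the comment, or pinning the tag if one exists, and recording which runc commit this vendored revision is meant to match, so the pairing raised in the thread ("do we want the vendored version to match this one?") can be verified from the file itself.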
do we want the vendored version to match this one?
I think it makes sense to use the runtime-spec that matches runc; IMO
ok, I'll update this PR, and update that as well, thanks!
how tightly coupled other dependencies are to the version of runc; going through history when the runtime-spec was updated (to double-check if local changes are needed for specific bumps), I arrived at #2500 as the first bump since the 1.1 release; that one also updates
Codecov Report
@@ Coverage Diff @@
## release/1.1 #3083 +/- ##
============================================
Coverage 49.07% 49.07%
============================================
Files 85 85
Lines 7598 7598
============================================
Hits 3729 3729
Misses 3194 3194
Partials 675 675
@crosbymichael could you help with this? I was discussing with @estesp but we both weren't sure if those should be updated here as well
match them
You probably don't want to backport this yet -- I just realised the bind-mount approach isn't fool-proof. I'm working on a follow-up patch that should be ready soon.
Thanks, I just saw your comment; let me mark this one WIP
You can drop the WIP -- I've closed opencontainers/runc#2006 after deciding that running CAP_SYS_ADMIN (in a non-userns container with AppArmor disabled) was always unsafe and it makes no sense to block a working fix based on that.
Hey @thaJeztah; sounds like we can go ahead with this, but I guess at this point you should do the vendor update per @crosbymichael's comment about keeping them in sync. Thanks!
Ahm yes, didn't finish that yet; let me make some time to finish the vendoring 🤗
Signed-off-by: Michael Crosby <[email protected]> (cherry picked from commit 5a0b040) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Madhan Raj Mookkandy <[email protected]> (cherry picked from commit 744d93e) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: John Howard <[email protected]> (cherry picked from commit 98766e8) Signed-off-by: Sebastiaan van Stijn <[email protected]>
LGTM
backport of #3081