[release/1.2] Revert "bump libseccomp-golang v0.9.1"#3538
[release/1.2] Revert "bump libseccomp-golang v0.9.1"#3538dmcgowan merged 1 commit intocontainerd:release/1.2from
Conversation
This reverts commit d8f4da4. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
changed the title
|
ping @Random-Liu @justincormack PTAL |
Codecov Report
@@ Coverage Diff @@
## release/1.2 #3538 +/- ##
============================================
Coverage 43.66% 43.66%
============================================
Files 101 101
Lines 10816 10816
============================================
Hits 4723 4723
Misses 5357 5357
Partials 736 736
Continue to review full report at Codecov.
|
1 similar comment
Codecov Report
@@ Coverage Diff @@
## release/1.2 #3538 +/- ##
============================================
Coverage 43.66% 43.66%
============================================
Files 101 101
Lines 10816 10816
============================================
Hits 4723 4723
Misses 5357 5357
Partials 736 736
Continue to review full report at Codecov.
|
|
From the runc libseccomp bump; opencontainers/runc#2074 (comment)
The fix is in opencontainers/runc@03a5a74#diff-c1eca12d097b318b217f891966083c8e). The fix in libseccomp is in commit seccomp/libseccomp-golang@06e7a29 Full diff of libseccomp-golang changes in that runc PR: seccomp/libseccomp-golang@32f571b...84e90a9 |
|
@thaJeztah So runc would still need libseccomp 2.3.0+? That is fine for us, just make it clear, so that others may want to know about it. :) |
Current runc master yes, so it could be that at some point we have to raise the minimum requirement, but at least this should bring some time. I think we should have a look if that can be fixed; haven't looked into it in-depth, but if the offending commit is indeed seccomp/libseccomp-golang@9814e55, then (from the description), it looks like it's only an optimisation that causes the dependency on the newer version; perhaps someone is able to provide a fix upstream to make sure older versions still work? The code seems to suggest that the #if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
unsigned int get_major_version()
{
return seccomp_version()->major;
}
unsigned int get_minor_version()
{
return seccomp_version()->minor;
}
unsigned int get_micro_version()
{
return seccomp_version()->micro;
}
#else |
|
LGTM |
1 similar comment
|
LGTM |
|
@thaJeztah I guess that might be decided at compile time? So maybe we just need to make sure libseccomp version at built time matches runtime? It seems that in our CI environment, libseccomp2 was 2.3.1 at compile time, but was 2.2.x at runtime before updating the image kubernetes/test-infra#13639 |
🤦♂ yes, of course, I wasn't thinking; that makes sense |
6 participants
This reverts commit d8f4da4 (#3376), which was a backport of #3371
Per the discussion on #3371 (comment), this bump caused the minimum supported seccomp version to be changed from 2.3.0, which caused older distros to no longer be supported.
Note that the fix for CVE-2017-18367 was already in the version we vendored before the bump (and the actual issue is in RunC; RunC 1.0.0-rc8 has the fix in place already.