release: Compile runc w/ older libseccomp #6447
cpuguy83 wants to merge 1 commit into containerd:main from
Conversation
This makes our compiled version of runc work on rhel7 and other releases with older versions of libseccomp.
Signed-off-by: Brian Goff <[email protected]>
AkihiroSuda left a comment
Can we just statically compile runc with the latest libseccomp?
mikebrow left a comment
I get that this is in a container, just pointing out that downgrading seccomp will break systemd in ubuntu 20.
FYI: for local development only running make install-deps builds/installs:
https://github.com/containerd/containerd/blob/main/script/setup/install-seccomp#L25
Noting at least one reason runc moved up:
opencontainers/runc#2682
If we are going to continue distributing runc then we may have to consider building versions for specific distros, or at least document which ones this runc is for.
I would say I am ultimately not a fan of statically compiling runc due to libseccomp being a fairly important and potential security risk and we never update our release tarballs.

I will say, this change unbreaks the current builds and should likely be backported and we can decide to target libseccomp 2.5 for >= 1.6
What do we use this runc for? We don't distribute it as part of our release.
It's in the cri bundles.
I'd still prefer to use the latest libseccomp so that we can have the latest syscall table, which is hardcoded in libseccomp
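A quick check for the concern raised above, added here as an example and not taken from the thread or the containerd project: it parses the "libseccomp:" line that `runc --version` prints and compares it against a minimum version. The 2.5.0 threshold (the target mentioned earlier in the thread) and the sample version outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report whether a runc binary was built against a libseccomp
# at or above a minimum version. `runc --version` prints a "libseccomp: X.Y.Z"
# line when runc was built with seccomp support; the samples below are
# constructed in that shape, not real captured output.

# Minimum libseccomp discussed in the thread as a target (assumption: 2.5.0).
MIN_LIBSECCOMP="2.5.0"

# Print the libseccomp version found in `runc --version` output read on stdin.
libseccomp_version() {
    sed -n 's/^libseccomp:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise (compares up to 3 fields).
version_ge() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i"); pa=${pa:-0}
        pb=$(printf '%s' "$b" | cut -d. -f"$i"); pb=${pb:-0}
        [ "$pa" -gt "$pb" ] && return 0
        [ "$pa" -lt "$pb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Classify `runc --version` output passed as $1: "ok", "old", or "unknown"
# (no libseccomp line, e.g. runc built without the seccomp build tag).
check_runc_libseccomp() {
    v=$(printf '%s\n' "$1" | libseccomp_version)
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if version_ge "$v" "$MIN_LIBSECCOMP"; then echo ok; else echo old; fi
}

# Constructed samples in the shape `runc --version` prints.
SAMPLE_OLD='runc version 1.0.3
commit: <commit-id>
spec: 1.0.2-dev
go: go1.17.3
libseccomp: 2.3.3'
SAMPLE_NEW='runc version 1.1.0
commit: <commit-id>
spec: 1.0.2-dev
go: go1.17.6
libseccomp: 2.5.3'

# Usage on a real binary: check_runc_libseccomp "$(runc --version)"
```

Pair the result with `file "$(command -v runc)"` to confirm whether the binary is statically linked, since a static build carries the libseccomp syscall table it was compiled with rather than the host's.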
Yes, we should stay with the latest seccomp like @AkihiroSuda said and the real fix is that we don't publish runc, it shouldn't be our responsibility to do this or it is something we want to maintain as a project.
Consensus seems to be we would prefer to use the latest seccomp, and also that it's best that people use distro builds to begin with.
It still isn't clear to me what is the path forward here: Right now the instructions in containerd for installing are wrong then:
No, at least until vNextNext (v1.7? v2.0?).
Yes. We will have to update the docs.
Let's continue discussion about this in: |
This makes our compiled version of runc work on rhel7 and other releases
with older versions of libseccomp.
Fixes #6209 #6091