Update the default seccomp to block socket calls to AF_VSOCK #7510
Conversation
Hi @zhuchenwang. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Signed-off-by: Zhuchen Wang <[email protected]>
kzys left a comment
I'm fine blocking the socket call with AF_VSOCK. Most people wouldn't need that.
I'm not too sure about the value of backporting since this is technically a breaking change.
I'm hesitant about this too, especially with 1.6 moving to a long term stable status.

/ok-to-test
I think it's okay to not backport this change. The KubeVirt feature will be behind a feature gate. For vendors who want to use the feature, they can backport this change to their own containerd build.

Results of discussion in community meeting: this one is OK for 1.7 but too risky for 1.6. If needed for 1.6 it can be manually backported by users or we can add a hardcoded workaround for Kubevirt via runtime handlers.

I wish Docker had done the same; instead they backported this into a patch release, breaking customers' systems without notice. Even worse, the only way we found to enable these was to do an emergency deployment of a seccomp profile.
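The kind of rule this PR adds to the default profile, and the kind of override profile the Docker comment above refers to, as an added Python example that is not the PR's or containerd's code: a constructed OCI-format seccomp fragment in which socket() is allowed only for address families other than AF_VSOCK, a small evaluator for such argument-filtered rules, and an override that re-allows vsock for workloads that need it. AF_VSOCK = 40 and the errno numbers are Linux constants; the exact rule shape, the first-match simplification and the choice of EINVAL are assumptions, not taken from the patch.

```python
import copy

# Linux address-family numbers and errno values (assumed from linux/socket.h, errno.h).
AF_INET, AF_VSOCK = 2, 40
EPERM, EINVAL = 1, 22

# Constructed OCI seccomp profile fragment modelled on the change under review:
# socket() is allowed only when arg0 (the address family) is not AF_VSOCK;
# socket(AF_VSOCK, ...) hits an explicit SCMP_ACT_ERRNO rule and gets EINVAL back.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": EPERM,
    "syscalls": [
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": AF_VSOCK, "op": "SCMP_CMP_NE"}]},
        {"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": EINVAL,
         "args": [{"index": 0, "value": AF_VSOCK, "op": "SCMP_CMP_EQ"}]},
        {"names": ["bind", "connect"], "action": "SCMP_ACT_ALLOW"},
    ],
}

# OCI comparison operators; for SCMP_CMP_MASKED_EQ, "value" is the mask and
# "valueTwo" the expected masked result.
OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}

def evaluate(profile, syscall, args):
    """Return (action, errno) for syscall(*args) under profile.
    Simplification (assumed): first matching rule wins. The socket rules above are
    mutually exclusive, so their order does not change the result."""
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        if all(OPS[a["op"]](args[a["index"]], a["value"], a.get("valueTwo", 0))
               for a in rule.get("args", [])):
            return rule["action"], rule.get("errnoRet")
    return profile["defaultAction"], profile.get("defaultErrnoRet", EPERM)

def allow_vsock(profile):
    """Override profile for a vsock-dependent workload: replace every socket() rule
    with an unconditional allow, leaving the rest of the profile untouched."""
    out = copy.deepcopy(profile)
    out["syscalls"] = [r for r in out["syscalls"] if "socket" not in r["names"]]
    out["syscalls"].insert(0, {"names": ["socket"], "action": "SCMP_ACT_ALLOW"})
    return out
```

The override is what a per-workload seccomp profile (for example via a runtime handler) would carry, so only the workload that needs vsock loses the restriction.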
Signed-off-by: Zhuchen Wang <[email protected]>
Fix #7442