thaJeztah
Member

backport of #3081


This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.

changes included:

- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
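The commit message above says the runc bump carries an improved fix for CVE-2019-5736 that reduces memory consumption and widens kernel compatibility, and one of the listed changes is "nsenter: cloned_binary: memfd cleanups". The fix defends against a container process overwriting the host's runtime binary through /proc/self/exe by having runc copy itself into an anonymous, sealed memfd and re-execute that copy instead of the on-disk file. The block below is an added C example of that sealing technique, written for this page and not taken from runc's cloned_binary.c: memfd_create(2) with MFD_ALLOW_SEALING, a copy loop, F_ADD_SEALS with the write/shrink/grow/seal seals, and a probe that confirms writes are then refused. The function names clone_binary_sealed, fd_write_rejected, fd_size and run_demo are this example's own. Because the copy is backed by kernel memory charged to the cgroup of the process making it, every invocation costs roughly the size of the binary, which is the increased memory consumption the commit message refers to. A fallback for kernels without memfd_create (the compatibility point the commit message mentions) is not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for toolchains whose headers predate memfd sealing; the kernel
 * ABI values themselves are stable. */
#ifndef SYS_memfd_create
#  if defined(__x86_64__)
#    define SYS_memfd_create 319
#  elif defined(__aarch64__)
#    define SYS_memfd_create 279
#  else
#    error "SYS_memfd_create not known for this architecture"
#  endif
#endif
#ifndef MFD_CLOEXEC
#  define MFD_CLOEXEC 0x0001U
#endif
#ifndef MFD_ALLOW_SEALING
#  define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#  define F_ADD_SEALS 1033
#  define F_GET_SEALS 1034
#  define F_SEAL_SEAL   0x0001
#  define F_SEAL_SHRINK 0x0002
#  define F_SEAL_GROW   0x0004
#  define F_SEAL_WRITE  0x0008
#endif

/* No shrinking, growing or writing, and no removing the seals themselves. */
#define CLONE_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy everything readable from src_fd into a new anonymous memfd and seal
 * it. Returns the sealed descriptor, or -1 with errno set. The memfd's pages
 * are charged to the calling process's cgroup (example code, not runc's). */
int clone_binary_sealed(int src_fd)
{
    int fd = syscall(SYS_memfd_create, "cloned_binary_example",
                     MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    char buf[1 << 16];
    for (;;) {
        ssize_t n = read(src_fd, buf, sizeof buf);
        if (n == 0)
            break;
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                goto fail;
            }
            off += w;
        }
    }

    /* From here on write(2) and writable shared mappings fail with EPERM for
     * every holder of this inode, however they obtained a descriptor to it. */
    if (fcntl(fd, F_ADD_SEALS, CLONE_SEALS) < 0)
        goto fail;
    return fd;

fail:
    {
        int saved = errno;
        close(fd);
        errno = saved;
    }
    return -1;
}

/* 1 if a write to fd is refused with EPERM (sealed), 0 if it succeeded
 * (not sealed), -1 on any other error. */
int fd_write_rejected(int fd)
{
    if (pwrite(fd, "X", 1, 0) == 1)
        return 0;
    return errno == EPERM ? 1 : -1;
}

/* Size of the file behind fd, or -1. */
off_t fd_size(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? st.st_size : -1;
}

/* End-to-end check on our own executable, as a runtime would do with
 * /proc/self/exe before entering a container. 0 on success, else the
 * number of the step that failed. */
int run_demo(void)
{
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return 1;
    int clone = clone_binary_sealed(src);
    if (clone < 0) { close(src); return 2; }

    int rc = 0;
    if (fd_size(clone) <= 0 || fd_size(clone) != fd_size(src))
        rc = 3;                                      /* copy incomplete */
    else if (fd_write_rejected(clone) != 1)
        rc = 4;                                      /* seal not in effect */
    else if ((fcntl(clone, F_GET_SEALS) & CLONE_SEALS) != CLONE_SEALS)
        rc = 5;                                      /* a seal is missing */

    close(clone);
    close(src);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("sealed self-copy: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Build with `cc -std=c11 -Wall` on Linux 3.17 or later and run it; the program copies its own executable into a sealed memfd and exits 0 when the copy matches the original in size and refuses writes. F_ADD_SEALS with F_SEAL_WRITE fails with EBUSY if a writable shared mapping of the memfd still exists, so seal before handing the descriptor to anything else.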
# than a commit ID so it's much more obvious what version of the spec we are
# using.
github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
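Review bot: the comment that survives above these two lines ("# than a commit ID so it's much more obvious what version of the spec we are / # using.") justifies the pin by saying it is not a bare commit ID, yet both the previous runtime-spec pin 5684b8af48c1ac3b1451fa499724e30e3c20a294 and the new one 29686dbc5559d93fb1ef402eeda3e35c38d75af4 are bare commit hashes. Either pin a tagged runtime-spec release or extend the comment with the spec version the new commit corresponds to, so that the comment and the pin agree.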
@thaJeztah
Member Author

do we want the vendored version to match this one?

@codecov-io

Codecov Report

Merging #3082 into release/1.2 will increase coverage by 0.61%.
The diff coverage is n/a.


@@               Coverage Diff               @@
##           release/1.2    #3082      +/-   ##
===============================================
+ Coverage        43.66%   44.27%   +0.61%     
===============================================
  Files              101      101              
  Lines            10754    10809      +55     
===============================================
+ Hits              4696     4786      +90     
+ Misses            5329     5286      -43     
- Partials           729      737       +8
Flag        Coverage   Δ
#linux      47.38%     <ø> (+0.03%) ⬆️
#windows    40.75%     <ø> (ø) ⬆️

Impacted Files    Coverage   Δ
metadata/gc.go    74.76%     <0%> (+13.24%) ⬆️

Continue to review full report at Codecov.

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f3ab47d...b7e7f11.

@cyphar
Contributor

cyphar commented Mar 8, 2019

You probably don't want to backport this yet -- I just realised the bind-mount approach isn't fool-proof. I'm working on a follow-up patch that should be ready soon.

@thaJeztah thaJeztah changed the title [release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 [WIP][release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 Mar 8, 2019
@Random-Liu
Member

So based on #3082 (comment), I guess this won't be part of 1.2.5?

@cyphar
Contributor

cyphar commented Mar 10, 2019

You can drop the WIP -- I've closed opencontainers/runc#2006 after deciding that running CAP_SYS_ADMIN (in a non-userns container with AppArmor disabled) was always unsafe and it makes no sense to block a working fix based on that.

@fuweid fuweid mentioned this pull request Mar 11, 2019
@crosbymichael
Member

LGTM

@estesp estesp changed the title [WIP][release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 [release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 Mar 11, 2019
@estesp
Member

estesp commented Mar 11, 2019

Based on @cyphar's comment, I'm removing the [WIP] from the title as it sounds like there will be no further changes, and we can include the updated runc in our 1.2.5 release // cc: @Random-Liu

@estesp estesp left a comment

LGTM

@estesp estesp merged commit 96a0d28 into containerd:release/1.2 Mar 11, 2019
@thaJeztah thaJeztah deleted the 1.2_backport_bump_runc branch March 11, 2019 16:46
6 participants