[release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 #3082
Conversation
This includes an improved fix for CVE-2019-5736 to reduce the increased memory-consumption introduced by the original patch, RHEL 7.6 getting into a loop due to a kernel bug in those kernels, and improve compatibility with older kernels.

changes included:

- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
# than a commit ID so it's much more obvious what version of the spec we are | ||
# using. | ||
github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294 | ||
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 |
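Review bot: the comment context directly above this line says the intent is to pin something more obvious than a bare commit ID, yet the replacement line still pins the raw hash 29686dbc5559d93fb1ef402eeda3e35c38d75af4; either pin a tagged runtime-spec release here or adjust the comment so it no longer contradicts the line beneath it. The hash itself is consistent with the "Vendor opencontainers/runtime-spec 29686dbc" entry (runc#1973) in the PR description, so the question raised below about whether the vendored copy matches is worth a one-line answer in the description.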
do we want the vendored version to match this one?
Codecov Report

@@            Coverage Diff             @@
##           release/1.2    #3082      +/-   ##
===============================================
+ Coverage       43.66%   44.27%   +0.61%
===============================================
  Files             101      101
  Lines           10754    10809      +55
===============================================
+ Hits             4696     4786      +90
+ Misses           5329     5286      -43
- Partials          729      737       +8
You probably don't want to backport this yet -- I just realised the bind-mount approach isn't fool-proof. I'm working on a follow-up patch that should be ready soon.

So based on #3082 (comment), I guess this won't be part of 1.2.5?

You can drop the WIP -- I've closed opencontainers/runc#2006 after deciding that running CAP_SYS_ADMIN (in a non-userns container with AppArmor disabled) was always unsafe and it makes no sense to block a working fix based on that.

LGTM

Based on @cyphar's comment, I'm removing the
LGTM
backport of #3081