This repository has been archived by the owner on Oct 13, 2023. It is now read-only.
[18.09 backport] update containerd 1.2.10, runc v1.0.0-rc8-92-g84373aaa (CVE-2019-16884) #386
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From the release notes: https://github.com/containerd/containerd/releases/tag/v1.2.7 > Welcome to the v1.2.7 release of containerd! > > The seventh patch release for containerd 1.2 introduces OCI image > descriptor annotation support and contains fixes for containerd shim logs, > container stop/deletion, cri plugin and selinux. > > It also contains several important bug fixes for goroutine and file > descriptor leakage in containerd and containerd shims. > > Notable Updates > > - Support annotations in the OCI image descriptor, and filtering image by annotations. containerd/containerd#3254 > - Support context timeout in ttrpc which can help avoid containerd hangs when a shim is unresponsive. containerd/ttrpc#31 > - Fix a bug that containerd shim leaks goroutine and file descriptor after containerd restarts. containerd/ttrpc#37 > - Fix a bug that a container can't be deleted if first deletion attempt is canceled or timeout. containerd/containerd#3264 > - Fix a bug that containerd leaks file descriptor when using v2 containerd shims, e.g. containerd-shim-runc-v1. containerd/containerd#3273 > - Fix a bug that a container with lingering processes can't terminate when it shares pid namespace with another container. moby#38978 > - Fix a bug that containerd can't read shim logs after restart. containerd/containerd#3282 > - Fix a bug that shim_debug option is not honored for existing containerd shims after containerd restarts. containerd/containerd#3283 > - cri: Fix a bug that a container can't be stopped when the exit event is not successfully published by the containerd shim. containerd/containerd#3125, containerd/containerd#3177 > - cri: Fix a bug that exec process is not cleaned up if grpc context is canceled or timeout. contaienrd/cri#1159 > - Fix a selinux keyring labeling issue by updating runc to v1.0.0-rc.8 and selinux library to v1.2.2. opencontainers/selinux#50 > - Update ttrpc to f82148331ad2181edea8f3f649a1f7add6c3f9c2. containerd/containerd#3316 > - Update cri to 49ca74043390bc2eeea7a45a46005fbec58a3f88. containerd/containerd#3330 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d5669ec) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> (cherry picked from commit 1264a85) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> (cherry picked from commit 9ef9a33) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> (cherry picked from commit c4ec02b) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit bc9a7ec) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
|
note that this one only updates the containerd and runc binaries the go vendoring is not updated (we can do so in a follow up if desired) |
thaJeztah
changed the title
andrewhsu
approved these changes
Sep 27, 2019
There was a problem hiding this comment.
LGTM
Looks like only failure DockerSuite.TestAPIImagesSaveAndLoad is known: moby#39909
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
backports of:
closes #283 [18.09 backport] Update containerd to v1.2.8
closes #367 [18.09 backport] Update containerd to v1.2.9
part of ENGCORE-1064
fixes ENGCORE-1066
Update containerd to v1.2.10
Update runc to v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8
r.destroycan defer exec inrunner.runmethod. opencontainers/runc#2038r.destroycan defer exec inrunner.runmethodInit: trueopencontainers/runc#2089 doc: First process in container needsInit: true