This reverts commit f0f1bfca07.
runc 1.1.15 appears to have incresed chances for causing OOMs for
containers with small memory limits. Revert the change in containerd
to unblock CI while the upstream runc issue is resolved.
Dependency-issue: https://github.com/opencontainers/runc/issues/4427
Signed-off-by: Samuel Karp <samuelkarp@google.com>
diff: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
Release notes:
- The -ENOSYS seccomp stub is now always generated for the native
architecture that runc is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to null. This
ensures that we always generate at least one -ENOSYS stub for the native
architecture even with these weird configs. (#4391)
- On a system with older kernel, reading /proc/self/mountinfo may skip some
entries, as a consequence runc may not properly set mount propagation,
causing container mounts leak onto the host mount namespace. (#2404, #4425)
- In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736], the temporary ro bind-mount of /proc/self/exe
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
Signed-off-by: Samuel Karp <samuelkarp@google.com>
This PR adds the trap statement in the install runc script to clean
up the temporary files and ensure we are not leaving them.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.1+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.0...go1.23.1
These minor releases include 3 security fixes following the security policy:
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains
deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested
structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University for reporting
this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
- go/build/constraint: stack exhaustion in Parse
Calling Parse on a "// +build" build tag line with deeply nested
expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
Release Notes:
- Fix CVE-2024-45310, a low-severity attack that allowed
maliciously configured containers to create empty files and directories on
the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
The OpenSSF scorecard is complaining about these two dependencies being
installed without a patch version specified;
Warn: goCommand not pinned by hash: script/setup/install-dev-tools:27
Warn: goCommand not pinned by hash: script/setup/install-dev-tools:28
While the error indicates it expects a hash, it looks like it's fine
with other modules in the same file, the difference being that those
specify a full version, including path version, e.g.;
919beb1cf7/script/setup/install-dev-tools (L26)
This patch updates `protoc-gen-go` and `protoc-gen-go-grpc` to the latest
patch release for the specified versions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
runc v1.1.13 introduced an option to customize the version (as printed by the
`--version` flag) through a `VERSION` Make variable / environment variable
(see [1]).
This variable collided with the `VERSION` environment variable used by
containerd for the same purpose, which lead to `runc` binaries built
using the version of containerd;
runc --version
runc version 1.7.20
commit: v1.1.13-0-g58aa9203
...
This patch unsets the `VERSION` variable to bring prevent it from being
inherited and to bring back the previous behavior.
Before this patch:
docker build -t containerd-test -f contrib/Dockerfile.test .
docker run -it --rm --env VERSION=1.7.20 containerd-test sh -c 'script/setup/install-runc && /usr/local/sbin/runc --version'
# ....
HEAD is now at 58aa9203 VERSION: release 1.1.13
go build -trimpath "-buildmode=pie" -tags "seccomp" -ldflags "-X main.gitCommit=v1.1.13-0-g58aa9203 -X main.version=1.7.20 " -o runc .
install -D -m0755 runc /usr/local/sbin/runc
/go/src/github.com/containerd/containerd
runc version 1.7.20
commit: v1.1.13-0-g58aa9203
spec: 1.0.2-dev
go: go1.22.5
libseccomp: 2.5.4
With this patch:
docker build -t containerd-test -f contrib/Dockerfile.test .
docker run -it --rm --env VERSION=1.7.20 containerd-test sh -c 'script/setup/install-runc && /usr/local/sbin/runc --version'
# ....
HEAD is now at 58aa9203 VERSION: release 1.1.13
go build -trimpath "-buildmode=pie" -tags "seccomp" -ldflags "-X main.gitCommit=v1.1.13-0-g58aa9203 -X main.version=v1.1.13 " -o runc .
install -D -m0755 runc /usr/local/sbin/runc
/go/src/github.com/containerd/containerd
runc version v1.1.13
commit: v1.1.13-0-g58aa9203
spec: 1.0.2-dev
go: go1.22.5
libseccomp: 2.5.4
[1]: 6f4d975c40
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch release includes just a fix to skip userns tests on host that
don't support the feature. See:
https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.1
This is needed for CI to work fine when we update to runc 1.2 (not yet
released). It is also a blocker for the final runc release to make sure
it works in all known downstreams. This makes it work fine here :)
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
slow_chown is safe to add on all kernels, and when running in old
kernels (as some CI distros on purpose are), we want the expensive
fallback.
Vagrant setup and others use this script to config containerd. This
fixes userns tests with runc 1.2.0-rc.2 when running with old kernels.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
commit 149ca6880a updated the hcsshim
module to v0.12.4, but did not add a commit to also update the runhcs
binary version.
full diff: https://github.com/microsoft/hcsshim/compare/v0.12.3...v0.12.4
These versions are decoupled since 15b13fb3ea
to allow updating the binary version without updating the module, in cases
where the module doesn't require updates.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that we're on runc v1.1.13, we no longer need to pin the
go version fo runc to go1.21
This reverts commit fef78c1024.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
Release notes:
* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.
* Support go 1.22.4+.
* runc list: fix race with runc delete.
* Fix set nofile rlimit error.
* libct/cg/fs: fix setting rt_period vs rt_runtime.
* Fix a debug msg for user ns in nsexec.
* script/*: fix gpg usage wrt keyboxd.
* CI fixes and misc backports.
* Fix codespell warnings.
* Silence security false positives from golang/net.
* libcontainer: allow containers to make apps think fips is enabled/disabled for testing.
* allow overriding VERSION value in Makefile.
* Vagrantfile.fedora: bump Fedora to 39.
* ci/cirrus: rm centos stream 8.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes fix for a symlink race on remove.
Updates 1.21 to 1.21.11 for runc install which also includes the
symlink fix.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Go 1.22.3 release includes bug fixes for the core net/http package.
Full release notes: https://go.dev/doc/devel/release#go1.22.minor
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Pulls in kubernetes-sigs/cri-tools PR 1344 (`KEP-3857: Recursive Read-only (RRO) mounts`)
to test PR 9787
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone for more details;
https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
These minor releases include 1 security fixes following the security policy:
- http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.
Set a limit on the amount of excess header frames we will process before
closing a connection.
Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
