
docker: default to hyper-v isolation on Windows #23452

Merged (8 commits), Jul 1, 2024

Conversation

@pkazmierczak (Contributor)

We should default to hyper-v isolation mode on Windows, as suggested in discussions between @tgross and @angrycub.

@pkazmierczak pkazmierczak added backport/ent/1.7.x+ent Changes are backported to 1.7.x+ent backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/1.8.x backport to 1.8.x release line labels Jun 27, 2024
@pkazmierczak pkazmierczak added this to the 1.8.2 milestone Jun 27, 2024
@tgross (Member) left a review comment

LGTM!

@josegonzalez (Contributor)

Was the breaking change necessary for a security reason? It seems weird to have otherwise ported a breaking change across several releases.

@pkazmierczak (Contributor, Author)

Hey @josegonzalez, this change is part of a larger effort to mitigate GHSA-c866-8gpw-p3mv. Our initial solution caused some problems for Windows users that ran containers using process isolation. We have now provided a solution for process isolation containers, but decided to default to hyper-v since it's not vulnerable to CVE-2024-1329 in the first place and provides a more secure, better default.

@tgross (Member) commented Jul 19, 2024

To add to that, we can assure you that making a breaking change here was not considered lightly. We had no way of fixing the initial solution we had and even our partners at Microsoft were unable to help. So this change was the only way to get template rendering for Windows users into an unbroken state without reintroducing CVE-2024-1329 (which is a critical pwn-the-whole-host vulnerability).
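A check a practitioner would want after reading the two comments above, as an added example that is not part of this PR or of Nomad itself: a PowerShell script that audits which containers on a Windows Docker host are actually running under process isolation, the mode the thread identifies as exposed to CVE-2024-1329. Containers that leave `HostConfig.Isolation` empty or set to `default` inherit the daemon's default, so the script resolves that against the `Isolation` field of `docker info` rather than treating an unset field as safe. The `com.hashicorp.nomad.alloc_id` label used to select Nomad-managed containers and the `-All` switch are assumptions of this example; `docker info --format '{{.Isolation}}'` and `docker inspect`'s `HostConfig.Isolation` are standard Docker fields.

```powershell
# Added example, not code from the PR or from the Nomad project.
# Audits running Windows containers for their isolation mode and flags any
# running under process isolation. An empty or "default" HostConfig.Isolation
# means "inherit the daemon default", which `docker info` exposes as Isolation,
# so that value is resolved here instead of being reported as-is.
# Assumption: Nomad-managed containers carry the label
# com.hashicorp.nomad.alloc_id; pass -All to audit every container instead.
param([switch]$All)

$daemonDefault = (docker info --format '{{.Isolation}}').Trim()
if ([string]::IsNullOrEmpty($daemonDefault)) { $daemonDefault = 'unknown' }

$filter = if ($All) { @() } else { @('--filter', 'label=com.hashicorp.nomad.alloc_id') }
$ids = @(docker ps -q @filter)

$findings = foreach ($id in $ids) {
    # One inspect call per container; "|" is safe as a separator because
    # neither container names nor isolation modes contain it.
    $raw = docker inspect --format '{{.Name}}|{{.HostConfig.Isolation}}|{{index .Config.Labels "com.hashicorp.nomad.alloc_id"}}' $id
    $name, $iso, $alloc = $raw.Split('|')

    $resolved = $iso
    if ([string]::IsNullOrEmpty($iso) -or $iso -eq 'default') {
        $resolved = "$daemonDefault (daemon default)"
    }

    [pscustomobject]@{
        Container = $name.TrimStart('/')
        AllocID   = $alloc
        Isolation = $resolved
        AtRisk    = $resolved -like 'process*'
    }
}

$findings | Format-Table -AutoSize

$atRisk = @($findings | Where-Object AtRisk)
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) container(s) running under process isolation on this host."
    exit 1
}
```

Run it on each Windows Nomad client; a non-zero exit means at least one container would still be in the process-isolation configuration the thread describes as vulnerable, either because the client predates this change or because a task pins `isolation = "process"` in its docker driver config, which remains a valid per-task override after the default flips to hyper-v.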

@josegonzalez (Contributor)

Should that have been called out as a breaking security-related change then? ATM without extra context, it just looks like y'all broke BC for no apparent reason (the reasoning is ~fine I suppose).

@tgross (Member) commented Jul 25, 2024

Fair enough, done. You'll also be interested to see the new page we just published with upcoming deprecations/compatibility items: https://developer.hashicorp.com/nomad/docs/release-notes/nomad/upcoming

Labels: backport/ent/1.6.x+ent, backport/ent/1.7.x+ent, backport/ent/1.8.x+ent, backport/1.8.x