Fix race checking for process exit and waiting for exec fifo #2185
Signed-off-by: Jordan Liggitt <[email protected]>
cc @crosbymichael @mrunalp as approvers on the introducing PR (#1698)
I am away this week and have only phone access. This looks fine from a quick look but would let other maintainers review it deeper. Thanks!
Adding a check after detecting the process is gone sounds good.
Thank you all for the reviews. I'm working on getting this propagated into containerd/docker versions we use for CI in Kubernetes, since our test scenarios trigger this bug frequently. Is there an existing timeframe for the next tagged version of runc, or is that done on an as-needed basis?
It's mostly done on an as-needed basis, but right now we are all waiting (with bated breath) for opencontainers/runtime-spec#1008 to be merged so that runc can finally have a
That context is helpful, thanks. I don't have a good sense for how much work opencontainers/runtime-spec#1008 will require in this repo before a 1.0 tag could be cut, or from downstream consumers before that 1.0 tag could be consumed... if it's O(weeks), an earlier RC tag would be appreciated if possible.
It will definitely be O(weeks) -- especially given the time of year. In that case, I will first try to get a fix for CVE-2019-19921 merged first (probably closer to a week unless we have long arguments about the solution) and then do an
Thanks, much appreciated
Considering that it's taken 2 years to sort out the hooks (more or less), shouldn't there be an
Yeah, that's most likely what we'll end up doing.
😭 😭 😭 😭
@cyphar any estimate on getting this in a tagged release?
from #2185 (comment)
For anyone following along, it looks like that is being discussed/tracked in #2197 (comment)
We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185 The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10 Signed-off-by: Davanum Srinivas <[email protected]>
We have a new release of runc ( opencontainers/runc#2217 ). This release has a fix for a race condition we are struggling with in kubernetes (especially CI jobs) which was fixed in opencontainers/runc#2185 The v1.0.0-rc10 includes the fix for CVE-2019-19921 as well. The full diff upstream is here: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10 Signed-off-by: Davanum Srinivas <[email protected]> (cherry picked from commit 923c05b) Signed-off-by: Davanum Srinivas <[email protected]>
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues.
Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10
Signed-off-by: Akihiro Suda <[email protected]>
Upstream-commit: cd43c1d1ac81a37dc8f9aad16d33949df80ac5b9
Component: engine
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2. Almost feature-complete, but still missing support for systemd mode in rootless. See also opencontainers/runc#2209 for the known issues.
Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10
Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18 (See containerd/cri#1383 (comment))
Signed-off-by: Akihiro Suda <[email protected]>
Upstream-commit: 6d6808090736ac76e908e78aa6894f5586c7d243
Component: engine
return result.err | ||
} | ||
f := result.file | ||
defer f.Close() |
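Review bot: the deferred f.Close() here only runs after the os.Remove that the thread below mentions a few lines further down, so the fifo path is unlinked while the descriptor is still open; on Linux that is safe, since the open descriptor keeps the inode alive until close, and this file is Linux-only as noted in the replies, but a one-line comment stating that assumption next to the defer would pre-empt the same portability question from the next reviewer.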
I wonder if this deferred close would function correctly w.r.t. the os.Remove call a few lines down.
On windows, we cannot rename/delete/move a file with open file handles.
Should the code be refactored so that this works on all platforms?
Thanks
This is moving existing code that was previously on line 279. It is also explicitly in a file that it only runs on Linux.
Should have placed my previous comment on the original code.
2396: Bump github.com/containers/storage from 1.20.1 to 1.20.2 r=rhatdan a=dependabot-preview[bot]
Bumps github.com/containers/storage from 1.20.1 to 1.20.2.
Release notes (v1.20.2), sourced from github.com/containers/storage's releases:
* Add back skip_mount_home
* Update git validation EPOCH
* build(deps): bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90
* build(deps): bump github.com/klauspost/compress from 1.10.5 to 1.10.7
* build(deps): bump github.com/stretchr/testify from 1.5.1 to 1.6.0
* unbreak build on mipsen
Commits are viewable in the compare view: https://github.com/containers/storage/compare/v1.20.1...v1.20.2
2397: Bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90 r=rhatdan a=dependabot-preview[bot]
Bumps github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90.
Release notes, sourced from github.com/opencontainers/runc's releases:
runc 1.0-rc90 -- "We Have To Go Back!"
This release is identical to v1.0.0-rc10 (and thus the version string in the binary will be v1.0.0-rc10). The purpose of this release is to resolve an issue with our versioning scheme (in particular, the format we've used under SemVer means that the "-rcNN" string suffix is sorted lexicographically rather than in the classic `sort -V` order). Because we cannot do a post-1.0 release yet, this is a workaround to make sure that systems such as Go modules correctly update to the latest runc release. See opencontainers/runc#2399 for more details. The next release (which would've originally been called -rc11) will be 1.0.0-rc91. I'm sorry.
Signed-off-by: Aleksa Sarai <[email protected]>
runc 1.0-rc10 -- "Procfs Strikes Back"
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given that the relevant runtime-spec PR which was considered a blocker (opencontainers/runtime-spec#1008) has been merged, the next rc release of runc should be the last one before 1.0.0. Other notable changes include:
* Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).
* Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).
Thanks to the following people who made this release possible: Akihiro Suda, Aleksa Sarai, James Peach, Jordan Liggitt, Julia Nedialkova, Julio Montes, Kevin Kelani, Kurnia D Win, Manuel Rüger, Michael Crosby, Mrunal Patel, Qiang Huang, Radostin Stoyanov, Sascha Grunert, tianye15.
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai <[email protected]>
(truncated)
Commits, including a88592a "Merge pull request #2185 from liggitt/exec-race", are viewable in the compare view: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc90
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Fixes #2183, a race condition in checking for a dead process while waiting for the exec fifo to open:
To test this, I inserted a synthetic 150ms delay in the awaitFifoOpen path after opening the fifo (simulating a slow send on the fifoOpened channel losing the race to the 100ms dead process detection timeout), and the integration suite passed (this PR includes #2186 which fixes an existing race condition in one of the integration tests).
When I insert the same simulated race in master, 14 integration tests fail with "container is already dead" errors.
Still working out a way to unit/integration test this without modifying non-test code like that.
cc @Random-Liu
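The interleaving the description above refers to (the fifo-open notification losing to the dead-process poll) and the re-check the reviewers agreed on, as an added Go model that is not runc's code: awaitExecFifo, openResult and simulateExecRace are this example's own names, the poll interval is constructed, and the scenario is forced deterministically rather than with a real fifo and process.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// errAlreadyDead stands in for the "container is already dead" error the PR
// description reports; this file is a constructed model, not runc's code.
var errAlreadyDead = errors.New("container is already dead")

// openResult mirrors the shape of the fifo-open notification: either an error
// or a successful open (the real code also carries the opened file).
type openResult struct {
	err error
}

// awaitExecFifo models the wait loop discussed in the PR: block until the exec
// fifo is opened, but poll every pollEvery to notice if the container process
// died first. With recheckAfterDead=false it returns errAlreadyDead as soon as
// a poll sees the process gone (the racy pre-fix behaviour). With
// recheckAfterDead=true it makes one more non-blocking attempt to receive the
// fifo result before giving up, which is the "check after detecting the
// process is gone" agreed on in the review.
func awaitExecFifo(fifoOpened <-chan openResult, processGone func() bool,
	pollEvery time.Duration, recheckAfterDead bool) error {
	ticker := time.NewTicker(pollEvery)
	defer ticker.Stop()
	for {
		select {
		case result := <-fifoOpened:
			return result.err
		case <-ticker.C:
			if !processGone() {
				continue
			}
			if recheckAfterDead {
				// The process may have opened the fifo, run and exited between
				// two polls; its notification can already be queued by now.
				select {
				case result := <-fifoOpened:
					return result.err
				default:
				}
			}
			return errAlreadyDead
		}
	}
}

// simulateExecRace reproduces the losing interleaving deterministically: the
// fifo-open notification is queued at the very moment the liveness poll
// observes the process as gone (a short-lived exec that finished between two
// polls). It returns what awaitExecFifo reports in that situation.
func simulateExecRace(recheckAfterDead bool) error {
	fifoOpened := make(chan openResult, 1)
	processGone := func() bool {
		fifoOpened <- openResult{} // fifo was opened successfully ...
		return true                // ... and the process has since exited
	}
	return awaitExecFifo(fifoOpened, processGone, 5*time.Millisecond, recheckAfterDead)
}

func main() {
	fmt.Println("without re-check:", simulateExecRace(false)) // container is already dead
	fmt.Println("with re-check:   ", simulateExecRace(true))  // <nil>
}
```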