Version bump of runc on stable branch


Ron Gutierrez

May 20, 2019, 2:13:55 PM
to CoreOS Dev
Hi, 

We need to run an upgraded version of runc to pick up a bug fix related to a race condition that occurs under heavy load. This bug fix was included in the runc 1.0-rc7 release. This release also contained the runc vulnerability patch (CVE-2019-5736). We were hoping that by upgrading to the latest stable we would receive a runc bump along with the Docker version bump to 18.06.3, but it doesn't look like that is the case. It looks like the runc used by CoreOS is a self-packaged version and you applied the CVE patch without also doing a version bump.

Are there any short term plans to bump the runc version to >= 1.0-rc7?

Is there a way for us to easily override the runc package on our CoreOS builds? If so, would this be relatively safe or are there known issues with that version of runc and that is why a version bump wasn't done for the CVE-2019-5736 patch?

David Michael

May 20, 2019, 2:27:43 PM
to coreo...@googlegroups.com
On Mon, May 20, 2019 at 2:14 PM Ron Gutierrez <rgut...@gmail.com> wrote:
> Hi,
>
> We need to run an upgraded version of runc to pick up a bug fix related to a race condition that occurs under heavy load. This bug fix was included in the runc 1.0-rc7 release. This release also contained the runc vulnerability patch (CVE-2019-5736). We were hoping that by upgrading to the latest stable we would receive a runc bump along with the Docker version bump to 18.06.3, but it doesn't look like that is the case. It looks like the runc used by CoreOS is a self-packaged version and you applied the CVE patch without also doing a version bump.
>
> Are there any short term plans to bump the runc version to >= 1.0-rc7?

No, see https://github.com/coreos/coreos-overlay/pull/3477 .

> Is there a way for us to easily override the runc package on our CoreOS builds?

You can create your own Docker torcx image based on that PR and use
the versions you want. I don't know of issues with runc
specifically, but updating in general beyond 18.06 causes random
segfaults (mostly with resource limiting flags).

> If so, would this be relatively safe or are there known issues with that version of runc and that is why a version bump wasn't done for the CVE-2019-5736 patch?

There was a version bump to 18.06.3 for the CVE. The Container Linux
runc version always matches the one shipped with the Docker version.

Thanks.

David

Ron Gutierrez

May 20, 2019, 3:11:29 PM
to coreo...@googlegroups.com
Thanks for the response!

Yea, you are right about the runc and docker versions. I made a mistake in the way I interpreted this PR to docker (https://github.com/docker/engine/commit/cbe11bdc6da871bdce0993fddb4ff8a29c476a63) and was just looking at the commit date and assumed the version bump.

Looking at the reference git SHA that we bumped to, it appears that it wasn't a runc version bump; it just applied some patches.

Since moving to docker 18.09 appears to be off limits, is it possible to only override the runc version without also upgrading docker?



--
Ron Gutierrez

David Michael

May 20, 2019, 4:25:22 PM
to coreo...@googlegroups.com
On Mon, May 20, 2019 at 3:11 PM Ron Gutierrez <rgut...@gmail.com> wrote:
> Thanks for the response!
>
> Yea, you are right about the runc and docker versions. I made a mistake in the way I interpreted this PR to docker (https://github.com/docker/engine/commit/cbe11bdc6da871bdce0993fddb4ff8a29c476a63) and was just looking at the commit date and assumed the version bump.
>
> Looking at the reference git SHA that we bumped to, it appears that it wasn't a runc version bump; it just applied some patches.
>
> Since moving to docker 18.09 appears to be off limits, is it possible to only override the runc version without also upgrading docker?

There is no technical limitation that pins the runc version, so you
can set it to whatever you want. Follow the usual SDK steps at
https://coreos.com/os/docs/latest/sdk-modifying-coreos.html except the
torcx images are created by build_packages under src/build, so you
don't have to continue to build the OS image. The torcx image can
then be copied into place at /var/lib/torcx/store on your systems.

Thanks.

David
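The thread's practical lesson is that a runc version string alone does not tell you whether the CVE-2019-5736 fix is present, because Container Linux backported the patch without bumping the version. The script below is an added example, not code from the thread or from CoreOS: it classifies captured `runc --version` output against the 1.0-rc7 threshold and surfaces the commit id for cross-checking. It assumes the upstream output shape `runc version 1.0.0-rcN[+dev]` followed by a `commit:` line; the sample outputs and their commit ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify `runc --version` output
# against the 1.0.0-rc7 threshold. Assumes the upstream output shape
# "runc version 1.0.0-rcN[+dev]" plus a "commit: <id>" line; anything
# else is reported as unknown rather than treated as safe.

# Print the rc number from the first "runc version" line, or nothing.
runc_rc_number() {
    printf '%s\n' "$1" |
        sed -n 's/^runc version 1\.0\.0-rc\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print the commit id runc was built from (empty if the line is absent).
runc_commit() {
    printf '%s\n' "$1" | sed -n 's/^commit: *//p' | head -n 1
}

# 0 if the reported rc is >= the requested one, 1 if older, 2 if unparseable.
runc_at_least_rc() {
    _rc=$(runc_rc_number "$1")
    [ -n "$_rc" ] || return 2
    [ "$_rc" -ge "$2" ]
}

# One-line verdict. A pre-rc7 version is not proof that the CVE-2019-5736
# fix is missing: Container Linux backported it without a version bump, so
# the commit id has to be checked against the distro's changelog first.
runc_report() {
    _commit=$(runc_commit "$1")
    _status=0
    runc_at_least_rc "$1" 7 || _status=$?
    case $_status in
        0) printf 'upstream rc>=7, fix included (commit %s)\n' "${_commit:-unknown}" ;;
        1) printf 'pre-rc7 version, verify backport via commit %s\n' "${_commit:-unknown}" ;;
        *) printf 'unrecognised version output, treat as unknown\n' ;;
    esac
    return $_status
}

# Constructed sample outputs; the commit ids are placeholders, not real.
SAMPLE_PATCHED_RC6='runc version 1.0.0-rc6+dev
commit: placeholder-commit-id-rc6
spec: 1.0.1-dev'
SAMPLE_RC7='runc version 1.0.0-rc7
commit: placeholder-commit-id-rc7
spec: 1.0.1-dev'

runc_report "$SAMPLE_PATCHED_RC6"
runc_report "$SAMPLE_RC7"
```

On a live host, feed it `runc_report "$(runc --version)"` and compare the printed commit id with the one named in the distro's runc package or torcx image changelog.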