On Mon, May 20, 2019 at 2:14 PM Ron Gutierrez <
rgut...@gmail.com> wrote:
> Hi,
>
> We need to run an upgraded version of runc to pick up a bug fix related to a race condition that occurs under heavy load. This bug fix was included in the runc 1.0-rc7 release. This release also contained the runc vulnerability patch (CVE-2019-5736). We were hoping that by upgrading to the latest stable we would receive a runc bump along with the Docker version bump to 18.06.3, but it doesn't look like that is the case. It looks like the runc used by CoreOS is a self-packaged version and you applied the CVE patch without also doing a version bump.
>
> Are there any short term plans to bump the runc version to >= 1.0-rc7?
No, see
https://github.com/coreos/coreos-overlay/pull/3477 .
> Is there a way for us to easily override the runc package on our CoreOS builds?
You can create your own Docker torcx image based on that PR and use
the versions you want. I don't know of issues with runc
specifically, but updating in general beyond 18.06 causes random
segfaults (mostly with resource limiting flags).
> If so, would this be relatively safe or are there known issues with that version of runc and that is why a version bump wasn't done for the CVE-2019-5736 patch?
There was a version bump to 18.06.3 for the CVE. The Container Linux
runc version always matches the one shipped with the Docker version.
Thanks.
David
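The thread turns on which upstream runc release a host actually carries, and on the fact that a distro-backported patch does not change that release string. The following shell helper is an added example, not code from the thread, from CoreOS, or from the runc project. It assumes only that the first line of `runc --version` has the form `runc version <version>` (for example `runc version 1.0.0-rc7`); the sample outputs embedded in it are constructed for illustration. It answers the poster's question ("is this runc >= 1.0-rc7?") from that line, and nothing more: as David notes, the Container Linux CVE-2019-5736 fix was applied without a bump, so a version string below rc7 does not by itself mean the CVE patch is absent.

```shell
#!/bin/sh
# Added example: decide from `runc --version` output whether the installed
# runc reports an upstream release at or after 1.0-rc7. Assumption: the
# first line of that output is "runc version <version>". The patch level
# of a distro-backported fix (as in Container Linux) is not visible here.

# Print the "runc version ..." line from a multi-line `runc --version` output.
runc_version_line() {
    printf '%s\n' "$1" | grep '^runc version ' | head -n 1
}

# Print the release-candidate number from a version line, or nothing
# if the line is not an rc release (e.g. "runc version 1.1.4").
runc_rc_number() {
    printf '%s\n' "$1" | sed -n 's/^runc version [0-9][0-9.]*-rc\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the version line is 1.x-rcN with N >= 7, or a final 1.x release;
# return 1 for older rcs, 0.x releases, or unparseable input.
runc_at_least_rc7() {
    line="$1"
    case "$line" in
        "runc version 1."*-rc*)
            rc=$(runc_rc_number "$line")
            if [ -n "$rc" ] && [ "$rc" -ge 7 ]; then
                return 0
            fi
            return 1
            ;;
        "runc version 1."*)
            return 0   # a final 1.x release is newer than any 1.0 rc
            ;;
        *)
            return 1
            ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='runc version 1.0.0-rc6+dev
spec: 1.0.1-dev'
SAMPLE_NEW='runc version 1.0.0-rc7
spec: 1.0.1-dev'

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    line=$(runc_version_line "$sample")
    if runc_at_least_rc7 "$line"; then
        echo "$line: at or after 1.0-rc7"
    else
        echo "$line: before 1.0-rc7 (a backported CVE fix would not show here)"
    fi
done
```

On a real host, replace the constructed samples with `runc_version_line "$(runc --version)"`. Because the check is purely string-based, treat a "before rc7" result as "needs a closer look at the distro's patch list", not as proof the CVE-2019-5736 fix is missing.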