Update Moby to 20.10.17; containerd to 1.6.6; runc to 1.1.2 #310
Conversation
lmbarros
changed the title
lmbarros
force-pushed
the
20.10.17-balena
branch
3 times, most recently
from
258492b to
6a2fc55
Compare
|
@balena-ci retest |
lmbarros
force-pushed
the
20.10.17-balena
branch
3 times, most recently
from
4a3557f to
812f87f
Compare
lmbarros
force-pushed
the
20.10.17-balena
branch
5 times, most recently
from
54951df to
65384c6
Compare
|
@lmbarros the changes look good to me - I skipped the upstream and vendor refactoring, and scanned though your integration ones. The update is clean and well structured. |
|
Thanks @alexgg ! I have a branch on meta-balena that I created to leverage the OS tests. I think I never got all tests there to pass on a single run, but every time I checked it was caused by one of the few known cases of flaky OS tests. I'll do more extensive tests running on a device. (So far I have just tried very basic things, like starting a container.) |
Hi @tianyuanhao ! We are currently defaulting to the shim runtime v1, which supports only cgroups v1. A colleague has tried to use the shim runtime v2 but run into some issues, so I believe we have some more work to do before we can support cgroups v2. |
lmbarros
force-pushed
the
20.10.17-balena
branch
2 times, most recently
from
9a84ae1 to
c8e8ac3
Compare
lmbarros
force-pushed
the
20.10.17-balena
branch
from
c8e8ac3 to
3a9bd18
Compare
lmbarros
force-pushed
the
20.10.17-balena
branch
from
b052242 to
5dcf2ff
Compare
|
It's ongoing, @ab77 . This update has broken our aarch64 CI tests, apparently because of the AppArmor config on the kernel used for generic-aarch64. This specif point is being discussed here: https://balena.zulipchat.com/#narrow/stream/345889-loop.2Fbalena-os/topic/qemu-generic-aarch64.20and.20AppArmor |
|
What's wrong with the Engine on balena-builder now? |
Is there a quick way we can build the binaries for v19.03.16 manually (47b47a6) and publish a GitHub release? that would unblock the builder without having to roll back its Dockerfile and build the engine in there from source. |
Tried a quick local build of this release and it failed (didn't dig into why, apparently some dependencies weren't found). Why do you need this version specifically? It's almost 2 years old. Why did you asked about this specific PR? If this PR would work for you, a newer Engine version should work, too. |
|
@lmbarros this is the last builder commit known to work: https://github.com/balena-io/balena-builder/commit/d6af534f0cb9c5733b5a1a095bea70894a9c8aa2 It contains engine build from the commit I posted. |
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package, as well as bug fixes to the compiler, runtime, and the crypto/x509 and net/http/httptest packages. See the Go 1.17.10 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.10+label%3ACherryPickApproved Full diff: http://github.com/golang/go/compare/go1.17.9...go1.17.10 Includes fixes for: - CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526); (description at https://go.dev/issue/52313). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes fixes for: - CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526); (description at https://go.dev/issue/52313). full diff: golang/sys@63515b4...33da011 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The correct name for this property is, and always was "Reservations" Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
…< v1.42 These query-args were documented, but not actually supported until ea67601 (API v1.42). This removes them from the documentation, as these arguments were ignored (and defaulted to `true` (enabled)) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a5a7797) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
go1.17.11 (released 2022-06-01) includes security fixes to the crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the crypto/tls package. See the Go 1.17.11 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.17.11+label%3ACherryPickApproved Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These minor releases include 4 security fixes following the security policy: - crypto/rand: rand.Read hangs with extremely large buffers On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue. This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561. - crypto/tls: session tickets lack random ticket_age_add Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Thanks to GitHub user nervuri for reporting this. This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814. - `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput` are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed. Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting this. This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574. - `path/filepath`: Clean(`.\c:`) returns `c:` on Windows On Windows, the `filepath.Clean` function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. Thanks to Unrud for reporting this issue. This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476. [CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634 [CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629 [CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580 [CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Because FreeBSD uses 64-bit device nodes (see https://reviews.freebsd.org/rS318736), Linux implementation of `system.Mknod` & `system.Mkdev` is not sufficient. This change adds freebsd-specific implementations for `Mknod` and Mkdev`. Signed-off-by: Artem Khramov <akhramov@pm.me> (cherry picked from commit f3d3994) Signed-off-by: Doug Rabson <dfr@rabson.org>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 26dafe4) Signed-off-by: Doug Rabson <dfr@rabson.org>
This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities. This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769). - A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162. - runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit bc0fd3f) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.6.5 release of containerd! The fifth patch release for containerd 1.6 includes a few fixes and updated version of runc. Notable Updates - Fix for older CNI plugins not reporting version - Fix mount path handling for CRI plugin on Windows Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a747cd370234fb9c15353e62903fa91fad734682) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.6.6 release of containerd! The sixth patch release for containerd 1.6 includes a fix for [CVE-2022-31030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030). Notable Updates - Fix ExecSync handler to cap console output size ([GHSA-5ffw-gxpp-mxpf](GHSA-5ffw-gxpp-mxpf)) full diff: containerd/containerd@v1.6.5...v1.6.6 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a7e3182757ca20217032cdf5bc04e61e528c2dfa) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The versions of containerd and runc we are updating to depend upon new versions of several packages. This commit updates these packages. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
Re-vendor after updating several dependencies in the previous commit. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
Small changes to keep our code closer to Moby's.
Some of the updated dependencies introduced breaking changes. This commit deals with the compilation errors that thus arose in our code. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
This is just disabling integration tests that rely on features we do not support. We did this previously (see 088d3ee), here we just doing the same thing for test cases introduced since then. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
Many uses of `balena-engine update` were failing, including a bunch of integration tests. The reason is explained below. The new version of runc we are using changed the way it handles command-line arguments -- particularly, how one needs to pass `-` to mean "read the desired container configuration from the standard input". So, the Engine code was still invoking `runc` using the old syntax, which caused `runc` to fail. This commit just updates the `go-runc` dependency, which is the layer we use to invoke `runc` from Go. This new `go-runc` version contains an update to use the new syntax. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser is enabled, or if we are running docker-in-docker. While those checks are not relevant to runc (as it doesn't load the profile), these checks _are_ relevant to us (and containerd). So switching to use the containerd apparmor package, which does include the needed checks. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (Cherry-picked from 2834f84, to avoid problems with app armor in some environments -- including balenaOS' CI.)
Also, Go 1.17.x is what Yocto/OpenEmbedded kirkstone uses, so this shall make integration with meta-balena smoother. Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
lmbarros
force-pushed
the
20.10.17-balena
branch
from
5dcf2ff to
dbe291c
Compare
This is currently broken (apparently also upstream). Signed-off-by: Leandro Motta Barros <leandro@balena.io> Change-type: patch
lmbarros
force-pushed
the
20.10.17-balena
branch
from
dbe291c to
ae2500b
Compare
|
@lmbarros I've manually adjusted the pre-release and testing it: |
The main motivation for this PR is to update containerd to the 1.6 release (as the version currently bundled with balenaOS, 1.4, is EOL). The following components were updated:
The PR as a whole is huge, but most of its bulk comes wither from commits merged from upstream Moby or from the one commit re-vendoring the dependencies. All other commits created by me are comparatively simple. I suggest reviewing the commits individually.
Testing:
balena infoand start a hello-world container. No performance differences found compared to the current balenaEngine release.qemu-generic-aarch64tests which are currently unstable. (Anyway, I ran theos,e2e, andhupsuites locally forqemu-generic-aarch64and they passed)Resolves #300
Unblocks: