| tag | fe646b92536552229afc01b943a4fe2115009173 | |
|---|---|---|
| tagger | Aleksa Sarai <asarai@suse.de> | Thu Mar 28 15:14:39 2019 |
| object | 69ae5da6afdcaaf38285a10b36f362e41cb298d6 |
v1.0.0~rc7
Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0. #k
Security:
+ Mitigate CVE-2019-5736. This is an updated version of the patch series sent
out on openwall and we encourage users to update. #1982 #1984
NOTE: This mitigation *WILL NOT WORK* if you run untrusted containers with
host uid 0 and give them CAP_SYS_ADMIN (the protection operates
through a hidden read-only bind-mount which can be re-mounted by
CAP_SYS_ADMIN privileged users).
Put simply -- we consider granting CAP_SYS_ADMIN to untrusted
containers without user namespaces to be fundamentally insecure, as
such we do not consider this to be a security issue.
If you want an additional host-level mitigation, use `chattr +i` on
the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot
write to it -- even with CAP_SYS_ADMIN. But as above, if you give
CAP_LINUX_IMMUTABLE to a container you will have problems.
An alternative is to bind-mount a sealed memfd copy of the runc
binary over the binary (runc will detect this and will not attempt
further mitigation, because sealed memfds are fundamentally
unmodifiable) but this requires more in-depth work by administrators.
+ There appear to be production users of --no-pivot-root, which is something
that we absolutely recommend against and do not consider to be a secure
configuration -- since pivot_root(2) has many security properties that are
not possible to provide with just chroot(2).
However, a specific issue was discovered which we decided to mitigate in
order to avoid production users being exploited by it. This security issue
is *not* elligible for a CVE because it requires an insecure configuration
(--no-pivot-root). #1962
Features:
+ Add intelrdt support for MBA to runc (a new intelrdt feature available in
Linux 4.18+). #1919
+ Add support for specifying a CRIU configuration file for checkpoint/restore
(which makes use of a new org.criu.config annotation). #1933 #1964
+ Add support for "runc exec --preserve-fds". #1995
* Added support for SELinux labeling of keyrings. #2012
Fixes:
* Correct handling of "runc kill" when a container is stopped or paused.
#1934 #1943
* Error out if built with nokmem and kmemcg limits were requested. #1939
* Update check-config.sh to be in line with Docker's. #1942
* Improve handling of kmem and the systemd cgroup driver. #1960
* Improve resilience of adding setns tasks to cgroups. #1950
- Remove (broken) detection of .scope for systemd. #1978
* Fix console hanging with preserve-fds, where not enough fds have actually
been provided to runc (which is a very common mistake when using
--preserve-fds). #2000
* Create bind-mounts when restoring. #1968
* Fix regression of zombie "runc init" processes. #2023
Thanks to all of the contributors that made this release possible:
* Ace-Tang <aceapril@126.com>
* Adrian Reber <areber@redhat.com>
* Aleksa Sarai <asarai@suse.de>
* Alex Fang <littlelightlittlefire@gmail.com>
* Christian Brauner <christian.brauner@ubuntu.com>
* Daniel, Dao Quang Minh <dqminh89@gmail.com>
* Daniel J Walsh <dwalsh@redhat.com>
* Filipe Brandenburger <filbranden@google.com>
* Giuseppe Scrivano <gscrivan@redhat.com>
* JoeWrightss <zhoulin.xie@daocloud.io>
* John Howard <jhoward@microsoft.com>
* Justin Cormack <justin.cormack@docker.com>
* Kenta Tada <Kenta.Tada@sony.com>
* Lifubang <lifubang@acmcoder.com>
* Michael Crosby <crosbymichael@gmail.com>
* Mrunal Patel <mrunal@me.com>
* Tom Godkin <tgodkin@pivotal.io>
* Vincent Batts <vbatts@hashbangbash.com>
* Xiaochen Shen <xiaochen.shen@intel.com>
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai <asarai@suse.de>
| commit | 69ae5da6afdcaaf38285a10b36f362e41cb298d6 | [log] [tgz] |
|---|---|---|
| author | Aleksa Sarai <asarai@suse.de> | Thu Mar 28 11:45:53 2019 |
| committer | Aleksa Sarai <asarai@suse.de> | Thu Mar 28 11:45:53 2019 |
| tree | 2dd32ce064b7ba24f7a5cb7a32f46c3b906c732b | |
| parent | 11fc498ffa5c4561eef9242e7f7115d57e57055b [diff] |
VERSION: release v1.0.0-rc7 Signed-off-by: Aleksa Sarai <asarai@suse.de>
runc is a CLI tool for spawning and running containers according to the OCI specification.
runc depends on and tracks the runtime-spec repository. We will try to make sure that runc and the OCI specification major versions stay in lockstep. This means that runc 1.0.0 should implement the 1.0 version of the specification.
You can find official releases of runc on the release page.
Reporting process and disclosure communications are outlined in /org/security
runc currently supports the Linux platform with various architecture support. It must be built with Go version 1.6 or higher in order for some features to function properly.
In order to enable seccomp support you will need to install libseccomp on your platform.
e.g.
libseccomp-develfor CentOS, orlibseccomp-devfor Ubuntu
Otherwise, if you do not want to build runc with seccomp support you can add BUILDTAGS="" when running make.
# create a 'github.com/opencontainers' in your GOPATH/src cd github.com/opencontainers git clone https://github.com/opencontainers/runc cd runc make sudo make install
You can also use go get to install to your GOPATH, assuming that you have a github.com parent folder already created under src:
go get github.com/opencontainers/runc cd $GOPATH/src/github.com/opencontainers/runc make sudo make install
runc will be installed to /usr/local/sbin/runc on your system.
runc supports optional build tags for compiling support of various features. To add build tags to the make option the BUILDTAGS variable must be set.
make BUILDTAGS='seccomp apparmor'
| Build Tag | Feature | Dependency |
|---|---|---|
| seccomp | Syscall filtering | libseccomp |
| selinux | selinux process and mount labeling | |
| apparmor | apparmor profile support | |
| ambient | ambient capability support | kernel 4.3 |
| nokmem | disable kernel memory account |
runc currently supports running its test suite via Docker. To run the suite just type make test.
make test
There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.
You can run a specific test case by setting the TESTFLAGS variable.
# make test TESTFLAGS="-run=SomeTestFunction"
You can run a specific integration test by setting the TESTPATH variable.
# make test TESTPATH="/checkpoint.bats"
You can run a test in your proxy environment by setting DOCKER_BUILD_PROXY and DOCKER_RUN_PROXY variables.
# make test DOCKER_BUILD_PROXY="--build-arg HTTP_PROXY=http://yourproxy/" DOCKER_RUN_PROXY="-e HTTP_PROXY=http://yourproxy/"
runc uses vndr for dependencies management. Please refer to vndr for how to add or update new dependencies.
In order to use runc you must have your container in the format of an OCI bundle. If you have Docker installed you can use its export method to acquire a root filesystem from an existing Docker container.
# create the top most bundle directory mkdir /mycontainer cd /mycontainer # create the rootfs directory mkdir rootfs # export busybox via Docker into the rootfs directory docker export $(docker create busybox) | tar -C rootfs -xvf -
After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. runc provides a spec command to generate a base template spec that you are then able to edit. To find features and documentation for fields in the spec please refer to the specs repository.
runc spec
Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.
The first way is to use the convenience command run that will handle creating, starting, and deleting the container after it exits.
# run as root cd /mycontainer runc run mycontainerid
If you used the unmodified runc spec template this should give you a sh session inside the container.
The second way to start a container is using the specs lifecycle operations. This gives you more power over how the container is created and managed while it is running. This will also launch the container in the background so you will have to edit the config.json to remove the terminal setting for the simple examples here. Your process field in the config.json should look like this below with "terminal": false and "args": ["sleep", "5"].
"process": { "terminal": false, "user": { "uid": 0, "gid": 0 }, "args": [ "sleep", "5" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "cwd": "/", "capabilities": { "bounding": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "effective": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "inheritable": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "permitted": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "ambient": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ] }, "rlimits": [ { "type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024 } ], "noNewPrivileges": true },
Now we can go through the lifecycle operations in your shell.
# run as root cd /mycontainer runc create mycontainerid # view the container is created and in the "created" state runc list # start the process inside the container runc start mycontainerid # after 5 seconds view that the container has exited and is now in the stopped state runc list # now delete the container runc delete mycontainerid
This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after create but before start.
runc has the ability to run containers without root privileges. This is called rootless. You need to pass some parameters to runc in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
# Same as the first example mkdir ~/mycontainer cd ~/mycontainer mkdir rootfs docker export $(docker create busybox) | tar -C rootfs -xvf - # The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user. runc spec --rootless # The --root parameter tells runc where to store the container state. It must be writable by the user. runc --root /tmp/runc run mycontainerid
runc can be used with process supervisors and init systems to ensure that containers are restarted when they exit. An example systemd unit file looks something like this.
[Unit] Description=Start My Container [Service] Type=forking ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid ExecStopPost=/usr/local/sbin/runc delete mycontainerid WorkingDirectory=/mycontainer PIDFile=/run/mycontainerid.pid [Install] WantedBy=multi-user.target
The code and docs are released under the Apache 2.0 license.