
chore(deps): update module github.com/containerd/containerd to v1.7.11 [security] #2200

Merged

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 20, 2023


This PR contains the following updates:

Package: github.com/containerd/containerd
Change: v1.7.6 -> v1.7.11

GitHub Vulnerability Alerts

GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside an SGX enclave) and KASLR (kernel address space layout randomization). This is known as the PLATYPUS attack; Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

  • Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
  • sysfs is mounted inside containers read-only; however, only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. The mitigation is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and by adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, the other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO, which is not available to containers by default, or a perf paranoia level of less than 1, which is a non-default kernel tunable.
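As an added example (not containerd's own code), the following Go program checks an OCI runtime spec's config.json for the powercap mask the advisory describes and adds it when it is missing, which is how a defender can audit specs produced by an older runtime or by custom tooling. The sample spec is constructed; the only field assumed is the standard OCI `linux.maskedPaths` list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PowercapPath is the sysfs tree that containerd 1.7.11 masks by default.
const PowercapPath = "/sys/devices/virtual/powercap"

// SampleSpec is a constructed, trimmed-down OCI config.json in the shape of a
// pre-1.7.11 default spec: parts of sysfs are masked, but powercap is not.
const SampleSpec = `{
  "ociVersion": "1.0.2",
  "process": {"args": ["/bin/sh"]},
  "linux": {
    "maskedPaths": ["/proc/acpi", "/proc/kcore", "/sys/firmware"],
    "readonlyPaths": ["/proc/bus", "/proc/sys"]
  }
}`

// maskedPaths returns linux.maskedPaths from a decoded spec, or nil when absent.
func maskedPaths(doc map[string]any) []any {
	linux, _ := doc["linux"].(map[string]any) // reading a nil map is safe
	paths, _ := linux["maskedPaths"].([]any)
	return paths
}

// PowercapMasked reports whether the spec lists PowercapPath in linux.maskedPaths.
func PowercapMasked(specJSON []byte) (bool, error) {
	var doc map[string]any
	if err := json.Unmarshal(specJSON, &doc); err != nil {
		return false, err
	}
	for _, p := range maskedPaths(doc) {
		if s, ok := p.(string); ok && s == PowercapPath {
			return true, nil
		}
	}
	return false, nil
}

// HardenSpec returns the spec with PowercapPath added to linux.maskedPaths.
// The document is handled as a generic map so that every other field in
// config.json survives untouched; an already-masked spec is returned as-is.
func HardenSpec(specJSON []byte) ([]byte, error) {
	masked, err := PowercapMasked(specJSON)
	if err != nil {
		return nil, err
	}
	if masked {
		return specJSON, nil
	}
	var doc map[string]any
	if err := json.Unmarshal(specJSON, &doc); err != nil {
		return nil, err
	}
	linux, ok := doc["linux"].(map[string]any)
	if !ok {
		linux = map[string]any{} // spec had no linux section at all
		doc["linux"] = linux
	}
	linux["maskedPaths"] = append(maskedPaths(doc), PowercapPath)
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	before, _ := PowercapMasked([]byte(SampleSpec))
	hardened, err := HardenSpec([]byte(SampleSpec))
	if err != nil {
		panic(err)
	}
	after, _ := PowercapMasked(hardened)
	fmt.Printf("powercap masked before: %v, after: %v\n", before, after)
	fmt.Println(string(hardened))
}
```

The mask in the spec is only the first layer the advisory names; the AppArmor deny rules are the second, and a spec check alone says nothing about whether that profile is loaded on the host.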

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.11: containerd 1.7.11


Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and updates including
one security issue.

Notable Updates
  • Fix Windows default path overwrite issue (#9440)
  • Update push to always inherit distribution sources from parent (#9452)
  • Update shim to use net dial for gRPC shim sockets (#9458)
  • Fix otel version incompatibility (#9483)
  • Fix Windows snapshotter blocking snapshot GC on remove failure (#9482)
  • Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
  • Emit deprecation warning for AUFS snapshotter (#9436)
  • Emit deprecation warning for v1 runtime (#9450)
  • Emit deprecation warning for deprecated CRI configs (#9469)
  • Emit deprecation warning for CRI v1alpha1 usage (#9479)
  • Emit deprecation warning for CRIU config in CRI (#9481)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Phil Estes
  • Bjorn Neergaard
  • Danny Canter
  • Sebastiaan van Stijn
  • ruiwen-zhao
  • Akihiro Suda
  • Amit Barve
  • Charity Kathure
  • Maksym Pavlenko
  • Milas Bowman
  • Paweł Gronowski
  • Wei Fu
Changes
39 commits

  • [release/1.7] Prepare release notes for v1.7.11 (#9491)
    • dfae68bc3 Prepare release notes for v1.7.11
  • [release/1.7] update to go1.20.12, test go1.21.5 (#9352)
    • 0d314401d update to go1.20.12, test go1.21.5
    • 1ec1ae2c6 update to go1.20.11, test go1.21.4
  • Github Security Advisory GHSA-7ww5-4wqc-m92c
    • cb804da21 contrib/apparmor: deny /sys/devices/virtual/powercap
    • 40162a576 oci/spec: deny /sys/devices/virtual/powercap
  • [release/1.7] Don't block snapshot garbage collection on Remove failures (#9482)
    • ed7c6895b Don't block snapshot garbage collection on Remove failures
  • [release/1.7] Add warning for CRIU config usage (#9481)
    • 1fdefdd22 Add warning for CRIU config usage
  • [release/1.7] Fix otel version incompatibility (#9483)
    • f8f659e66 Add HTTP client update function to tracing library
    • 807ddd658 fix(tracing): use latest version of semconv
  • [release/1.7] Add cri-api v1alpha2 usage warning to all api calls (#9479)
    • dc45bc838 Add cri-api v1alpha2 usage warning to all api calls
  • [release/1.7] cri: add deprecation warnings for deprecated CRI configs (#9469)
    • 9d1bad62e deprecation: fix missing spaces in warnings
    • 51a604c07 cri: add deprecation warning for runtime_root
    • 8040e74bf cri: add deprecation warning for runtime_engine
    • 99adc40eb cri: add deprecation warning for default_runtime
    • afef7ec64 cri: add warning for untrusted_workload_runtime
    • 6220dc190 cri: add warning for old form of systemd_cgroup
  • [release/1.7] runtime/v2: net.Dial gRPC shim sockets before trying grpc (#9458)
    • 80f96cd18 runtime/v2: net.Dial gRPC shim sockets before trying grpc
  • [release/1.7] tasks: emit warning for v1 runtime and runc v1 runtime (#9450)
    • f471bb2b8 tasks: emit warning for runc v1 runtime
    • 329e1d487 tasks: emit warning for v1 runtime
  • [release/1.7] push: always inherit distribution sources from parent (#9452)
    • 4464fde12 push: always inherit distribution sources from parent
  • [release/1.7] Update tar tests to run on Darwin (#9451)
    • 7e069ee25 Update tar tests to run on Darwin
  • [release/1.7] ctr: Add sandbox flag to ctr run (#9449)
  • [release/1.7] Windows default path overwrite fix (#9440)
    • 31fe03764 Fix windows default path overwrite issue
  • [release/1.7] snapshots: emit deprecation warning for aufs (#9436)
    • 625b35e4b snapshots: emit deprecation warning for aufs

Dependency Changes
  • github.com/felixge/httpsnoop v1.0.3 new
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 new

Previous release can be found at v1.7.10

v1.7.10: containerd 1.7.10


Welcome to the v1.7.10 release of containerd!

The tenth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • Enhance container image unpack client logs (#9379)
  • cri: fix using the pinned label to pin image (#9381)
  • fix: ImagePull should close http connection if there is no available data to read. (#9409)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Wei Fu
  • Iceber Gu
  • Austin Vazquez
  • Derek McGowan
  • Phil Estes
  • Samuel Karp
  • ruiwen-zhao
Changes
11 commits

  • Add release notes for v1.7.10 (#9426)
  • [release/1.7] fix: ImagePull should close http connection if there is no available data to read. (#9409)
  • [release/1.7] cri: fix using the pinned label to pin image (#9381)
    • a2b16d7f9 cri: fix update of pinned label for images
    • 8dc861844 cri: fix using the pinned label to pin image
  • [release/1.7] Enhance container image unpack client logs (#9379)
    • 5930a3750 Enhance container image unpack client logs

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.9

v1.7.9: containerd 1.7.9


Welcome to the v1.7.9 release of containerd!

The ninth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • update runc binary to v1.1.10 (#9359)
  • vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#9301)
  • Expose usage of cri-api v1alpha2 (#9336)
  • integration: deflake TestIssue9103 (#9354)
  • fix: shimv1 leak issue (#9344)
  • cri: add deprecation warnings for mirrors, auths, and configs (#9327)
  • Update hcsshim tag to v0.11.4 (#9326)
  • Expose usage of deprecated features (#9315)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Kazuyoshi Kato
  • Wei Fu
  • Kirtana Ashok
  • Derek McGowan
  • Milas Bowman
  • Sebastiaan van Stijn
  • ruiwen-zhao
Changes
28 commits

  • [release/1.7] Add release notes for v1.7.9 (#9333)
  • [release/1.7 backport] update runc binary to v1.1.10 (#9359)
  • [release/1.7] vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0 (#9301)
    • bd9428ff7 vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
  • [release/1.7] Expose usage of cri-api v1alpha2 (#9336)
  • [release/1.7] integration: deflake TestIssue9103 (#9354)
    • 5dbc258a8 integration: deflake TestIssue9103
  • [release/1.7] fix: shimv1 leak issue (#9344)
  • [release/1.7] cri: add deprecation warnings for mirrors, auths, and configs (#9327)
    • 152c57e91 cri: add deprecation warning for configs
    • 689a1036d cri: add deprecation warning for auths
    • 8c38975bf cri: add deprecation warning for mirrors
    • 1fbce40c4 cri: add ability to emit deprecation warnings
  • [release/1.7] Update hcsshim tag to v0.11.4 (#9326)
  • [release/1.7] Expose usage of deprecated features (#9315)
    • 60d48ffea ctr: new deprecations command
    • 74a06671a plugin: record deprecation for dynamic plugins
    • fa5f3c91a server: add ability to record config deprecations
    • f7880e7f0 pull: record deprecation warning for schema 1
    • 1dd2f2c02 introspection: add support for deprecations
    • aaf000c18 api/introspection: deprecation warnings in server
    • 9b7ceee54 warning: new service for deprecations
    • b708f8bfa deprecation: new package for deprecations

Dependency Changes
  • github.com/Microsoft/hcsshim v0.11.1 -> v0.11.4
  • github.com/cenkalti/backoff/v4 v4.2.0 -> v4.2.1
  • github.com/go-logr/logr v1.2.3 -> v1.2.4
  • github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 -> v2.16.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 -> v0.45.0
  • go.opentelemetry.io/otel v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/metric v0.37.0 -> v1.19.0
  • go.opentelemetry.io/otel/sdk v1.14.0 -> v1.19.0
  • go.opentelemetry.io/otel/trace v1.14.0 -> v1.19.0
  • go.opentelemetry.io/proto/otlp v0.19.0 -> v1.0.0

Previous release can be found at v1.7.8

v1.7.8: containerd 1.7.8


Welcome to the v1.7.8 release of containerd!

The eighth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • Fix ambiguous TLS fallback (#9299)
  • Update Go to 1.20.10 (#9265)
  • Add a new image label on converted schema 1 images (#9252)
  • Fix handling for missing basic auth credentials (#9235)
  • Fix potential deadlock in create handler for containerd-shim-runc-v2 (#9209)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Sebastiaan van Stijn
  • Derek McGowan
  • Phil Estes
  • Chen Yiyang
  • Wei Fu
  • Akihiro Suda
  • Maksym Pavlenko
  • Marat Radchenko
  • Milas Bowman
  • Qiutong Song
  • Samuel Karp
Changes
27 commits

  • [release/1.7] Prepare release notes for v1.7.8 (#9278)
  • [release/1.7] Fix ambiguous tls fallback (#9299)
    • 68abc543b Check scheme and host of request on push redirect
    • 35c7634e3 Avoid TLS fallback when protocol is not ambiguous
  • [release/1.7] vendor: google.golang.org/grpc v1.58.3 (#9281)
  • [release/1.7 backport] vendor: golang.org/x/net v0.17.0 (#9276)
  • [release/1.7] vendor: google.golang.org/grpc v1.56.3 (#9248)
    • 26736d6e1 vendor: google.golang.org/grpc v1.56.3
    • 54a69a6e4 vendor: golang.org/x/oauth2 v0.7.0
    • ac15a7f5b vendor: google.golang.org/protobuf v1.30.0
  • [release/1.7] update to go1.20.10, test go1.21.3 (#9265)
    • 2479c3321 [release/1.7] update to go1.20.10, test go1.21.3
    • 11f40e9d8 [release/1.7] update to go1.20.9, test go1.21.2
  • [release/1.7] Add a new image label if it is docker schema 1 (#9252)
    • cac1bab79 Add a new image label if it is docker schema 1
  • [release/1.7] remotes: add handling for missing basic auth credentials (#9235)
    • 6cd2cc4a8 remotes: add handling for missing basic auth credentials
  • [release/1.7 backport] containerd-shim-runc-v2: avoid potential deadlock in create handler (#9209)
    • d0a1fedb5 *: add runc-fp as runc wrapper to inject failpoint
    • 04491240a containerd-shim-runc-v2: avoid potential deadlock in create handler
    • 6982a0df5 containerd-shim-runc-v2: remove unnecessary s.getContainer()
    • 0e2320398 Uncopypaste parsing of OCI Bundle spec file

Dependency Changes
  • golang.org/x/crypto v0.11.0 -> v0.14.0
  • golang.org/x/mod v0.9.0 -> v0.11.0
  • golang.org/x/net v0.13.0 -> v0.17.0
  • golang.org/x/oauth2 v0.4.0 -> v0.10.0
  • golang.org/x/sync v0.1.0 -> v0.3.0
  • golang.org/x/sys v0.10.0 -> v0.13.0
  • golang.org/x/term v0.10.0 -> v0.13.0
  • golang.org/x/text v0.11.0 -> v0.13.0
  • golang.org/x/tools v0.7.0 -> v0.10.0
  • google.golang.org/genproto 7f2fa6f -> 782d3b1
  • google.golang.org/genproto/googleapis/api 782d3b1 new
  • google.golang.org/genproto/googleapis/rpc 782d3b1 new
  • google.golang.org/grpc v1.53.0 -> v1.58.3
  • google.golang.org/protobuf v1.29.1 -> v1.31.0

Previous release can be found at v1.7.7

v1.7.7: containerd 1.7.7


Welcome to the v1.7.7 release of containerd!

The seventh patch release for containerd 1.7 contains various fixes and updates.

Notable Updates
  • Require plugins to succeed after registering readiness (#9165)
  • Handle unexpected shim kill events (#9132)
  • Build binaries with Go 1.21.1 (#9167)
  • cri: Stop recommending disable_cgroup (#9168)
  • remotes/docker: Fix MountedFrom prefixed with target repository (#9193)
  • remotes: always try to establish tls connection when tls configured (#9188)
  • NRI: Add support for rlimits (#48)

See the changelog for the complete list of changes.

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Samuel Karp
  • Krisztian Litkey
  • Wei Fu
  • Phil Estes
  • Sebastiaan van Stijn
  • Iceber Gu
  • Mike Brown
  • Akihiro Suda
  • Paweł Gronowski
  • Steve Griffith
  • Aditya Ramani
  • Austin Vazquez
  • Danny Canter
  • James Sturtevant
  • Kern Walster
  • ZP-AlwaysWin
Changes
31 commits

  • [release/1.7] Prepare release notes for v1.7.7 (#9194)
  • [release/1.7] Allow for images with artifacts to pull (#9149)
    • 6ca0aebf0 Allow for images with artifacts to pull
  • [release 1.7] remotes/docker: Fix MountedFrom prefixed with target repository (#9193)
    • 7df492a95 remotes/docker: Fix MountedFrom prefixed with target repository
  • [release/1.7] Update x/net to 0.13 (#9134)
  • [release/1.7] remotes: always try to establish tls connection when tls configured (#9188)
    • 7779ce64e remotes: always try to establish tls connection when tls configured
  • [release/1.7] cri: stop recommending disable_cgroup (#9168)
    • 6013b5e03 cri: stop recommending disable_cgroup
  • [release/1.7] Require plugins to succeed after registering readiness (#9165)
    • a83c66813 Require plugins to succeed after registering readiness
    • 171d76849 cri: call RegisterReadiness after NewCRIService
  • [release/1.7] Handle unexpected shim kill events (#9132)
    • 3d27bc738 Handle unexpected shim kill events
  • [release/1.7] Build binaries with 1.21.1 (#9167)
  • [release/1.7] vendor: github.com/Microsoft/hcsshim v0.11.1 (#9127)
    • 5756f6064 [release/1.7] vendor: github.com/Microsoft/hcsshim v0.11.1
  • [release/1.7 backport] alias log package to github.com/containerd/log v0.1.0 (#9106)
    • 09633b539 deprecate logs package, but disable linter (for transitioning)
    • cb201519f alias log package to github.com/containerd/log v0.1.0
    • a5024e6dd vendor: github.com/stretchr/testify v1.8.4
    • 7bd976af3 vendor: github.com/sirupsen/logrus v1.9.3
  • [release/1.7] remotes/docker: Add MountedFrom and Exists push status (#9097)
    • 8cd2d33c2 [release/1.7] remotes/docker: Add MountedFrom and Exists push status
  • [release/1.7] vendor: update github.com/containerd/nri@v0.4.0 (#9099)
    • 3ca015e55 nri: update mock plugin handlers
    • 4cd208c1f vendor: update github.com/containerd/nri@v0.4.0

Changes from containerd/log
9 commits

Changes from containerd/nri
35 commits

  • releases: update note about 0.4.0 (#50)
    • 5f13915 releases: update note about 0.4.0
  • Add support for rlimits (#48)
    • 5ecea04 ulimit-adjuster: add validation for hard limits
    • db3de10 test: exclude ulimit-adjuster from ginkgo
    • f0deb59 ulimit-adjuster: new sample plugin
    • d2dd708 Add support for rlimits
    • efaf36e api: add POSIXRlimit type
  • .github: add test build to CI workflow. (#47)
    • 3f092c2 .github: add test build to CI workflow.
  • stub: pass context to plugins, pass updated resources to UpdateContainers. (#40)
    • 01d5f14 Add a note about NRI API stability and release notes.
    • ea9976d adaptation: add UpdateContainer tests.
    • d042d24 stub: fix plugin UpdateContainerInterface.
    • f5d0f51 plugins: update plugins for stub changes.
    • b4bd301 adaptation: update tests with stub changes.
    • 9d86150 stub: pass context to plugin event handlers.
  • Updated the OCI Hook Injector README to resolve broken links to the p… (#34)
    • 5eee915 removed link
    • c783fc7 Resolves broken podman links and adds details to help better guide people in testing.
  • Fix ParseEventMask to produce proper masks for 'pod' and 'container' shorthand event notations. (#39)
    • da291a6 Fix ParseEventMask to produce proper masks
  • fix the NRI_PLUGIN_NAME env value when launching a pre-installed plugin (#42)
    • 4a4cea6 fix the NRI_PLUGIN_NAME env value when launching a pre-installed plugin
    • a67478e stub: update setIdentify to ensureIdentify
  • update module name of the logger plugin (#41)
    • 841f5ed update module name of the logger plugin
  • Add gitignore for build artifacts (#32)
    • 8d9c64d Add gitignore for build artifacts
  • Makefile: fix 'install-*' targets. (#38)
    • c03d1be Makefile: fix 'install-*' targets.
  • docs: add a chapter about security considerations. (#36)
    • ab28e71 docs: add a chapter about security considerations.
  • api: initialize OCI LinuxMemory resources to empty. (#37)
    • 2862d98 api: initialize OCI LinuxMemory resources to empty.

Dependency Changes
  • github.com/Microsoft/hcsshim v0.11.0 -> v0.11.1
  • github.com/containerd/log v0.1.0 new
  • github.com/containerd/nri v0.3.0 -> v0.4.0
  • github.com/sirupsen/logrus v1.9.0 -> v1.9.3
  • github.com/stretchr/testify v1.8.2 -> v1.8.4
  • golang.org/x/crypto v0.1.0 -> v0.11.0
  • golang.org/x/net v0.8.0 -> v0.13.0
  • golang.org/x/sys v0.7.0 -> v0.10.0
  • golang.org/x/term v0.6.0 -> v0.10.0
  • golang.org/x/text v0.8.0 -> v0.11.0

Previous release can be found at v1.7.6

Which file should I download?
  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
  • cri-containerd-<VERSION>-<OS>-<ARCH>.tar.gz: (Deprecated)
  • cri-containerd-cni-<VERSION>-<OS>-<ARCH>.tar.gz: (Deprecated)

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

…1 [security]

Signed-off-by: renovate[bot] <bot@renovateapp.com>
@renovate renovate bot requested a review from a team as a code owner December 20, 2023 11:22
@renovate renovate bot requested a review from sayboras December 20, 2023 11:22
@renovate renovate bot added kind/enhancement This would improve or streamline existing functionality. priority/release-blocker This issue will prevent the release of the next version of Cilium. renovate/stop-updating Tell Renovate to stop updating PR labels Dec 20, 2023
Member

@sayboras sayboras left a comment


LGTM ✔️

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 22, 2023
@sayboras sayboras merged commit abe11d0 into main Dec 22, 2023
13 checks passed
@sayboras sayboras deleted the renovate/go-github.com/containerd/containerd-vulnerability branch December 22, 2023 07:00