
Dockerfile: update runc binary to 1.2.1 #5443

Merged (1 commit), Nov 4, 2024

Conversation

@AkihiroSuda (Member) commented Oct 22, 2024

@thompson-shaun thompson-shaun added the area/dependencies Pull requests that update a dependency file label Oct 22, 2024
@tonistiigi (Member)

This seems to be more complicated. See #5157

@AkihiroSuda (Member, Author)

This seems to be more complicated. See #5157

The dmz stuff is opt-in and is likely going to be removed in v1.2.1

@tonistiigi (Member) commented Oct 28, 2024

Is there a writeup for the dmz/overlay/vanilla solutions? What do they mean and what is the difference security and performance wise? The PR adding dmz to Moby seems to still be open.

@AkihiroSuda (Member, Author)

Is there a writeup for the dmz/overlay/vanilla solutions? What do they mean and what is the difference security and performance wise?

Some benchmark results are available in opencontainers/runc@515f09f

@cyphar (Contributor) commented Oct 29, 2024

The tl;dr is that overlay has almost no overhead (1-2% on startup time compared to no protection applied to /proc/self/exe at all, and >70% faster than memfd). The only downside is that it doesn't work for rootless containers (the container runtime needs privileges to do fsopen(2)) but runc-dmz had a bunch of limitations that meant you couldn't practically use it for most containers (which is why we made it opt-in, and now that we have overlay the need for it is greatly diminished).

Security-wise, all of the options provide the same level of protection in practice (except for the pre-1.2 bindfds, which were not really secure). In theory a DirtyCow-like attack would be able to overwrite the binary with overlay but not memfd, however such an attack would allow you to attack the host in other ways (as evidenced by the actual DirtyCow attacks) so the benefits far outweigh this theoretical downside that relies on a different (more severe) future kernel bug.

@AkihiroSuda (Member, Author)

The only downside is that it doesn't work for rootless containers (the container runtime needs privileges to do fsopen(2))

Rootless BuildKit (as well as Docker, containerd, etc.) executes runc in an existing UserNS, so it should just work?

@cyphar (Contributor) commented Oct 29, 2024

Yeah that should work fine on >=5.11 kernels when overlayfs was enabled inside user namespaces.

@github-actions github-actions bot removed the area/dependencies Pull requests that update a dependency file label Nov 1, 2024
@AkihiroSuda AkihiroSuda changed the title from "Dockerfile: update runc binary to 1.2.0" to "Dockerfile: update runc binary to 1.2.1" Nov 1, 2024
@AkihiroSuda (Member, Author)

Updated for v1.2.1

4 participants