Thanks for the response!

Yea, you are right about the runc and docker versions. I made a mistake in
the way I interpreted this PR to docker (
https://github.com/docker/engine/commit/cbe11bdc6da871bdce0993fddb4ff8a29c476a63)
and was just looking at the commit date and assumed the version bump.

Looking at the reference git sha that we bumped, it appears it wasn't
a runc version bump but just applied some patches.

Since moving to docker 18.09 appears to be off limits, is it possible to
only override the runc version without also upgrading docker?

On Mon, May 20, 2019 at 2:27 PM David Michael <[email protected]> wrote:

> On Mon, May 20, 2019 at 2:14 PM Ron Gutierrez <[email protected]> wrote:
> > Hi,
> >
> > We need to run an upgraded version of runc to pick up a bug fix related
> to a race condition that occurs under heavy load. This bug fix was included
> in the runc 1.0-rc7 release. This release also contained the runc
> vulnerability patch (CVE-2019-5736). We were hoping that by upgrading to
> the latest stable we would receive a runc bump along with the Docker
> version bump to 18.06.3 but it doesn't look like that is the case. It looks
> like the runc used by CoreOS is a self packaged version and you applied the
> CVE patch without also doing a version bump.
> >
> > Are there any short term plans to bump the runc version to >= 1.0-rc7?
>
> No, see https://github.com/coreos/coreos-overlay/pull/3477 .
>
> > Is there a way for us to easily override the runc package on our CoreOS
> builds?
>
> You can create your own Docker torcx image based on that PR and use
> the versions you want.  I don't know of issues with runc
> specifically, but updating in general beyond 18.06 causes random
> segfaults (mostly with resource limiting flags).
>
> > If so, would this be relatively safe or are there known issues with that
> version of runc and that is why a version bump wasn't done for the
> CVE-2019-5736 patch?
>
> There was a version bump to 18.06.3 for the CVE.  The Container Linux
> runc version always matches the one shipped with the Docker version.
>
> Thanks.
>
> David
>
> --
> You received this message because you are subscribed to the Google Groups
> "CoreOS Dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/coreos-dev/CA%2BsZQ%2BnAAc9MDax44BXa3%2BYEyNdpw%3DE1aRKsHoG-Ax%2B0AuLBgg%40mail.gmail.com
> .
>


-- 
*Ron Gutierrez*
