I reviewed containerd 1.3.1-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
containerd is a daemon that manages the complete container lifecycle of its host system. Containerd controls runc.

- No CVE History
- Build-Depends
  - debhelper (>= 9)
  - go-md2man
  - golang-go (>= 2:1.10~)
  - golang-race-detector-runtime
  - libbtrfs-dev | btrfs-progs (<< 4.16.1~)
  - libseccomp-dev
  - pkg-config
- pre/post rm and postinst scripts added automatically
- No init scripts
- systemd units
  - containerd.service - adds the overlay module to the kernel and runs /usr/bin/containerd. Also sets some limits on the number of processes, number of cores and files.
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/containerd
  - /usr/bin/containerd-shim
  - /usr/bin/containerd-shim-runc-v1
  - /usr/bin/containerd-shim-runc-v2
  - /usr/bin/containerd-stress
  - /usr/bin/ctr
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - different tests are available in the source code
  - make test (run automatically during build): non-integration tests
  - make root-test: non-integration tests (requires root)
  - make integration: run all tests, including integration tests (requires root)
  - also autopkgtest available (basic smoke DEP8 test)
    - http://autopkgtest.ubuntu.com/packages/containerd
- No cron jobs
- Build logs:
  - No compilation errors or warnings.
  - E: Lintian run failed (policy violation) Lintian: fail
- Processes spawned
  - in pkg/process/ it implements its own way of Exec'ing processes
  - nsexec.c and cloned_binary.c: from runc; we commented about this function in the runc MIR, nothing new.
  - vendor/github.com/containerd/go-runc/runc.go: executes a process inside the container.
- Memory management
  - Only in vendored code.
- File IO
  - Some File IO in archive/tar*.go, looks ok.
  - Other File IO is mostly done in vendored code.
- Logging
  - uses logrus for logging, much like runc.
- Environment variable usage
  - only in vendored code.
- Use of privileged functions
  - setuid, setgid and setresuid from runc code.
  - Lchown used in some places to change the uid and gid of the named file.
- No use of cryptography / random number sources etc.
- Use of temp files mainly in test code.
- Use of networking
  - Only found something in:
    - runtime/v1/shim/client/client.go
    - runtime/v2/shim/publisher.go
    - cmd/containerd/command/publish.go
  - client.go - looks ok
- No use of WebKit
- No use of PolicyKit
- Coverity results
  - We ended up finding a possible bug; we are working with upstream to get it investigated.

Security team ACK for promoting containerd to main.

Unassigning the Security Team.

** Changed in: containerd (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1819761

Title:
  [MIR] containerd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1819761/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
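The review above walks a fixed checklist of package surface (binaries in PATH, setuid bits, sudo/polkit/udev/cron fragments, init scripts and systemd units, dbus services). The script below is an added example, not part of the review comment or of the containerd package, that reproduces those checks over a list of installed paths such as the output of `dpkg -L containerd`. The path list embedded here is constructed from the binaries and unit the review names, plus a temporary directory with a deliberately setuid file so the setuid check visibly fires; the category names and directory patterns are the author's assumptions about where Debian packages ship such files.

```shell
#!/bin/sh
# Added example (not from the MIR review or the containerd project):
# re-run the package-surface checks the review lists over a path list.
# Real use: dpkg -L containerd | classify_paths
#           dpkg -L containerd | find_setuid

# Classify a path list read from stdin into the review's categories.
# Prints "category<TAB>path"; paths in no category are dropped.
# Directory patterns are assumptions about Debian packaging conventions.
classify_paths() {
    while IFS= read -r p; do
        case "$p" in
            /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*)          printf 'bin_in_path\t%s\n' "$p" ;;
            /etc/sudoers.d/*)                                printf 'sudo_fragment\t%s\n' "$p" ;;
            /usr/share/polkit-1/*|/etc/polkit-1/*)           printf 'polkit\t%s\n' "$p" ;;
            /lib/udev/rules.d/*|/etc/udev/rules.d/*)         printf 'udev_rule\t%s\n' "$p" ;;
            /etc/cron.*|/etc/crontab)                        printf 'cron_job\t%s\n' "$p" ;;
            /lib/systemd/system/*|/usr/lib/systemd/system/*) printf 'systemd_unit\t%s\n' "$p" ;;
            /etc/init.d/*)                                   printf 'init_script\t%s\n' "$p" ;;
            /usr/share/dbus-1/*|/etc/dbus-1/*)               printf 'dbus_service\t%s\n' "$p" ;;
        esac
    done
}

# Count entries of one category ($1) in classify_paths output on stdin.
count_category() {
    awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Print regular files from a path list (stdin) carrying the setuid or
# setgid bit. The review reports none for containerd; any hit here
# is something the reviewer would want explained.
find_setuid() {
    while IFS= read -r p; do
        if [ -f "$p" ] && { [ -u "$p" ] || [ -g "$p" ]; }; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample path list: the binaries and unit named in the review
# plus one documentation file that matches no category.
SAMPLE_PATHS='/usr/bin/containerd
/usr/bin/containerd-shim
/usr/bin/containerd-shim-runc-v1
/usr/bin/containerd-shim-runc-v2
/usr/bin/containerd-stress
/usr/bin/ctr
/lib/systemd/system/containerd.service
/usr/share/doc/containerd/changelog.Debian.gz'

# Constructed demo of the setuid check: one plain file and one file with
# mode 4755 in a scratch directory; prints the number of hits (expected 1).
demo_setuid_check() {
    d=$(mktemp -d)
    : > "$d/plain"; chmod 0755 "$d/plain"
    : > "$d/suid";  chmod 4755 "$d/suid"
    hits=$(printf '%s\n%s\n' "$d/plain" "$d/suid" | find_setuid | awk 'END { print NR }')
    rm -rf "$d"
    printf '%s\n' "$hits"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PATHS" | classify_paths
printf 'binaries in PATH: %s\n' "$(printf '%s\n' "$SAMPLE_PATHS" | classify_paths | count_category bin_in_path)"
printf 'setuid/setgid files in demo dir: %s\n' "$(demo_setuid_check)"
```

Pipe a real `dpkg -L <package>` listing into `classify_paths` and `find_setuid` to reproduce the corresponding lines of the checklist; an empty result for a category is what the review's "No sudo fragments", "No udev rules" and similar entries record.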