Skip to content

Comments

Dockerfile: update runc binary to 1.2.1#5443

Merged
tonistiigi merged 1 commit intomoby:masterfrom
AkihiroSuda:runc-1.2.0
Nov 4, 2024
Merged

Dockerfile: update runc binary to 1.2.1#5443
tonistiigi merged 1 commit intomoby:masterfrom
AkihiroSuda:runc-1.2.0

Conversation

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Oct 22, 2024
edited
Loading

@thompson-shaun thompson-shaun added the area/dependencies Pull requests that update a dependency file label Oct 22, 2024
@tonistiigi
Copy link
Member

tonistiigi commented Oct 22, 2024

This seems to be more complicated. See #5157

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Oct 28, 2024

This seems to be more complicated. See #5157

The dmz stuff is opt-in and is likely going to be removed in v1.2.1

@tonistiigi
Copy link
Member

tonistiigi commented Oct 28, 2024
edited
Loading

Is there a writeup for the dmz/overlay/vanilla solutions? What do they mean and what is the difference security and performance wise? The PR adding dmz to Moby seems to still be open.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Oct 28, 2024

Is there a writeup for the dmz/overlay/vanilla solutions? What do they mean and what is the difference security and performance wise?

Some benchmark results are available in
opencontainers/runc@515f09f

@cyphar
Copy link
Contributor

cyphar commented Oct 29, 2024

The tl;dr is that overlay has almost no overhead (1-2% on startup time compared to no protection applied to /proc/self/exe at all, and >70% faster than memfd). The only downside is that it doesn't work for rootless containers (the container runtime needs privileges to do fsopen(2)) but runc-dmz had a bunch of limitations that meant you couldn't practically use it for most containers (which is why we made it opt-in, and now that we have overlay the need for it is greatly diminished).

Security-wise, all of the options provide the same level of protection in practice (except for the pre-1.2 bindfds, which were not really secure). In theory a DirtyCow-like attack would be able to overwrite the binary with overlay but not memfd, however such an attack would allow you to attack the host in other ways (as evidenced by the actual DirtyCow attacks) so the benefits far outweigh this theoretical downside that relies on a different (more severe) future kernel bug.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Oct 29, 2024

The only downside is that it doesn't work for rootless containers (the container runtime needs privileges to do fsopen(2))

Rootless BuildKit (as well as Docker, contained, etc.) executes runc in an existing UserNS, so it should just work?

@cyphar
Copy link
Contributor

cyphar commented Oct 29, 2024

Yeah that should work fine on >=5.11 kernels when overlayfs was enabled inside user namespaces.

@github-actions github-actions bot removed the area/dependencies Pull requests that update a dependency file label Nov 1, 2024
@AkihiroSuda AkihiroSuda changed the title Dockerfile: update runc binary to 1.2.0 Dockerfile: update runc binary to 1.2.1 Nov 1, 2024
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Nov 1, 2024

Updated for v1.2.1

@tonistiigi tonistiigi merged commit 6292af7 into moby:master Nov 4, 2024
@samiam samiam mentioned this pull request Nov 7, 2024
Closed
This was referenced Nov 9, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees

No one assigned

Labels

area/project

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AkihiroSuda @tonistiigi @cyphar @thompson-shaun