Skip to content

Comments

drop runc-dmz solution according to overlay solution#4482

Merged
cyphar merged 1 commit intoopencontainers:mainfrom
lifubang:drop-dmz-binary
Oct 29, 2024
Merged

drop runc-dmz solution according to overlay solution#4482
cyphar merged 1 commit intoopencontainers:mainfrom
lifubang:drop-dmz-binary

Conversation

@lifubang
Copy link
Member

@lifubang lifubang commented Oct 28, 2024

Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations.

The original post is here: #4450 (comment)

Because of there are many commits about runc-dmz binary solution, so doing git revert action is very hard, let's drop these code line by line.

@AkihiroSuda AkihiroSuda added this to the 1.3.0 milestone Oct 28, 2024
AkihiroSuda
AkihiroSuda reviewed Oct 28, 2024
View reviewed changes
cyphar
cyphar reviewed Oct 28, 2024
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor nit.

contrib/cmd/memfd-bind/README.md
Comment on lines +3 to +5
`runc` normally has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.
Copy link
Member

@cyphar cyphar Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I forgot to document how the new overlay mode works in #4448. I'll open a separate PR for that.

Copy link

@frezbo frezbo Oct 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is more of a discussion, so with the overlay change i guess memfd-bind is no longer needed? 🤔

Copy link
Member

@cyphar cyphar Oct 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is being discussed in #4450 (comment). Short answer: it has fewer upsides now and there is a fairly strong case for removing it.

@lifubang lifubang force-pushed the drop-dmz-binary branch 4 times, most recently from fad48fe to 330755c Compare October 28, 2024 13:39
AkihiroSuda
AkihiroSuda reviewed Oct 28, 2024
View reviewed changes
README.md
| `!runc_nodmz` | Reduce memory usage for CVE-2019-5736 protection by using a small C binary, [see `memfd-bind` for more details][contrib-memfd-bind]. `runc_nodmz` disables this **experimental feature** and causes runc to use a different protection mechanism which will further increases memory usage temporarily during container startup. To enable this feature you also need to set the `RUNC_DMZ=true` environment variable. | yes ||

The following build tags were used earlier, but are now obsoleted:
- **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)
Copy link
Member

@AkihiroSuda AkihiroSuda Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Considering the amount of the changes I was wondering if this is going to be v1.3.0, but probably safe to cherrypick to v1.2.1, as dmz was experimental and opt-in)

Copy link
Member

@AkihiroSuda AkihiroSuda Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably https://github.com/opencontainers/runc/blob/main/docs/experimental.md should be updated to reflect the history

Copy link
Contributor

@kolyshkin kolyshkin Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to drop runc-dmz now since no one is using runc_dmz (yet). Adding a backport label.

@AkihiroSuda AkihiroSuda mentioned this pull request Oct 28, 2024
Merged
@lifubang
drop runc-dmz solution according to overlay solution
871057d 
Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
@AkihiroSuda AkihiroSuda modified the milestones: 1.3.0, 1.2.1 Oct 28, 2024
@kolyshkin kolyshkin added the backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 label Oct 28, 2024
@cyphar cyphar merged commit 68bef80 into opencontainers:main Oct 29, 2024
@lifubang lifubang mentioned this pull request Oct 29, 2024
Closed
@lifubang lifubang added backport/1.2-done A PR in main branch which has been backported to release-1.2 and removed backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 labels Oct 29, 2024
@lifubang lifubang deleted the drop-dmz-binary branch October 29, 2024 09:54
@lifubang lifubang mentioned this pull request Oct 29, 2024
Merged
This was referenced Oct 30, 2024
Merged
Merged
@kolyshkin kolyshkin removed this from the 1.2.1 milestone Nov 1, 2024
@kolyshkin kolyshkin mentioned this pull request Jan 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphar cyphar cyphar approved these changes

@kolyshkin kolyshkin kolyshkin left review comments

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

+1 more reviewer

@frezbo frezbo frezbo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport/1.2-done A PR in main branch which has been backported to release-1.2 impact/changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lifubang @cyphar @kolyshkin @AkihiroSuda @frezbo