path: root/package/runc
Commit message | Author | Age | Files | Lines
* package/runc: blacklist Codesourcery ARM toolchain | Peter Korsgaard | 2019-03-04 | 1 | -0/+2

  Fixes:
  http://autobuild.buildroot.net/results/018e309caa0fc662aa2993e47b2037fb6c569011/

  This toolchain uses glibc 2.18, which does not provide O_TMPFILE support.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* runc: depend on linux headers >= 3.11 for O_TMPFILE | Christian Stewart | 2019-02-27 | 1 | -2/+4

  Fixes:
  http://autobuild.buildroot.net/results/63e9d88ae5177541be463f1e2aafec59aa410479

  Add dependency on headers >= 3.11 for O_TMPFILE, used by runc after the fix for CVE-2019-5736 and propagate to the reverse dependencies of runc.

  Notice that C library support for O_TMPFILE is also needed, which was added in glibc 2.19 and musl 0.9.15.

  Signed-off-by: Christian Stewart <christian@paral.in>
  [Peter: squash series, extend commit message, mention C library dependency, fix indentation]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/runc: add upstream security fix for CVE-2019-5736 | Peter Korsgaard | 2019-02-12 | 2 | -2/+341

  The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts:

    * Creating a new container using an attacker-controlled image.
    * Attaching (docker exec) into an existing container which the attacker had previous write access to.

  For more details, see the advisory:
  https://www.openwall.com/lists/oss-security/2019/02/11/2

  The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate to the reverse dependencies (containerd/docker-engine).

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/runc: bump to version 1.0.0-rc6 | Christian Stewart | 2018-12-30 | 2 | -3/+2

  Previously, a specific commit hash from the Docker runc.installer was used to determine the required runc version for the Docker Engine.

  This old commit hash used was an untagged pre-1.0.0 release of runc, closer to an earlier release candidate.

  The runc version used in the Debian distribution is not the pinned version previously used by Buildroot. It is the latest release candidate.

  The latest release candidate is known to be compatible with the Docker Engine, and there is no justification for pinning to an older RC anymore.

  This commit bumps to the latest RC, 1.0.0-rc6. A v1.0.0 is expected soon.

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

* runc: bump to 69663f0b | Christian Stewart | 2018-09-16 | 2 | -2/+4

  This commit bumps runc to the requisite version for Docker 2018.06.

  Added note about where runc version dependency is declared:

    RUNC_VERSION = 69663f0bd4b60df09991c08812a60108003fa340

  We take this opportunity to add the hash for the license file.

  Signed-off-by: Christian Stewart <christian@paral.in>
  [Thomas: add hash for license file.]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

* package/runc: convert to golang infrastructure | Angelo Compagnucci | 2018-03-31 | 1 | -32/+5

  Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

* Revert "runc: bump to v1.0.0-rc4" | Peter Korsgaard | 2017-11-22 | 2 | -4/+3

  This reverts commit 3861ce09d0acd6425873332300c6caa75863017f.

  As reported on IRC, runc v1.0.0-rc4 is not compatible with the docker-engine version we are using, so let's revert for 2017.11:

    20:27 < eschu> It looks like 25 days ago buildroot had runc updated to 1.0.0-rc4, which breaks compatibility with the docker-engine version 17.05. Is there somewhere issues like this are reported? Or is it just expected on non-release versions of buildroot?
    20:47 < Jacmet> eschu: ahh, so the new runc doesn't work with the old docker-engine? what kind of errors do you get exactly?
    20:49 < eschu> Jacmet: yes, runc made a change from -console to --console-socket, which results in "Incorrect Usage" error "flag provided but not defined: -console"
    20:51 < eschu> Jacmet: basically docker-engine 17.05 uses -console, but support for that was cut off in runc around the first 1.0.0 versions. I'll check the patches out, or might just downgrade to buildroot 2017.08 release
    20:51 < agb> Jacmet: unfortunately this issue has hit a number of distributions https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877146
    20:53 < Jacmet> agb: thanks. I'll send a revert for 2017.11 and hopefully we can make progress on the other docker packages for 2018.02

  Cc: Christian Stewart <christian@paral.in>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: bump to v1.0.0-rc4 | Christian Stewart | 2017-10-22 | 2 | -3/+4

  This is a dependency of docker-engine v2017.07.0-ce.

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* Globally replace $(HOST_DIR)/usr/bin with $(HOST_DIR)/bin | Arnout Vandecappelle | 2017-07-05 | 1 | -1/+1

  Since things are no longer installed in $(HOST_DIR)/usr, the callers should also not refer to it.

  This is a mechanical change with

    git grep -l '$(HOST_DIR)/usr/bin' | xargs sed -i 's%$(HOST_DIR)/usr/bin%$(HOST_DIR)/bin%g'

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: bump to version 9c2d8d184e5da67c95d601382adf14862e4f2228 | Fabrice Fontaine | 2017-04-06 | 2 | -2/+2

  This is a runtime dependency of docker-engine in version 17.04.0-ce

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: bump to version 54296cf40ad8143b62dbcaa1d90e520a2136ddfe | Fabrice Fontaine | 2017-04-01 | 2 | -2/+2

  This is a runtime dependency of docker-engine in version 17.03.1-ce

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: bump to version a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 | Fabrice Fontaine | 2017-03-03 | 2 | -2/+2

  This is a runtime dependency of docker-engine in version 17.03.0-ce

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: bump to version 9df8b306d01f59d3a8029be411de015b7304dd8f | Fabrice Fontaine | 2017-02-26 | 2 | -2/+2

  Version bump as a dependency of docker-engine v1.13.1

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: security bump to fix CVE-2016-9962 | Peter Korsgaard | 2017-01-23 | 2 | -2/+2

  RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: pass -extldflags '-static' in correct variable | Fabrice Fontaine | 2016-12-21 | 1 | -1/+1

  commit 9101ce5800 (runc: pass -extldflags '-static' on when BR2_STATIC_LIBS=y) contained a small copy/paste error, FLANNEL_GLDFLAGS was used instead of RUNC_GLDFLAGS.

  [Peter: refer to exact commit]
  Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* runc: bump version to v1.0.0-rc2 | Christian Stewart | 2016-10-19 | 2 | -2/+2

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

* package/runc: bump version to cc29e3 | Christian Stewart | 2016-08-26 | 2 | -2/+2

  Bump runc to cc29e3dded8e27ba8f65738f40d251c885030a28

  This version is required by Docker Engine v1.12.0.

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6ad14a368798619d67d68a3b297333c153230ae1)

* runc: pass -extldflags '-static' on when BR2_STATIC_LIBS=y | Thomas Petazzoni | 2016-07-24 | 1 | -2/+5

  There is no reason to link Go binaries statically, unless when BR2_STATIC_LIBS=y.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  Tested-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* package/runc: use BR_PATH to find pkg-config | Romain Naour | 2016-07-08 | 1 | -1/+2

  When BR2_PACKAGE_LIBSECCOMP is set, go will try to find libseccomp library using pkg-config. But pkg-config is not in the PATH when go is called during the runc build.

  Set the correct PATH in RUNC_MAKE_ENV.

  Fixes:
  http://autobuild.buildroot.net/results/fea/fea069fec671b32bffd3d133898d71d45abab552

  Signed-off-by: Romain Naour <romain.naour@gmail.com>
  Cc: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: add missing dependency on host-pkgconf | Thomas Petazzoni | 2016-07-06 | 1 | -1/+1

  runc uses pkg-config to detect libseccomp, so we need to depend on it.

  Fixes:
  http://autobuild.buildroot.net/results/72f1cf194843b8519a3ebf213cdbf06873809055/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: depends on CGO linking being supported | Vicente Olivert Riera | 2016-07-06 | 1 | -1/+3

  Fixes:
  http://autobuild.buildroot.net/results/35d72aac0b0cc0ac92bf309d1a957d7903b1411a/

  Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

* runc: new package | Christian Stewart | 2016-07-05 | 3 | -0/+61

  runC is a CLI tool for spawning and running containers according to the OCP specification. runC is used by the latest Docker engine versions, however, runc itself is standalone and has no other dependencies.

  https://runc.io/

  Signed-off-by: Christian Stewart <christian@paral.in>
  Reviewed-by: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>