Please upgrade docker.io to latest 1.12.6

Bug #1655906 reported by Jon Grimm on 2017-01-12
This bug affects 1 person
Affects                    Importance   Assigned to
containerd (Ubuntu)        Undecided    Michael Hudson-Doyle
  Nominated for Trusty by Jon Grimm
  Xenial                   Undecided    Unassigned
  Yakkety                  Undecided    Unassigned
docker.io (Ubuntu)         High         Stéphane Graber
  Nominated for Trusty by Jon Grimm
  Xenial                   Undecided    Unassigned
  Yakkety                  Undecided    Unassigned
runc (Ubuntu)              Undecided    Michael Hudson-Doyle
  Nominated for Trusty by Jon Grimm
  Xenial                   Undecided    Unassigned
  Yakkety                  Undecided    Unassigned

Bug Description

[Impact]
A number of critical and performance bug fixes since 1.12.4. Please upgrade and SRU in newer docker (1.12.6).

[Test Case]
See https://wiki.ubuntu.com/DockerUpdates

[Regression potential]
See above. I will test by hand that s390x actually works this time though.

Jon Grimm (jgrimm) on 2017-01-12
Changed in docker.io (Ubuntu):
status: New → Triaged
importance: Undecided → High
Michael Hudson-Doyle (mwhudson) wrote :

Tianon is working on this I understand. Assign to me (or just poke on IRC) when ready for upload?

Changed in docker.io (Ubuntu):
assignee: nobody → Tianon Gravi (tianon)
status: Triaged → In Progress
Tianon Gravi (tianon) on 2017-01-12
Changed in runc (Ubuntu):
assignee: nobody → Tianon Gravi (tianon)
status: New → In Progress
Tianon Gravi (tianon) on 2017-01-12
Changed in docker.io (Ubuntu):
assignee: Tianon Gravi (tianon) → nobody
assignee: nobody → Tianon Gravi (tianon)
Changed in docker.io (Ubuntu):
assignee: Tianon Gravi (tianon) → Michael Hudson-Doyle (mwhudson)
Changed in runc (Ubuntu):
assignee: Tianon Gravi (tianon) → Michael Hudson-Doyle (mwhudson)
Tianon Gravi (tianon) wrote :

Looks like LP doesn't want me to assign mwhudson. :) (only myself or one of my teams)

So, uh, these are all pushed in Git, ready for review/sponsorship (I've pushed builds to the PPA and tested in zesty successfully).

Changed in containerd (Ubuntu):
status: New → In Progress
assignee: nobody → Tianon Gravi (tianon)
Michael Hudson-Doyle (mwhudson) wrote :

And all uploaded and building now.

Changed in containerd (Ubuntu):
assignee: Tianon Gravi (tianon) → Michael Hudson-Doyle (mwhudson)
Michael Hudson-Doyle (mwhudson) wrote :

It looks like upstream broke docker in containers again, the autopkgtests fail with:

container_linux.go:247: starting container process caused "process_linux.go:252: getting pipe fds for pid 3779 caused \"readlink /proc/3779/fd/0: permission denied\""

Michael Hudson-Doyle (mwhudson) wrote :

This turns out to be caused by the fix for CVE-2016-9962, if that patch is reverted the test passes.

Changed in docker.io (Ubuntu):
assignee: Michael Hudson-Doyle (mwhudson) → Stéphane Graber (stgraber)
Christian Brauner (cbrauner) wrote :

Oh, that seems to be the fix for the CVE I made Aleksa Sarai aware of that Roman Fiedler discovered (http://www.openwall.com/lists/oss-security/2016/11/23/6, https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1639345). I didn't know that it was filed.

Anyway, I'll take a look.

Christian Brauner (cbrauner) wrote :

Right, afaict this is caused by https://github.com/opencontainers/runc/commit/5d93fed3d27f1e2bab58bad13b180a7a81d0b378 . Marking the process as undumpable requires that the caller has CAP_SYS_PTRACE in the target process user namespace. If not, then any file-opening operations on /proc/<pid>/<file> (e.g. readlink()) will be denied. This is exactly what getPipeFds() is trying to do. This leads to the error you see above. There's another PR floating around that will complicate things even when CAP_SYS_PTRACE is available (https://github.com/opencontainers/runc/pull/1274). But I need to take a closer look.

Christian Brauner (cbrauner) wrote :

Well, the thing is that with the CVE patch applied, all kinds of things won't work running Docker in an unprivileged container. So even if we worked around the getPipeFds() issue, we'd still fail e.g. at setting oom-score adjust because it also tries to access files under /proc/<pid>. I think we will have to discuss an alternate approach with upstream. Until such time, a workaround is to set

lxc config set <container_name> security.privileged true

Would that be acceptable?

Stéphane Graber (stgraber) wrote :

Nope, our story is specifically about running Docker inside unprivileged containers.

Anyway, based on IRC discussion it looks like we have a way forward with this.

Christian Brauner (cbrauner) wrote :

There is an upstream kernel fix for this:

https://lists.linuxfoundation.org/pipermail/containers/2017-January/037759.html

Until this is merged and then backported, I appended a workaround whereby runC's init process will only set itself undumpable when it is not running in a user namespace.
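The mechanism described two comments up (an undumpable target process, the CAP_SYS_PTRACE requirement in the target's user namespace, and the resulting "permission denied" on /proc/<pid>/fd/*) together with the condition the workaround keys on (only go undumpable when not inside a user namespace), as an added example. This is not code from the bug thread, from runc, or from the attached patch; it assumes a Linux host with /proc mounted, and every function name in it is the example's own. Run as an ordinary user, the undumpable probe fails with EACCES; run with CAP_SYS_PTRACE (for instance as root on the host), it succeeds. That is the kernel check that failed for runc's init inside an unprivileged LXD container.

```c
/* Added example (not from the bug thread, runc or LXD). Linux only.
 * A child marks itself undumpable the way the CVE-2016-9962 fix made runc's
 * init do; the parent then tries readlink("/proc/<child>/fd/0"), which the
 * kernel only permits when the caller passes ptrace_may_access(), i.e. holds
 * CAP_SYS_PTRACE in the target's user namespace once dumpable is 0. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static char last_target[PATH_MAX];

/* Target of the most recent successful readlink() in probe_fd_link(). */
const char *last_link_target(void) { return last_target; }

/* Fork a child whose fd 0 is /dev/null and which optionally marks itself
 * undumpable, then readlink("/proc/<child>/fd/0") from the parent.
 * Returns 0 on success or the errno readlink() failed with. */
int probe_fd_link(int undumpable)
{
    int ready[2];
    if (pipe(ready) != 0) return errno;

    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        close(ready[0]);
        int nul = open("/dev/null", O_RDONLY);
        if (nul < 0 || dup2(nul, 0) < 0) _exit(111);
        /* The step the CVE fix added: /proc/<pid> now belongs to root and
         * every reader must pass the ptrace access check. */
        if (undumpable && prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) _exit(112);
        char c = 'r';
        if (write(ready[1], &c, 1) != 1) _exit(113);
        close(ready[1]);
        pause();                       /* parked until the parent kills us */
        _exit(0);
    }

    close(ready[1]);
    char c;
    int rc = ECHILD;
    if (read(ready[0], &c, 1) == 1) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/fd/0", (int)pid);
        ssize_t n = readlink(path, last_target, sizeof last_target - 1);
        if (n < 0) {
            rc = errno;                /* EACCES when the ptrace check fails */
            last_target[0] = '\0';
        } else {
            last_target[n] = '\0';
            rc = 0;
        }
    }
    close(ready[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Does the caller hold CAP_SYS_PTRACE (capability bit 19) in its effective
 * set? Parsed from /proc/self/status so the example needs no libcap. */
int have_cap_sys_ptrace(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    unsigned long long caps = 0;
    char line[256];
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            caps = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(f);
    return (int)((caps >> 19) & 1ULL);
}

/* What probe_fd_link(1) should return for this caller: success only with
 * CAP_SYS_PTRACE, otherwise EACCES. */
int expected_undumpable_result(void)
{
    return have_cap_sys_ptrace() ? 0 : EACCES;
}

/* Is this process in a user namespace other than the initial one? The
 * initial namespace's /proc/self/ns/user inode is the fixed kernel constant
 * PROC_USER_INIT_INO (0xEFFFFFFD). 1 = child namespace, 0 = initial,
 * -1 = /proc unusable. A guard like this lets an init skip PR_SET_DUMPABLE
 * when it would only lock itself out of its own /proc entries. */
int in_child_user_namespace(void)
{
    struct stat st;
    if (stat("/proc/self/ns/user", &st) != 0) return -1;
    return st.st_ino != 0xEFFFFFFDUL ? 1 : 0;
}

int main(void)
{
    int dumpable = probe_fd_link(0);
    printf("dumpable child:   rc=%d target=%s\n", dumpable, last_link_target());
    int undumpable = probe_fd_link(1);
    printf("undumpable child: rc=%d (%s)\n", undumpable,
           undumpable ? strerror(undumpable) : "ok");
    printf("CAP_SYS_PTRACE=%d in_child_user_ns=%d\n",
           have_cap_sys_ptrace(), in_child_user_namespace());
    return 0;
}
```

Compile with `cc -o dumpable_probe dumpable_probe.c` and run it once as a normal user and once under `sudo`; only the second run reads the undumpable child's fd link. The namespace check compares against the initial-namespace inode rather than parsing /proc/self/uid_map, because a child namespace created by root can carry an identity map that looks exactly like the host's.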

The attachment "0001-nsexec-make-runC-Docker-work-in-unpriv-LXD.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2-0ubuntu2

---------------
runc (1.0.0~rc2-0ubuntu2) zesty; urgency=medium

  * Add d/patches/0001-nsexec-make-runC-Docker-work-in-unpriv-LXD.patch to fix
    execution in unprivileged containers.

 -- Michael Hudson-Doyle <email address hidden> Thu, 26 Jan 2017 09:03:23 +1300

Changed in runc (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 0.2.5-0ubuntu1

---------------
containerd (0.2.5-0ubuntu1) zesty; urgency=medium

  * Update to 0.2.5 upstream release (LP: #1655906)

 -- Tianon Gravi <email address hidden> Fri, 13 Jan 2017 12:08:00 +1300

Changed in containerd (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.6-0ubuntu1

---------------
docker.io (1.12.6-0ubuntu1) zesty; urgency=medium

  * Update to 1.12.6 upstream release (LP: #1655906)
    - add a few new privileged tests to "skip-privileged-unit-tests.patch"
  * Adjust runc Depends to ensure fix for CVE-2016-9962 is included

 -- Tianon Gravi <email address hidden> Fri, 13 Jan 2017 11:57:24 +1300

Changed in docker.io (Ubuntu):
status: In Progress → Fix Released
description: updated
description: updated

Hello Jon, or anyone else affected,

Accepted docker.io into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/1.12.6-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in docker.io (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Chris Halse Rogers (raof) wrote :

Hello Jon, or anyone else affected,

Accepted docker.io into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/1.12.6-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.


Changed in docker.io (Ubuntu Yakkety):
status: New → Fix Committed
Changed in runc (Ubuntu Xenial):
status: New → Fix Committed
Chris Halse Rogers (raof) wrote :

Hello Jon, or anyone else affected,

Accepted runc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2-0ubuntu2~16.04.1 in a few hours, and then in the -proposed repository.


Chris Halse Rogers (raof) wrote :

Hello Jon, or anyone else affected,

Accepted runc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2-0ubuntu2~16.10.1 in a few hours, and then in the -proposed repository.


Changed in runc (Ubuntu Yakkety):
status: New → Fix Committed
Chris Halse Rogers (raof) wrote :

Hello Jon, or anyone else affected,

Accepted containerd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/0.2.5-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.


Changed in containerd (Ubuntu Xenial):
status: New → Fix Committed
Chris Halse Rogers (raof) wrote :

Hello Jon, or anyone else affected,

Accepted containerd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/0.2.5-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.


Changed in containerd (Ubuntu Yakkety):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

I checked with Michael, and the manual verification of docker.io on s390x has been completed. Marking this verification-done and releasing.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.6-0ubuntu1~16.04.1

---------------
docker.io (1.12.6-0ubuntu1~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1655906)
  * d/control: Remove version from Build-Depends on dh-golang, only
    required in Debian.
  * Install the service file with .install again, fixing service activation
    on install.

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 12:01:03 +1300

Changed in docker.io (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for docker.io has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2-0ubuntu2~16.04.1

---------------
runc (1.0.0~rc2-0ubuntu2~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1655906)

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 11:57:49 +1300

Changed in runc (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.12.6-0ubuntu1~16.10.1

---------------
docker.io (1.12.6-0ubuntu1~16.10.1) yakkety; urgency=medium

  * Backport to Yakkety. (LP: #1655906)

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 12:02:23 +1300

Changed in docker.io (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2-0ubuntu2~16.10.1

---------------
runc (1.0.0~rc2-0ubuntu2~16.10.1) yakkety; urgency=medium

  * Backport to Yakkety. (LP: #1655906)

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 12:02:46 +1300

Changed in runc (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 0.2.5-0ubuntu1~16.10.1

---------------
containerd (0.2.5-0ubuntu1~16.10.1) yakkety; urgency=medium

  * Backport to Yakkety. (LP: #1655906)

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 12:00:15 +1300

Changed in containerd (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 0.2.5-0ubuntu1~16.04.1

---------------
containerd (0.2.5-0ubuntu1~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1655906)

 -- Michael Hudson-Doyle <email address hidden> Mon, 30 Jan 2017 11:59:52 +1300

Changed in containerd (Ubuntu Xenial):
status: Fix Committed → Fix Released