2023-03-30 09:05:13 |
Miroslav Prašil |
bug |
|
|
added bug |
2023-03-31 21:00:20 |
Lena Voytek |
nominated for series |
|
Ubuntu Kinetic |
|
2023-03-31 21:00:20 |
Lena Voytek |
bug task added |
|
runc (Ubuntu Kinetic) |
|
2023-03-31 21:00:20 |
Lena Voytek |
nominated for series |
|
Ubuntu Jammy |
|
2023-03-31 21:00:20 |
Lena Voytek |
bug task added |
|
runc (Ubuntu Jammy) |
|
2023-03-31 21:00:20 |
Lena Voytek |
nominated for series |
|
Ubuntu Lunar |
|
2023-03-31 21:00:20 |
Lena Voytek |
bug task added |
|
runc (Ubuntu Lunar) |
|
2023-04-03 16:30:19 |
Lena Voytek |
runc (Ubuntu Jammy): assignee |
|
Lena Voytek (lvoytek) |
|
2023-04-03 16:30:21 |
Lena Voytek |
runc (Ubuntu Kinetic): assignee |
|
Lena Voytek (lvoytek) |
|
2023-04-03 16:30:23 |
Lena Voytek |
runc (Ubuntu Lunar): assignee |
|
Lena Voytek (lvoytek) |
|
2023-04-03 16:30:25 |
Lena Voytek |
runc (Ubuntu Jammy): status |
New |
In Progress |
|
2023-04-03 16:30:28 |
Lena Voytek |
runc (Ubuntu Kinetic): status |
New |
In Progress |
|
2023-04-03 16:30:29 |
Lena Voytek |
runc (Ubuntu Lunar): status |
New |
In Progress |
|
2023-04-03 16:30:43 |
Lena Voytek |
tags |
|
server-todo |
|
2023-04-03 16:30:53 |
Lena Voytek |
bug |
|
|
added subscriber Ubuntu Server |
2023-04-07 02:56:30 |
Launchpad Janitor |
runc (Ubuntu Lunar): status |
In Progress |
Fix Released |
|
2023-04-12 18:01:46 |
Lena Voytek |
description |
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
Launch an lxd container
Install runc
Run a runc container that accesses /dev/null and check for the error:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
2023-04-17 20:16:20 |
Lena Voytek |
nominated for series |
|
Ubuntu Focal |
|
2023-04-17 20:16:20 |
Lena Voytek |
bug task added |
|
runc (Ubuntu Focal) |
|
2023-04-17 20:16:26 |
Lena Voytek |
runc (Ubuntu Focal): assignee |
|
Lena Voytek (lvoytek) |
|
2023-04-17 20:16:28 |
Lena Voytek |
runc (Ubuntu Focal): status |
New |
In Progress |
|
2023-04-19 16:18:11 |
Lena Voytek |
description |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
Launch an lxd container
Install runc
Run a runc container that accesses /dev/null and check for the error:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/rootfs
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed, add the following to the mounts section of the config.json file to connect the host docker files, and mark readOnly as false for root:
        {
            "destination": "/var/run/docker.sock",
            "type": "bind",
            "source": "/var/run/docker.sock",
            "options": [
                "rbind",
                "rw"
            ]
        },
        {
            "destination": "/var/lib/docker",
            "type": "bind",
            "source": "/var/lib/docker",
            "options": [
                "rbind",
                "rw"
            ]
        },
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN apt install
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
2023-04-19 16:19:03 |
Lena Voytek |
description |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/rootfs
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed, add the following to the mounts section of the config.json file to connect the host docker files, and mark readOnly as false for root:
        {
            "destination": "/var/run/docker.sock",
            "type": "bind",
            "source": "/var/run/docker.sock",
            "options": [
                "rbind",
                "rw"
            ]
        },
        {
            "destination": "/var/lib/docker",
            "type": "bind",
            "source": "/var/lib/docker",
            "options": [
                "rbind",
                "rw"
            ]
        },
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN apt install
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/rootfs
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed, add the following to the mounts section of the config.json file to connect the host docker files, and mark readOnly as false for root:
        {
            "destination": "/var/run/docker.sock",
            "type": "bind",
            "source": "/var/run/docker.sock",
            "options": [
                "rbind",
                "rw"
            ]
        },
        {
            "destination": "/var/lib/docker",
            "type": "bind",
            "source": "/var/lib/docker",
            "options": [
                "rbind",
                "rw"
            ]
        },
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN echo test > /dev/null
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
2023-04-19 16:20:14 |
Lena Voytek |
description |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in lxc. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/rootfs
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed, add the following to the mounts section of the config.json file to connect the host docker files, and mark readOnly as false for root:
        {
            "destination": "/var/run/docker.sock",
            "type": "bind",
            "source": "/var/run/docker.sock",
            "options": [
                "rbind",
                "rw"
            ]
        },
        {
            "destination": "/var/lib/docker",
            "type": "bind",
            "source": "/var/lib/docker",
            "options": [
                "rbind",
                "rw"
            ]
        },
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN echo test > /dev/null
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
[Impact]
Some /dev/ files such as /dev/null currently cannot be used in nested containers, such as docker in a custom runc container. This is due to the files not being added to the deviceAllowList.
This fix will be included as part of the eventual backport of runc 1.1.5 in supported Ubuntu versions. However, it would be helpful to have it sooner for the benefit of users running nested containers.
The issue is fixed by adding a patch containing the upstream commit https://github.com/opencontainers/runc/commit/462e719cae227a990ed793241062a8d2d6145332, which checks /sys/dev for additional /dev files to include.
[Test Plan]
# lxc launch ubuntu:22.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# apt update && apt dist-upgrade -y
# apt install docker.io runc -y
# docker pull "ubuntu:22.04"
# mkdir -p test-container/rootfs
# cd test-container
# runc spec
> Create a basic Linux runc container that has systemd, sh, and docker installed, add the following to the mounts section of the config.json file to connect the host docker files, and mark readOnly as false for root:
        {
            "destination": "/var/run/docker.sock",
            "type": "bind",
            "source": "/var/run/docker.sock",
            "options": [
                "rbind",
                "rw"
            ]
        },
        {
            "destination": "/var/lib/docker",
            "type": "bind",
            "source": "/var/lib/docker",
            "options": [
                "rbind",
                "rw"
            ]
        },
# runc run test-container
/ # cat <<EOF > Dockerfile
FROM ubuntu:22.04
RUN echo test > /dev/null
EOF
/ # docker build -t test .
Before the fix this will result in:
error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.
This error will no longer happen with the fix in place, and the build will succeed.
[Where problems could occur]
If problems were to occur, they would likely show up in the interaction with the files provided by the /sys directory. If additional files are found, containers could have unintended access to them when they did not before.
[Original Description]
When running nested containers, some devices might not be populated inside the host container. This leads to runc not setting proper `DeviceAllow` options for the container scope, which leads to an inability to use some devices inside the container (like /dev/null).
In my specific scenario this led to issues running docker containers on top of a system running as an LXC container:
https://github.com/opencontainers/runc/discussions/3795
Some more details and the fix in runc can be seen here:
https://github.com/opencontainers/runc/pull/3620
This was fixed in runc 1.1.5, which was released yesterday.
My specific system observing this issue is:
# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Although I believe any system using the runc 1.1.4 package is affected. My runc version:
# apt-cache policy runc
runc:
  Installed: 1.1.4-0ubuntu1~22.04.1
  Candidate: 1.1.4-0ubuntu1~22.04.1
  Version table:
 *** 1.1.4-0ubuntu1~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages |
|
2023-04-21 20:24:35 |
Steve Langasek |
runc (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2023-04-21 20:24:36 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-04-21 20:24:45 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2023-04-21 20:24:53 |
Steve Langasek |
tags |
server-todo |
server-todo verification-needed verification-needed-kinetic |
|
2023-04-21 20:26:00 |
Steve Langasek |
runc (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-04-21 20:26:05 |
Steve Langasek |
tags |
server-todo verification-needed verification-needed-kinetic |
server-todo verification-needed verification-needed-jammy verification-needed-kinetic |
|
2023-04-21 20:26:38 |
Steve Langasek |
runc (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2023-04-21 20:26:42 |
Steve Langasek |
tags |
server-todo verification-needed verification-needed-jammy verification-needed-kinetic |
server-todo verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
|
2023-04-21 22:26:32 |
Lena Voytek |
tags |
server-todo verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
server-todo verification-done verification-done-focal verification-done-jammy verification-done-kinetic |
|
2023-05-10 13:00:57 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-05-10 13:00:56 |
Launchpad Janitor |
runc (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-05-10 13:01:03 |
Launchpad Janitor |
runc (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-05-10 13:01:06 |
Launchpad Janitor |
runc (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|