From 060769c15c9b8830ee571b02a22932493852b19364e648400240c8dfe4cb5480 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Tue, 21 Aug 2018 11:26:57 +0000
Subject: [PATCH] Accepting request 630750 from home:cyphar:containers:docker_18.06_security_bugfix
- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce upgrade. This is a potential security issue (the CRI plugin was enabled by default, which listens on a TCP port bound to 0.0.0.0) that will be fixed upstream in the 18.06.1-ce upgrade. bsc#1102522
+ bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
OBS-URL: https://build.opensuse.org/request/show/630750
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=261
---
 ...-18.06-disable-containerd-CRI-plugin.patch | 36 +++++++++++++++++++
 docker.changes | 9 +++++
 docker.spec | 4 +++
 3 files changed, 49 insertions(+)
 create mode 100644 bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
diff --git a/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
new file mode 100644
index 0000000..eb29911
--- /dev/null
+++ b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
@@ -0,0 +1,36 @@
+From 7ed2f5078916c4addd321d12bce49f40bf32680e Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Tue, 21 Aug 2018 19:42:53 +1000
+Subject: [PATCH] 18.06: disable containerd CRI plugin
+
+Docker 18.06 does not have a configuration option to disable the CRI
+plugin, and this plugin is not very useful if containerd is not running
+standalone.
+
+This patch disables the plugin if containerd is running as child-process
+of dockerd.
+
+Signed-off-by: Sebastiaan van Stijn
+Signed-off-by: Aleksa Sarai
+---
+ components/engine/libcontainerd/remote_daemon_linux.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/components/engine/libcontainerd/remote_daemon_linux.go b/components/engine/libcontainerd/remote_daemon_linux.go
+index dc59eb8c14f0..34b04e299acd 100644
+--- a/components/engine/libcontainerd/remote_daemon_linux.go
++++ b/components/engine/libcontainerd/remote_daemon_linux.go
+@@ -37,6 +37,10 @@ func (r *remote) setDefaults() {
+ if r.snapshotter == "" {
+ r.snapshotter = "overlay"
+ }
++ // Disable CRI plugin by default if containerd is managed as child-process
++ // of dockerd. See https://github.com/moby/moby/issues/37507
++ r.DisabledPlugins = append(r.DisabledPlugins, "cri")
++ delete(r.pluginConfs.Plugins, "cri")
+ }
+
+ func (r *remote) stopDaemon() {
+--
+2.18.0
+
diff --git a/docker.changes b/docker.changes
index db8d4ea..c94cdf0 100644
--- a/docker.changes
+++ b/docker.changes
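Review bot: Nothing in the four added lines of setDefaults() enforces the "if containerd is managed as child-process of dockerd" condition the new comment states — the `append` and the `delete` run unconditionally, so the scoping must come from setDefaults() only being reached on the managed-containerd path, and setDefaults() begins above this hunk where that cannot be checked. It is worth confirming at the call site, and worth saying in the comment, that a dockerd pointed at an externally managed containerd appears not to be covered by this patch (the nested description itself limits it to the child-process case) and would still need `disabled_plugins = ["cri"]` in that containerd's own config to close the 0.0.0.0 listener described in bsc#1102522. The `delete(r.pluginConfs.Plugins, "cri")` line also silently discards any user-supplied `cri` plugin section, which is the right default here but should be stated so nobody later reads "by default" as overridable; a one-line addition would do: `// Unconditional: "cri" is always added to DisabledPlugins and any user-supplied cri plugin config is dropped.` Finally, if the caller can already have placed "cri" in r.DisabledPlugins, the unguarded append duplicates the entry — harmless for containerd assuming the slice is emitted as its disabled_plugins list, but a presence check before the append would keep the generated config clean.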
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com
+
+- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce
+ upgrade. This is a potential security issue (the CRI plugin was enabled by
+ default, which listens on a TCP port bound to 0.0.0.0) that will be fixed
+ upstream in the 18.06.1-ce upgrade. bsc#1102522
+ + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
+
 -------------------------------------------------------------------
 Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com
diff --git a/docker.spec b/docker.spec
index a0fb187..95ec63f 100644
--- a/docker.spec
+++ b/docker.spec
@@ -82,6 +82,8 @@ Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-
 Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
 Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
+# SUSE-BACKPORT: Backport of https://github.com/docker/engine/pull/29. bsc#1102522
+Patch403: bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
 # (https://github.com/moby/moby/pull/34319)
 Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
@@ -261,6 +263,8 @@ docker container runtime configuration for kubeadm
 %patch401 -p1
 # bsc#1100727
 %patch402 -p1
+# bsc#1102522
+%patch403 -p1
 %if "%flavour" == "kubic"
 # PATCH-SUSE: Mirror patch.
 %patch500 -p1