docker/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
Aleksa Sarai 060769c15c Accepting request 630750 from home:cyphar:containers:docker_18.06_security_bugfix
- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce
  upgrade. This is a potential security issue (the CRI plugin was enabled by
  default, which listens on a TCP port bound to 0.0.0.0) that will be fixed
  upstream in the 18.06.1-ce upgrade. bsc#1102522
  + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch

OBS-URL: https://build.opensuse.org/request/show/630750
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=261
2018-08-21 11:26:57 +00:00

From 7ed2f5078916c4addd321d12bce49f40bf32680e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 21 Aug 2018 19:42:53 +1000
Subject: [PATCH] 18.06: disable containerd CRI plugin
Docker 18.06 does not have a configuration option to disable the CRI
plugin, and this plugin is not very useful if containerd is not running
standalone.
This patch disables the plugin if containerd is running as child-process
of dockerd.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/libcontainerd/remote_daemon_linux.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/components/engine/libcontainerd/remote_daemon_linux.go b/components/engine/libcontainerd/remote_daemon_linux.go
index dc59eb8c14f0..34b04e299acd 100644
--- a/components/engine/libcontainerd/remote_daemon_linux.go
+++ b/components/engine/libcontainerd/remote_daemon_linux.go
@@ -37,6 +37,10 @@ func (r *remote) setDefaults() {
if r.snapshotter == "" {
r.snapshotter = "overlay"
}
+ // Disable CRI plugin by default if containerd is managed as child-process
+ // of dockerd. See https://github.com/moby/moby/issues/37507
+ r.DisabledPlugins = append(r.DisabledPlugins, "cri")
+ delete(r.pluginConfs.Plugins, "cri")
}
func (r *remote) stopDaemon() {
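Review bot: The new comment in setDefaults() says the CRI plugin is disabled "by default", but the two added statements are unconditional, so nothing here lets an operator opt back in and any "cri" entry already present in r.pluginConfs.Plugins is dropped without a log line. Since the commit message states that 18.06 has no option to disable the plugin, I would reword the comment to say the plugin is always disabled when containerd runs as a child of dockerd, and consider logging when an existing "cri" config is discarded. Also, `r.DisabledPlugins = append(r.DisabledPlugins, "cri")` does not check whether "cri" is already in the slice, so if setDefaults() can run more than once on the same remote the entry will be duplicated; a small membership check before the append would keep the list clean.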
--
2.18.0