drop runc-dmz solution according to overlay solution #4482
One minor nit.
`runc` normally has to make a binary copy of itself when constructing a | ||
container process in order to defend against certain container runtime attacks | ||
such as CVE-2019-5736. |
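Review bot: this documentation paragraph still presents the binary self-copy as runc's normal defence against CVE-2019-5736, but this PR removes the runc-dmz binary in favour of the overlay approach, so the sentence should be updated to say how the new overlay mode provides that protection (or link to where it is documented); otherwise the docs describe behaviour that no longer matches the code, which the author also acknowledges in the reply below.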
Ah, I forgot to document how the new overlay mode works in #4448. I'll open a separate PR for that.
This is more of a discussion, so with the overlay change I guess memfd-bind is no longer needed? 🤔
This is being discussed in #4450 (comment). Short answer: it has fewer upsides now and there is a fairly strong case for removing it.
fad48fe to 330755c
The following build tags were used earlier, but are now obsoleted: | ||
- **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped) |
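Review bot: the release note here hard-codes "since runc v1.2.1", while the thread below is still deciding whether this lands in v1.2.1 or v1.3.0; pin the version to whichever release actually ships the change before merging. Minor wording: "are now obsoleted" reads better as "are now obsolete", and "runc dmz binary is dropped" as "the runc-dmz binary was dropped".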
(Considering the amount of changes I was wondering if this is going to be v1.3.0, but it is probably safe to cherry-pick to v1.2.1, as dmz was experimental and opt-in)
Probably https://github.com/opencontainers/runc/blob/main/docs/experimental.md should be updated to reflect the history
I think it makes sense to drop runc-dmz now since no one is using runc_dmz (yet). Adding a backport label.
Because we have the overlay solution, we can drop the runc-dmz binary solution since it has too many limitations.

Signed-off-by: lifubang <[email protected]>

330755c to 871057d
Because we have the overlay solution, we can drop the runc-dmz binary solution since it has too many limitations.
The original post is here: #4450 (comment)
Because there are many commits about the runc-dmz binary solution, doing a git revert is very hard, so let's drop this code line by line.