-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
drop runc-dmz solution according to overlay solution #4482
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,7 +7,6 @@ | |
run: | ||
build-tags: | ||
- seccomp | ||
- runc_nodmz | ||
|
||
linters: | ||
disable-all: true | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,7 +3,6 @@ | |
run: | ||
build-tags: | ||
- seccomp | ||
- runc_nodmz | ||
|
||
linters: | ||
enable: | ||
|
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,8 @@ | ||
## memfd-bind ## | ||
|
||
`runc` normally has to make a binary copy of itself (or of a smaller helper | ||
binary called `runc-dmz`) when constructing a container process in order to | ||
defend against certain container runtime attacks such as CVE-2019-5736. | ||
`runc` normally has to make a binary copy of itself when constructing a | ||
container process in order to defend against certain container runtime attacks | ||
such as CVE-2019-5736. | ||
Comment on lines
+3
to
+5
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, I forgot to document how the new overlay mode works in #4448. I'll open a separate PR for that. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is more of a discussion, so with the overlay change i guess memfd-bind is no longer needed? 🤔 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is being discussed in #4450 (comment). Short answer: it has fewer upsides now and there is a fairly strong case for removing it. |
||
|
||
This cloned binary only exists until the container process starts (this means | ||
for `runc run` and `runc exec`, it only exists for a few hundred milliseconds | ||
|
@@ -34,15 +34,6 @@ much memory usage they can use: | |
* `memfd-bind` only creates a single in-memory copy of the `runc` binary (about | ||
10MB), regardless of how many containers are running. | ||
|
||
* `runc-dmz` is (depending on which libc it was compiled with) between 10kB and | ||
1MB in size, and a copy is created once per process spawned inside a | ||
container by runc (both the pid1 and every `runc exec`). The `RUNC_DMZ=true` | ||
environment variable needs to be set to opt-in. There are circumstances where | ||
using `runc-dmz` will fail in ways that runc cannot predict ahead of time (such | ||
as restrictive LSMs applied to containers). `runc-dmz` also requires an | ||
additional `execve` over the other options, though since the binary is so small | ||
the cost is probably not even noticeable. | ||
|
||
* The classic method of making a copy of the entire `runc` binary during | ||
container process setup takes up about 10MB per process spawned inside the | ||
container by runc (both pid1 and `runc exec`). | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Considering the amount of the changes I was wondering if this is going to be v1.3.0, but probably safe to cherrypick to v1.2.1, as dmz was experimental and opt-in)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably https://github.com/opencontainers/runc/blob/main/docs/experimental.md should be updated to reflect the history
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes sense to drop runc-dmz now since no one is using runc_dmz (yet). Adding a backport label.