This includes a patch on top of containerd 1.2.1 to handle fifo
timeouts.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit e5d9d721626958a37dccfa0b234d9fc96d8c2bfb)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Upstream-commit: d161dfe1a36929a03ee3dfa916d296abfd4ccef1
Component: engine
go1.10.6 (released 2018/12/14)
- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230
See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 8afe9f422dc0183ce48e1db09189ccbde634080a
Component: engine
[18.09 backport] fixes display text in Multiple IDs found with provided prefix
Upstream-commit: a8572d3e8e1e3f738d6e9bc3bf0f137d64bab616
Component: engine
This avoids the corner case where `via` is not nil, but has a length of 0,
so the updated code does not panic in that situation.
Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
(cherry picked from commit a5c185b99404ea3fbab47ff9d7ba143392566bc1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 3482a3b14a6414977bd9860c513abf06dedd6bf7
Component: engine
This updates the swarmkit vendoring to the latest version in the bump_v18.09
branch
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ad7105260f3c2ff32a375ff78dce9a96e01d87cb
Component: engine
go1.10.5 (released 2018/11/02) includes fixes to the go command, linker,
runtime and the database/sql package. See the milestone on the issue
tracker for details:
List of changes; https://github.com/golang/go/issues?q=milestone%3AGo1.10.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 00ad8e7c5730f3c50ae2e548b47d1340202f72b2
Component: engine
@sw-pschmied originally post this in #38285
While looking through the Moby source code was found /proc/asound to be
shared with containers as read-only (as defined in
https://github.com/moby/moby/blob/master/oci/defaults.go#L128).
This can lead to two information leaks.
---
**Leak of media playback status of the host**
Steps to reproduce the issue:
- Listen to music/Play a YouTube video/Do anything else that involves
sound output
- Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
/proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 |
grep RUNNING || echo 'not running'"
- See that the containerized process is able to check whether someone
on the host is playing music as it prints RUNNING
- Stop the music output
- Execute the command again (The sleep is delaying the output because
information regarding playback status isn't propagated instantly)
- See that it outputs not running
**Describe the results you received:**
A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.
The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.
Signed-off-by: Jonathan A. Schweder <jonathanschweder@gmail.com>
(cherry picked from commit 64e52ff3dbdb31adc0a9930b3ea74b04b0df8d86)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 5fffdb32261145b1178f571e25fbd71572769d58
Component: engine
Signed-off-by: John Howard <jhoward@microsoft.com>
(cherry picked from commit 14c8b67e51a8340284dfd8919843ce9edd1e5c71)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9c93de59da8eaa0e0e0377578a33b465b9465bb2
Component: engine
This is to keep the UX consistent. `unused-for` is still accepted and a synonym.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 369da264bac15769ae944cc880e66abaf158612b)
Upstream-commit: 0b2d88d328ca88c8732dc11c72873b53be3bd2f8
Component: engine
