Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.10] Revert "seccomp: block socket calls to AF_VSOCK in default profile" #44712

Merged
merged 1 commit into from Dec 29, 2022
Merged

[20.10] Revert "seccomp: block socket calls to AF_VSOCK in default profile" #44712

merged 1 commit into from Dec 29, 2022

Conversation

neersighted
Copy link
Member

@neersighted neersighted commented Dec 29, 2022
edited

As discussed in last week's maintainer call. Closes #44670.

This reverts commit 57b2290.

This change, while favorable from a security standpoint, caused a
regression for users of the 20.10 branch of Moby. As such, we are
reverting it to ensure stability and compatibility for the affected
users.

However, users of AF_VSOCK in containers should recognize that this
(special) address family is not currently namespaced in any version of
the Linux kernel, and may result in unexpected behavior, like VMs
communicating directly with host hypervisors.

Future branches, including the 23.0 branch, will continue to filter
AF_VSOCK. Users who need to allow containers to communicate over the
unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a
custom seccomp profile.

It is our hope that future mechanisms will make this more
ergonomic/maintainable for end users, and that future kernels will
support namespacing of AF_VSOCK.

@thaJeztah thaJeztah added this to the 20.10.23 milestone Dec 29, 2022
@thaJeztah
Copy link
Member

Still no idea why we sometimes run into this; for some reason it tries to use device mapper in a test in a situation where it's not supported?

 === FAIL: daemon/graphdriver/devmapper TestDevmapperIncreaseLoopBackSize (0.20s)
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=error msg="Udev sync is not supported. This will lead to data loss and unexpected behavior. Install a more recent version of libdevmapper or select a different storage driver. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/#storage-driver-options" storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=warning msg="Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man dockerd` to refer to dm.thinpooldev section." storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=info msg="Creating filesystem xfs on device docker-0:66-14779-base, mkfs args: [/dev/mapper/docker-0:66-14779-base]" storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=info msg="Successfully created filesystem xfs on device docker-0:66-14779-base" storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=warning msg="unmountAndDeactivate: open /tmp/docker-graphtest-83922602/devicemapper/mnt: no such file or directory" storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=error msg="Udev sync is not supported. This will lead to data loss and unexpected behavior. Install a more recent version of libdevmapper or select a different storage driver. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/#storage-driver-options" storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=error msg="Error get loopback backing file: no such device or address"
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=error msg="Error get loopback backing file: no such device or address"
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=warning msg="Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man dockerd` to refer to dm.thinpooldev section." storage-driver=devicemapper
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=warning msg="Base device already exists and has filesystem xfs on it. User specified filesystem  will be ignored." storage-driver=devicemapper
[2022-12-29T16:11:22.430Z]     devmapper_test.go:124: data or metadata loop back size is incorrect
[2022-12-29T16:11:22.430Z] time="2022-12-29T16:10:19Z" level=warning msg="unmountAndDeactivate: open /tmp/docker-graphtest-83922602/devicemapper/mnt: no such file or directory" storage-driver=devicemapper

thaJeztah
thaJeztah approved these changes Dec 29, 2022
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@neersighted
Revert "seccomp: block socket calls to AF_VSOCK in default profile"
dcf27af 
This reverts commit 57b2290.

This change, while favorable from a security standpoint, caused a
regression for users of the 20.10 branch of Moby. As such, we are
reverting it to ensure stability and compatibility for the affected
users.

However, users of AF_VSOCK in containers should recognize that this
(special) address family is not currently namespaced in any version of
the Linux kernel, and may result in unexpected behavior, like VMs
communicating directly with host hypervisors.

Future branches, including the 23.0 branch, will continue to filter
AF_VSOCK. Users who need to allow containers to communicate over the
unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a
custom seccomp profile.

It is our hope that future mechanisms will make this more
ergonomic/maintainable for end users, and that future kernels will
support namespacing of AF_VSOCK.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
@neersighted
Copy link
Member Author

Pushed a version that drops a bad whitespace change that failed validation.

@thaJeztah
Copy link
Member

Failure on Windows is unrelated, and a known flaky test (#38521)

=== FAIL: github.com/docker/docker/integration-cli TestDockerSuite/TestStartReturnCorrectExitCode (9.82s)
    docker_cli_start_test.go:209: assertion failed: expected an error, got nil
    --- FAIL: TestDockerSuite/TestStartReturnCorrectExitCode (9.82s)

@thaJeztah thaJeztah merged commit ae6a931 into moby:20.10 Dec 29, 2022
@neersighted neersighted deleted the 20.10_revert_vsock_filter branch December 29, 2022 22:20
thomlinton added a commit to PSU-OIT-ARC/oregoninvasiveshotline that referenced this pull request Nov 1, 2023
@thomlinton
Disables uWSGI python auto reload.
604aaa5 
Refs: PSU-OIT-ARC/oregon-registry-online@5b7a642

It appears that there are strange interactions when running uWSGI with
the python-auto-reload option on Docker Engine 23.

When code changes are detected and the worker(s) are reloaded, traffic
between the proxy and application container appears to hang and the
processes representing the application containers continue to consume
100% of CPU resources.

Superficially, it appears this issue is related to seccomp changes
released in Docker Engine 23 and backported to Docker Engine 20 (though
subsequenctly reverted).

Refs: https://stackoverflow.com/questions/75511524/nginxuwsgi-stops-responding-after-auto-reload
Refs: https://docs.docker.com/engine/release-notes/23.0/
Refs: moby/moby#44563
Refs: moby/moby#44712
thomlinton added a commit to PSU-OIT-ARC/aol-backend that referenced this pull request Jan 25, 2024
@thomlinton
Uses gunicorn WSGI server for development environment.
0b3ecc9 
It appears that there are strange interactions when running uWSGI with
the python-auto-reload option on Docker Engine 23.

When code changes are detected and the worker(s) are reloaded, traffic
between the proxy and application container appears to hang and the
processes representing the application containers continue to consume
100% of CPU resources.

Superficially, it appears this issue is related to seccomp changes
released in Docker Engine 23 and backported to Docker Engine 20 (though
subsequenctly reverted).

Refs: https://stackoverflow.com/questions/75511524/nginxuwsgi-stops-responding-after-auto-reload
Refs: https://docs.docker.com/engine/release-notes/23.0/
Refs: moby/moby#44563
Refs: moby/moby#44712
thomlinton added a commit to PSU-OIT-ARC/oregoninvasiveshotline that referenced this pull request Feb 7, 2024
@thomlinton
Uses gunicorn WSGI server for development environment.
edd0e7d 
It appears that there are strange interactions when running uWSGI with
the python-auto-reload option on Docker Engine 23.

When code changes are detected and the worker(s) are reloaded, traffic
between the proxy and application container appears to hang and the
processes representing the application containers continue to consume
100% of CPU resources.

Superficially, it appears this issue is related to seccomp changes
released in Docker Engine 23 and backported to Docker Engine 20 (though
subsequenctly reverted).

Refs: https://stackoverflow.com/questions/75511524/nginxuwsgi-stops-responding-after-auto-reload
Refs: https://docs.docker.com/engine/release-notes/23.0/
Refs: moby/moby#44563
Refs: moby/moby#44712
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees
No one assigned
Labels
area/security impact/changelog status/2-code-review
Projects
None yet
Milestone
20.10.23
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@neersighted @thaJeztah