View Issue Details

ID: 0017089
Project: CentOS-7
Category: docker
View Status: public
Last Update: 2020-03-02 07:31
Reporter: bitsbeats
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.7-1908
Target Version:
Fixed in Version:
Summary: 0017089: runc version has issues when container pid 1 contains spaces in /proc/1/stat

Description

Hey,

runc version has issues when container pid 1 contains spaces in /proc/1/stat. This bug was fixed in the upstream repo with this https://github.com/opencontainers/runc/pull/1136 pull request. Sadly the docker package in extras (1.13.1-108.git4ef4b30.el7.centos) ships an older version of runc.

We currently assume it comes from here https://github.com/projectatomic/runc/ (master branch) since the commit hash of docker info matches.

We also noticed that a runc package exists which ships a newer version of runc (which seems to be coming from the runc upstream repo https://github.com/opencontainers/runc). But docker's systemd service explicitly specifies its own runc binary.

The build logs contain the git hashes:
runc: https://buildlogs.centos.org/c7-extras.x86_64/runc/20190915140320/1.0.0-65.rc8.el7.centos.x86_64/build.log
docker: https://buildlogs.centos.org/c7-extras.x86_64/docker/20200121171404/1.13.1-108.git4ef4b30.el7.centos.x86_64/build.log

Steps To Reproduce

After installing docker, run a new container with a process with a space in /proc/1/stat

# docker run -d --rm --name cant_exec_me -it node:12-alpine -e "process.title = 'hi there'; setTimeout(() => {}, 100000)"

Try executing a command in that container

# docker exec -it cant_exec_me sh
rpc error: code = 2 desc = oci runtime error: exec failed: cannot exec a container that has run and stopped

Additional Information

docker info:

Containers: 46
 Running: 29
 Paused: 0
 Stopped: 17
Images: 35
Server Version: 1.13.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc docker-runc
Default Runtime: docker-runc
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: e45dd70447fb72ee4e1f6989173aa6c5dd492d87 (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: fec3683b971d9c3ef73f284f176672c44b448662 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp.json
 selinux
Kernel Version: 3.10.0-1062.12.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 6
Total Memory: 15.67 GiB
Name: REMOVED
ID: RX6V:NAPN:UDBV:YM4G:JT4T:QN5S:AWX6:54YG:6NEC:BBTY:OTHU:QO45
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Registries: docker.io (secure)

Tags: No tags attached.
abrt_hash:
URL:
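
As an added illustration (not code from runc or from this report): per proc(5), the comm field in /proc/<pid>/stat is wrapped in parentheses and may itself contain spaces, so splitting the line on whitespace shifts every later field. The Go sketch below contrasts that naive split with parsing from the last ')'; the sample line, the function names and the choice of starttime (field 22) as the field being read are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample /proc/1/stat line (not captured from a real host);
// comm is "hi there", matching the process.title set in the reproduction.
const sampleStat = "1 (hi there) S 0 1 1 34816 1 4194560 1110 0 0 0 12 3 0 0 20 0 11 0 8513 305000000 9000 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 2 0 0 0 0 0"

// naiveStartTime splits on whitespace and takes the 22nd token, which is
// only the starttime field when comm contains no spaces.
func naiveStartTime(stat string) (uint64, error) {
	f := strings.Fields(stat)
	if len(f) < 22 {
		return 0, errors.New("short stat line")
	}
	return strconv.ParseUint(f[21], 10, 64)
}

// startTime skips past the last ')' so that spaces or parentheses inside
// comm cannot shift the remaining fields. Per proc(5), state is field 3 and
// starttime is field 22, i.e. the 20th token after the closing parenthesis.
func startTime(stat string) (uint64, error) {
	i := strings.LastIndexByte(stat, ')')
	if i < 0 {
		return 0, errors.New("no comm terminator in stat line")
	}
	f := strings.Fields(stat[i+1:])
	if len(f) < 20 {
		return 0, errors.New("short stat line")
	}
	return strconv.ParseUint(f[19], 10, 64)
}

func main() {
	n, _ := naiveStartTime(sampleStat)
	r, _ := startTime(sampleStat)
	fmt.Printf("naive=%d robust=%d\n", n, r)
}
```

With the constructed line, the naive split returns the neighbouring itrealvalue field instead of starttime, without reporting any error.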

Activities

bitsbeats   2020-02-26 16:23   reporter   ~0036388

RHEL seems to have a newer package (-109) where this is fixed.

bitsbeats   2020-02-26 16:36   reporter   ~0036389

https://bugzilla.redhat.com/show_bug.cgi?id=1793062

bitsbeats   2020-02-26 17:05   reporter   ~0036390

Unsure about that, but is the current runc missing almost all commits since ee992e5ff7143ea3fedb1bb4aa88a41d65a0bd66? Including the CVE fixes?

bitsbeats   2020-02-27 08:00   reporter   ~0036396

Quick update: the older version seems to be based off https://github.com/projectatomic/runc/commit/9c3c5f853ebf0ffac0d087e94daef462133b69c7

Seems like the package switched from the 1.3.1-rhel branch to master?

lsm5   2020-02-28 13:47   developer   ~0036398

I guess this will get fixed after it's fixed in RHEL. I don't control the CentOS package, setting assignee to JohnnyHughes

bitsbeats   2020-03-02 07:31   reporter   ~0036412

Maybe it's just that version -109 is not built for centos?

Issue History

Date Modified Username Field Change
2020-02-26 15:53 bitsbeats New Issue
2020-02-26 16:23 bitsbeats Note Added: 0036388
2020-02-26 16:36 bitsbeats Note Added: 0036389
2020-02-26 17:05 bitsbeats Note Added: 0036390
2020-02-27 08:00 bitsbeats Note Added: 0036396
2020-02-28 13:47 lsm5 Note Added: 0036398
2020-03-02 07:31 bitsbeats Note Added: 0036412