compatibility of runc 1.1.12 with CentOS 7.9

[arun2arunraj]

hi Team,

We are running our production system in CentOS 7.9.

We would like to address this issue for our environment https://nvd.nist.gov/vuln/detail/CVE-2024-21626

The above mentioned vulnerability has been fixed in the 1.1.12 release. We see runc 1.1.12 has a dependency with the libseccomp as well.

1. Are we tested to upgrade the runc into 1.1.12 for the CentOS 7.9 ? ( And it is advisable to try out this integration ? -- We have official support for the CentOS for production up to end of this year )

2. Is it mandatory to upgrade the libseccomp v2.5.5 when we upgrade the runc into 1.1.12 ?

[AkihiroSuda]

runc 1.1.12 is tested on CentOS 7.9 with libseccomp 2.3.1

https://cirrus-ci.com/task/5994735848914944

[arun2arunraj]

@AkihiroSuda : Trying to build binary for the CentOS 7.9 kernel and getting the following error. what is required to ensure the static binaries for the intel x86_64 architecture.

`go build -v -trimpath "-buildmode=pie" -tags "seccomp" -gcflags "-I seccomp" -ldflags "-L '/var/v0.6/go-projects/src/github.com/opencontainers/runc/vendor/github.com/seccomp/libseccomp-golang' -X 'main.gitCommit=v1.1.12-0-g51d5e94' -X 'main.version=1.1.12'" -o runc .

github.com/opencontainers/runc

/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_C2func_seccomp_notify_id_valid': /tmp/go-build/cgo-gcc-prolog:59: undefined reference to seccomp_notify_id_valid'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_C2func_seccomp_notify_receive': /tmp/go-build/cgo-gcc-prolog:84: undefined reference to seccomp_notify_receive'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_C2func_seccomp_notify_respond': /tmp/go-build/cgo-gcc-prolog:109: undefined reference to seccomp_notify_respond'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_api_get': /tmp/go-build/cgo-gcc-prolog:220: undefined reference to seccomp_api_get'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_api_set': /tmp/go-build/cgo-gcc-prolog:240: undefined reference to seccomp_api_set'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_alloc': /tmp/go-build/cgo-gcc-prolog:303: undefined reference to seccomp_notify_alloc'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_fd': /tmp/go-build/cgo-gcc-prolog:322: undefined reference to seccomp_notify_fd'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_id_valid': /tmp/go-build/cgo-gcc-prolog:356: undefined reference to seccomp_notify_id_valid'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_receive': /tmp/go-build/cgo-gcc-prolog:377: undefined reference to seccomp_notify_receive'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_respond': /tmp/go-build/cgo-gcc-prolog:398: undefined reference to seccomp_notify_respond'
/tmp/go-link-3134961496/000030.o: In function _cgo_17afc0d48614_Cfunc_seccomp_notify_free': /tmp/go-build/cgo-gcc-prolog:338: undefined reference to seccomp_notify_free'`

pwd=/var/v0.6/go-projects/src/github.com/opencontainers/runc

export PATH=$PATH:/usr/local/go/bin
export GOPATH=/var/v0.6/go-projects
export GOCACHE=/var/v0.6/go-projects/.cache/go-build
export GOENV=/var/v0.6/go-projects/.config/go/env

[AkihiroSuda]

make should just work after installing these packages:
https://github.com/opencontainers/runc/blob/v1.1.12/.cirrus.yml#L80
https://github.com/opencontainers/runc/blob/v1.1.12/.cirrus.yml#L82
https://github.com/opencontainers/runc/blob/v1.1.12/.cirrus.yml#L103

[arun2arunraj]

@AkihiroSuda : We are assuming the runc binary which has been packaged will not support the CentOS 7.9 kernel which we have in the production. So we tried to attempt manually and facing the above issues.

[AkihiroSuda]

This package contains runc 1.1.12 for CentoS 7.9
https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.6.28-3.1.el7.x86_64.rpm

[arun2arunraj]

hi @AkihiroSuda :

RPM actually, upgrades many binaries like containerd, containerd-shim, ctr, containerd-shim-runc-v1 and containerd-shim-runc-v2.

We would like to only upgrade runc to overcome the vulnerability.

Is it mandate to be upgrade all other binaries ? Is it have any dependencies and discrepancies. I have gone through the release notes. But I couldn't find one. Any help would be much appreciated.

[AkihiroSuda]

You may use rpm2cpio or something to extract the runc binary from the RPM

[arun2arunraj]

@AkihiroSuda :
So Is it advisable to upgrade the runc upgrade alone ?

[AkihiroSuda]

Yes

[arun2arunraj]

@AkihiroSuda :
After upgrading the rpm, we could see the spec version as old one. Is it expected one ?

runc --version
runc version 1.1.12
commit: v1.1.12-0-g51d5e94
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.3.1

[AkihiroSuda]

Expected