Bug 1738599
| Summary: | Source secret injection fails with docker CVE-2018-15664 patch | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Adam Kaplan <adam.kaplan> |
| Component: | Build | Assignee: | Gabe Montero <gmontero> |
| Status: | CLOSED DUPLICATE | QA Contact: | wewang <wewang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.9.0 | CC: | aos-bugs, cshereme, ggore, j.bodsworth, lkrzyzan, wzheng |
| Target Milestone: | --- | ||
| Target Release: | 3.11.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-20 13:52:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Targeting fix for 3.11.z as this is not an issue for OpenShift 4 (does not use Docker). I have had the same issue in Openshift Container Platform 3.11.98 and 3.11.129. One cluster was working (successfully building) whilst another was not. After careful examination, the working cluster was running docker 1.13.1-96 and the cluster with the problem was running docker version 1.13.1-102. It is clear that the introduction of the following fix has had a detrimental effect on s2i builds at the injection stage: Bug 1714722 (CVE-2018-15664) - CVE-2018-15664 docker: symlink-exchange race attacks in docker cp Downgrading docker works for now, however will be submitting a ticket to Red Hat to have this resolved in Openshift 3.11. Duplicated by 1739315, where work is being actively tracked. *** This bug has been marked as a duplicate of bug 1739315 *** |
Description of problem: Hi, I am running BuildConfig with s2i strategy on OKD 3.9 cluster and I am getting error: ``` {"message":"Error processing tar file(exit status 1): invalid symlink \"/tmp/..data\" -> \"..2019_08_06_16_00_26.551658995\""} ERROR: Error occurred during injecting "/var/run/secrets/openshift.io/build/maven-setting" to "/tmp": Error response from daemon: {"message":"Error processing tar file(exit status 1): invalid symlink \"/tmp/..data\" -> \"..2019_08_06_16_00_26.551658995\""} ``` My BuidConfig is: ``` apiVersion: build.openshift.io/v1 kind: BuildConfig spec: source: secrets: - destinationDir: /tmp secret: name: maven-setting ``` Version of Docker daemon on compute node with failed build: ``` Package version: docker-1.13.1-102.git7f2769b.el7.centos.x86_64 Go version: go1.10.3 ``` Errors don`t occurs when I roll back docker package version to the older version: ``` Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64 Go version: go1.9.4 ``` I found that it is due to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1714722 Any plans to fix s2i secrets injection with CVE-2018-15664 fix in docker package? Version-Release number of selected component (if applicable): OKD 3.9 Additional info: Originally reported on Github: https://github.com/openshift/source-to-image/issues/987