Merge ~bryce/ubuntu/+source/docker.io:sru-lp1870514-docker-dh-hirsute into ubuntu/+source/docker.io:ubuntu/devel
Status: | Merged
---|---
Approved by: | Lucas Kanashiro
Approved revision: | bac882fd61ef0aa92e19095b8b4eaaa984b2adb6
Merged at revision: | bac882fd61ef0aa92e19095b8b4eaaa984b2adb6
Proposed branch: | ~bryce/ubuntu/+source/docker.io:sru-lp1870514-docker-dh-hirsute
Merge into: | ubuntu/+source/docker.io:ubuntu/devel
Diff against target: | 111 lines (+80/-0), 4 files modified: debian/changelog (+12/-0), debian/patches/do-not-bind-docker-to-containerd.patch (+64/-0), debian/patches/series (+1/-0), debian/rules (+3/-0)
Related bugs: |

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Langasek (community) | Approve | |
Michael Hudson-Doyle | Pending | |
Paulo Flabiano Smorigo | Pending | |
git-ubuntu bot | Pending | |
Dimitri John Ledkov | Pending | |
Canonical Server | Pending | |
Canonical Server packageset reviewers | Pending | |

Review via email: mp+394913@code.launchpad.net

Description of the change
This addresses two separate but related issues. First that docker.io and containerd are too tightly coupled, such that reinstalling containerd can trigger docker.io's prerm to stop the service without restarting it, leading to an outage. Second, it disables docker.io's policy to automatically restart on package upgrade. We found both fixes are required for a full solution to the problem.
Correcting this issue will help facilitate release of CVE-2020-15257 to containerd. This docker.io update will be coordinated with that security update.
While this MP targets hirsute, our intent is to roll the fix out to all supported versions of Ubuntu via the security pocket. Thus, please review with SRU-style requirements in mind.
Bugs: LP: #1906364, LP: #1870514
PPA: https:/
Thanks for the MP, Bryce. I've reviewed it and it looks good (modulo a nit about "--no-restart-on-upgrade").
I'm not marking it as Approved yet because I will take a closer look later.