Ubuntu
docker.io package

Merge ~bryce/ubuntu/+source/docker.io:sru-lp1870514-docker-dh-hirsute into ubuntu/+source/docker.io:ubuntu/devel

  1. Git
  2. lp:~bryce/ubuntu/+source/docker.io
  3. sru-lp1870514-docker-dh-hirsute
  4. Merge into ubuntu/devel
Proposed by Bryce Harrington
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: bac882fd61ef0aa92e19095b8b4eaaa984b2adb6
Merged at revision: bac882fd61ef0aa92e19095b8b4eaaa984b2adb6
Proposed branch: ~bryce/ubuntu/+source/docker.io:sru-lp1870514-docker-dh-hirsute
Merge into: ubuntu/+source/docker.io:ubuntu/devel
Diff against target: 111 lines (+80/-0)
4 files modified
debian/changelog (+12/-0)
debian/patches/do-not-bind-docker-to-containerd.patch (+64/-0)
debian/patches/series (+1/-0)
debian/rules (+3/-0)
Reviewer Review Type Date Requested Status
Steve Langasek (community) Approve
Michael Hudson-Doyle Pending
Paulo Flabiano Smorigo Pending
git-ubuntu bot Pending
Dimitri John Ledkov Pending
Canonical Server Pending
Canonical Server packageset reviewers Pending
Review via email: mp+394913@code.launchpad.net

Description of the change

This addresses two separate but related issues. First that docker.io and containerd are too tightly coupled, such that reinstalling containerd can trigger docker.io's prerm to stop the service without restarting it, leading to an outage. Second, it disables docker.io's policy to automatically restart on package upgrade. We found both fixes are required for a full solution to the problem.

Correcting this issue will help facilitate release of CVE-2020-15257 to containerd. This docker.io update will be coordinated with that security update.

While this MP targets hirsute, our intent is to roll the fix out to all supported versions of Ubuntu via the security pocket. Thus, please review with SRU-style requirements in mind.

Bugs: LP: #1906364, LP: #1870514
PPA: https://launchpad.net/~bryce/+archive/ubuntu/containerd-sru-lp1870514-docker-dh

To post a comment you must log in.
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Bryce. I've reviewed it and it looks good (modulo a nit about "--no-restart-on-upgrade").

I'm not marking it as Approved yet because I will take a closer look later.

Revision history for this message
Bryce Harrington (bryce) wrote :

mwhudson, adding you as reviewer given your history with LP: #1658691. I want to make sure by implementing this change that it doesn't resurrect an issue fixed previously.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@Bryce - along the changes I've seen for containerd this looks rather good to me. The one related thing I wondered about is: Due to eventually no more restarting docker on upgrade would that imply that we'd now want to mark "needs reboot" (ok a needs a service restart, but until we have that granularity).

I say that because I can see a world where we correctly fixed the bug of restarting.
But then people might complain that upgrading to e.g. a new CVE fix version will keep them stay affected until a restart.
Flagging "need reboot" or such would at least make them aware.

Revision history for this message
Steve Langasek (vorlon) wrote :

The implementation here looks ok to me (mod Sergio's feedback).

Will there be a corresponding change to the containerd package declaring a Breaks: on versions of docker.io that don't implement this, to ensure docker.io is always upgraded to a fixed version first before containerd restarts?

review: Needs Information
Revision history for this message
Bryce Harrington (bryce) wrote :

I've added Sergio's feedback and repushed to this MP.

@Steve, yes, a breaks for containerd is a good idea.

@Christian, the approach we're taking seems to tie in with some underlying "service needs restarted" handling code (see https://i.imgur.com/2Za5dbQ.png). It would be worth doublechecking what happens if the user answers 'No', but perhaps it is already marking it as needs rebooting? If not, guess we'd just need to add to the prerm a reboot-needed touch like done in proposal X.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

I re-ran the test scenarios Sergio described in his email and all good. Thanks for all the work folks.

As Steve requested I submitted this PR adding a Breaks to containerd:

https://github.com/tianon/debian-containerd/pull/14

If everyone is happy we can upload both containerd and docker.io to Hirsute (as soon as Tianon approves my PR).

In our meeting earlier today Bryce mentioned that even with the fix the docker daemon will be restarted one more time, and a possible solution to avoid that would be to create another package which would try to change the prerm maintainer script before the update is performed. @Steve, do you think we need to be concerned about that? Or is the current solution good enough in your opinion?

Revision history for this message
Steve Langasek (vorlon) :
review: Approve
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Uploaded:

$ git push pkg upload/19.03.13-0ubuntu4
Enumerating objects: 21, done.
Counting objects: 100% (21/21), done.
Delta compression using up to 32 threads
Compressing objects: 100% (15/15), done.
Writing objects: 100% (15/15), 3.36 KiB | 1.68 MiB/s, done.
Total 15 (delta 8), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/docker.io
 * [new tag] upload/19.03.13-0ubuntu4 -> upload/19.03.13-0ubuntu4
$ dput ubuntu ../docker.io_19.03.13-0ubuntu4_source.changes
Checking signature on .changes
gpg: ../docker.io_19.03.13-0ubuntu4_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../docker.io_19.03.13-0ubuntu4.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading docker.io_19.03.13-0ubuntu4.dsc: done.
  Uploading docker.io_19.03.13-0ubuntu4.debian.tar.xz: done.
  Uploading docker.io_19.03.13-0ubuntu4_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 7894341..2d88f98 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+docker.io (19.03.13-0ubuntu4) hirsute; urgency=medium
7+
8+ * d/p/do_not_bind_docker_to_containerd.patch: Update docker.io to not
9+ stop when containerd is upgraded, by using Wants= rather than BindTo=.
10+ (LP: #1870514)
11+ * d/rules: Fix docker.io to not restart its service during package
12+ upgrades, to prevent service downtime from automatic updates via
13+ unattended-upgrade.
14+ (LP: #1906364)
15+
16+ -- Bryce Harrington <bryce@canonical.com> Fri, 04 Dec 2020 23:02:49 +0000
17+
18 docker.io (19.03.13-0ubuntu3) groovy; urgency=medium
19
20 * SECURITY UPDATE: Sensitive information disclosure
21diff --git a/debian/patches/do-not-bind-docker-to-containerd.patch b/debian/patches/do-not-bind-docker-to-containerd.patch
22new file mode 100644
23index 0000000..d2202cc
24--- /dev/null
25+++ b/debian/patches/do-not-bind-docker-to-containerd.patch
26@@ -0,0 +1,64 @@
27+From 22f15d4137cb5d090f13fc5d9093dc3085dce67b Mon Sep 17 00:00:00 2001
28+From: =?UTF-8?q?Micha=C5=82=20Kosek?= <mihao@users.noreply.github.com>
29+Date: Tue, 9 Jul 2019 15:34:13 +0200
30+Subject: [PATCH] Do not "Bind" docker "To" containerd.
31+
32+relates to https://github.com/docker/for-linux/issues/678
33+
34+When using the BindTo directive, Docker is permanently stopped by systemd
35+when containerd is temporarily killed and restarted;
36+
37+Using `Requires` achieves mostly the same, but defines a weaker dependency;
38+
39+https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=
40+
41+> Requires=
42+>
43+> .. If this unit gets activated, the units listed will be activated as well.
44+> If one of the other units fails to activate, and an ordering dependency
45+> After= on the failing unit is set, this unit will not be started. Besides,
46+> with or without specifying After=, this unit will be stopped if one of the
47+> other units is explicitly stopped.
48+
49+We may want to look into using `Wants=` instead of `Requires=`, because
50+that allows docker to continue running if containerd is restarted, quoting
51+the systemd documentation:
52+
53+> Often, it is a better choice to use Wants= instead of Requires= in order
54+> to achieve a system that is more robust when dealing with failing services.
55+
56+Given that docker will likely still fail if the containerd socket is not
57+present, startup will fail if containerd is not running, but if containerd
58+is restarted, the docker daemon may be able to try reconnecting.
59+
60+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
61+---
62+ systemd/docker.service | 3 +--
63+ 1 file changed, 1 insertion(+), 2 deletions(-)
64+
65+Origin: upstream, https://github.com/docker/docker-ce-packaging/pull/508
66+Bug: https://github.com/docker/for-linux/issues/678
67+Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1870514
68+Reviewed-By: Bryce Harrington <bryce@canonical.com>
69+Description: This is a backport of upstream's patch, with the path to
70+ the docker.service modified and using Wants= rather than Requires=, for
71+ reasons outlined above (Requires= did not work). The After= target
72+ also differs from upstream (we don't carry commit 36bb01538.)
73+Last-Updated: 2020-12-02
74+
75+diff --git a/systemd/docker.service b/systemd/docker.service
76+index 9c1d9e6d37..0a6a3064a4 100644
77+--- a/components/packaging/systemd/docker.service
78++++ b/components/packaging/systemd/docker.service
79+@@ -1,10 +1,10 @@
80+ [Unit]
81+ Description=Docker Application Container Engine
82+ Documentation=https://docs.docker.com
83+-BindsTo=containerd.service
84+ After=network-online.target firewalld.service containerd.service
85+ Wants=network-online.target
86+ Requires=docker.socket
87++Wants=containerd.service
88+
89+ [Service]
90+ Type=notify
91diff --git a/debian/patches/series b/debian/patches/series
92index 9dddd87..f9393b5 100644
93--- a/debian/patches/series
94+++ b/debian/patches/series
95@@ -1,2 +1,3 @@
96 41518--apparmor-parser-beta.patch
97 CVE-2020-15157.patch
98+do-not-bind-docker-to-containerd.patch
99diff --git a/debian/rules b/debian/rules
100index 0b10b04..6eab5be 100755
101--- a/debian/rules
102+++ b/debian/rules
103@@ -124,5 +124,8 @@ override_dh_shlibdeps:
104 override_dh_auto_clean:
105 @# stop debhelper from doing "make clean"
106
107+override_dh_systemd_start:
108+ dh_systemd_start --package=docker.io --no-stop-on-upgrade
109+
110 %:
111 dh $@ --with=bash-completion,systemd

Subscribers

People subscribed via source and target branches