Recommended update for Docker, RunC, Containerd

SUSE Recommended Update: Recommended update for Docker, RunC, Containerd
Announcement ID: SUSE-RU-2017:1965-1
Rating: moderate
References: #1026827 #1028113 #1028638 #1028639 #1030702 #1032287 #1032644 #1032769 #1034053 #1034063 #1037436 #1037607 #1038476 #1038493 #1040618 #953182 #964546 #996303
Affected Products:
  • SUSE OpenStack Cloud 6
  • SUSE Linux Enterprise Module for Containers 12
  • OpenStack Cloud Magnum Orchestration 7

An update that solves one vulnerability and has 17 fixes is now available.

    Description:


    This update for Containerd, Docker and RunC provides several fixes and
    enhancements.

    Containerd:

    - Update containerd to the version needed for docker-v17.04.0-ce.
    (bsc#1034053)
    - Fix spurious messages filling journal. (bsc#1032769)
    - Set TasksMax=infinity to make sure runC doesn't start failing randomly.

    Docker:

    - Update to version 17.04.0-ce. (bsc#1034053)
    - Fix execids leaks due to bad error handling. (bsc#1037436)
    - Make AppArmor's pkg/aaparser work on read-only root. (bsc#1037607)
    - Improve Docker's systemd configuration. (bsc#1032287)
    - Check if the docker binary is available before attempting to use it.
    (bsc#1038476)
    - Build man pages for all architectures. (bsc#953182)
    - Fix DNS resolution when Docker host uses 127.0.0.1 as resolver.
    (bsc#1034063)
    - Enable Delegate=yes, since systemd will safely ignore lvalues it doesn't
    understand.
    - Update SUSE secrets patch to handle bsc#1030702.
    - Change lvm2 from Requires to Recommends: Docker usually uses a default
    storage driver, when it's not configured explicitly. This default driver
    then depends on the underlying system and gets chosen during
    installation. (bsc#1032644)
    - Disable libseccomp for Leap 42.1, SLE 12 and 12-SP1, because docker
    needs a higher version. Otherwise, we get the error "conditional
    filtering requires libseccomp version >= 2.2.1". (bsc#1028639,
    bsc#1028638)
    - Add a backport of the fix for the AppArmor lazy loading docker-exec case.
    - Fix systemd TasksMax default which could throttle docker. (bsc#1026827)
    - Enable pkcs11.

    For a comprehensive list of changes please refer to
    /usr/share/doc/packages/docker/CHANGELOG.md

    RunC:

    - Update version to the one required by docker-17.04.0-ce. (bsc#1034053)
    - Make sure to ignore cgroup v2 mountpoints. (bsc#1028113)

    Patch Instructions:

    To install this SUSE Recommended Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE OpenStack Cloud 6:
      zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1143=1
    • SUSE Linux Enterprise Module for Containers 12:
      zypper in -t patch SUSE-SLE-Module-Containers-12-2017-1143=1
    • OpenStack Cloud Magnum Orchestration 7:
      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1143=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE OpenStack Cloud 6 (x86_64):
      • containerd-0.2.5+gitr639_422e31c-20.2
      • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
      • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
      • docker-17.04.0_ce-98.2
      • docker-debuginfo-17.04.0_ce-98.2
      • docker-debugsource-17.04.0_ce-98.2
      • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
      • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
      • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
      • runc-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
    • SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):
      • containerd-0.2.5+gitr639_422e31c-20.2
      • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
      • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
      • docker-17.04.0_ce-98.2
      • docker-debuginfo-17.04.0_ce-98.2
      • docker-debugsource-17.04.0_ce-98.2
      • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
      • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
      • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
      • runc-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
    • SUSE Linux Enterprise Module for Containers 12 (x86_64):
      • docker-distribution-registry-2.6.1-15.2
    • OpenStack Cloud Magnum Orchestration 7 (x86_64):
      • containerd-0.2.5+gitr639_422e31c-20.2
      • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
      • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
      • docker-17.04.0_ce-98.2
      • docker-debuginfo-17.04.0_ce-98.2
      • docker-debugsource-17.04.0_ce-98.2
      • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
      • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
      • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
      • runc-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
      • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
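
    To confirm a host has picked up the versions in the package list above, the following added example (not part of the advisory and not SUSE tooling) compares an rpm inventory against them. The function names and the sample inventory are constructed for illustration, and `sort -V` is an assumption standing in for rpm's own version ordering.

```shell
#!/bin/sh
# Added example (not SUSE tooling): flag hosts still below the fixed
# versions from the Package List of SUSE-RU-2017:1965-1.

# Fixed version-release per package, copied from the advisory.
fixed_version() {
  case "$1" in
    containerd)                   echo "0.2.5+gitr639_422e31c-20.2" ;;
    docker)                       echo "17.04.0_ce-98.2" ;;
    docker-libnetwork)            echo "0.0.0+git20170119.7b2b1fe-4.1" ;;
    docker-distribution-registry) echo "2.6.1-15.2" ;;
    runc)                         echo "0.1.1+gitr2947_9c2d8d1-20.3" ;;
    *) return 1 ;;
  esac
}

# Succeeds when $1 >= $2. Assumption: sort -V stands in for rpm's own
# version ordering; it agrees for the version strings used here.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, as printed by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
# Prints one verdict per advisory package; returns 1 if any is outdated.
audit_packages() {
  rc=0
  while read -r name installed; do
    fixed=$(fixed_version "$name") || continue   # not covered by this update
    if version_ge "$installed" "$fixed"; then
      echo "OK $name $installed"
    else
      echo "OUTDATED $name $installed (fixed in $fixed)"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed inventory: containerd already patched, docker and runc not.
sample_inventory() {
  cat <<'EOF'
containerd 0.2.5+gitr639_422e31c-20.2
docker 1.12.6-1.1
runc 0.1.1+gitr2819_50a19c6-1.1
bash 4.3-1.1
EOF
}

sample_inventory | audit_packages || echo "patch needed: see Patch Instructions"
```

    On a SUSE host, `zypper versioncmp` gives the authoritative comparison where `sort -V` and rpm ordering might disagree.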

    References: