[25.0 backport] libnet: Don't forward to upstream resolvers on internal nw #47589
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vvoland
added
kind/enhancement
Thank you ... I think the test is probably failing because it relies on env var DOCKER_TEST_RESOLV_CONF_PATH to point the daemon at the test's own resolv.conf instead of the host's - and that env var was also added by the resolvconf refactoring. We could either just not-backport the test (and test it manually), or backport the container_operations.go change from that PR? |
If env var DOCKER_TEST_RESOLV_CONF_PATH is set, treat it as an override for the 'resolv.conf' path. Added as part of resolv.conf refactoring, but needed by back-ported test TestInternalNetworkDNS. Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit cbc2a71 makes `connect` syscall fail fast when a container is only attached to an internal network. Thanks to that, if such a container tries to resolve an "external" domain, the embedded resolver returns an error immediately instead of waiting for a timeout. This commit makes sure the embedded resolver doesn't even try to forward to upstream servers. Co-authored-by: Albin Kerouanton <albinker@gmail.com> Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit 790c303) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
I did that. |
|
Thanks! "LGTM" 😄 |
robmry
approved these changes
Mar 19, 2024
There was a problem hiding this comment.
LGTM too ... but I guess that's cheating! @akerouanton, could you take a look?
neersighted
approved these changes
Mar 19, 2024
anarkiwi
added a commit
to anarkiwi/dovesnap
that referenced
this pull request
Apr 22, 2024
idodod
added a commit
to earthly/dind
that referenced
this pull request
Apr 22, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/docker](https://togithub.com/docker/docker) | patch | `25.0.1` -> `25.0.5` | --- ### Release Notes <details> <summary>docker/docker (docker/docker)</summary> ### [`v25.0.5`](https://togithub.com/moby/moby/releases/tag/v25.0.5) [Compare Source](https://togithub.com/docker/docker/compare/v25.0.4...v25.0.5) #### 25.0.5 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 25.0.5 milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.5) - [moby/moby, 25.0.5 milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.5) - Deprecated and removed features, see [Deprecated Features](https://togithub.com/docker/cli/blob/v25.0.5/docs/deprecated.md). - Changes to the Engine API, see [API version history](https://togithub.com/moby/moby/blob/v25.0.5/docs/api/version-history.md). ##### Security This release contains a security fix for [CVE-2024-29018], a potential data exfiltration from 'internal' networks via authoritative DNS servers. ##### Bug fixes and enhancements - [CVE-2024-29018]: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. [moby/moby#47589](https://togithub.com/moby/moby/pull/47589) - plugin: fix mounting /etc/hosts when running in UserNS. [moby/moby#47588](https://togithub.com/moby/moby/pull/47588) - rootless: fix `open /etc/docker/plugins: permission denied`. [moby/moby#47587](https://togithub.com/moby/moby/pull/47587) - Fix multiple parallel `docker build` runs leaking disk space. [moby/moby#47527](https://togithub.com/moby/moby/pull/47527) [CVE-2024-29018]: https://togithub.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx ### [`v25.0.4`](https://togithub.com/moby/moby/releases/tag/v25.0.4) [Compare Source](https://togithub.com/docker/docker/compare/v25.0.3...v25.0.4) #### 25.0.4 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 25.0.4 milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.4) - [moby/moby, 25.0.4 milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.4) - Deprecated and removed features, see [Deprecated Features](https://togithub.com/docker/cli/blob/v25.0.4/docs/deprecated.md). - Changes to the Engine API, see [API version history](https://togithub.com/moby/moby/blob/v25.0.4/docs/api/version-history.md). ##### Bug fixes and enhancements - Restore DNS names for containers in the default "nat" network on Windows. [moby/moby#47490](https://togithub.com/moby/moby/pull/47490) - Fix `docker start` failing when used with `--checkpoint` [moby/moby#47466](https://togithub.com/moby/moby/pull/47466) - Don't enforce new validation rules for existing swarm networks [moby/moby#47482](https://togithub.com/moby/moby/pull/47482) - Restore IP connectivity between the host and containers on an internal bridge network. [moby/moby#47481](https://togithub.com/moby/moby/pull/47481) - Fix a regression introduced in v25.0 that prevented the classic builder from ADDing a tar archive with xattrs created on a non-Linux OS [moby/moby#47483](https://togithub.com/moby/moby/pull/47483) - containerd image store: Fix image pull not emitting `Pulling fs layer` status [moby/moby#47484](https://togithub.com/moby/moby/pull/47484) ##### API - To preserve backwards compatibility, make read-only mounts not recursive by default when using older clients (API version < v1.44). [moby/moby#47393](https://togithub.com/moby/moby/pull/47393) - `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. [moby/moby#47451](https://togithub.com/moby/moby/pull/47451) - Populate a missing `Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. [moby/moby#47387](https://togithub.com/moby/moby/pull/47387) - Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. [moby/moby#47470](https://togithub.com/moby/moby/pull/47470) - Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but `NetworkMode` name-or-id is not the same as the name-or-id used in `NetworkSettings.Networks`. [moby/moby#47510](https://togithub.com/moby/moby/pull/47510) ##### Packaging updates - Upgrade Go runtime to [1.21.8](https://go.dev/doc/devel/release#go1.21.8). [moby/moby#47503](https://togithub.com/moby/moby/pull/47503) - Upgrade RootlessKit to [v2.0.2](https://togithub.com/rootless-containers/rootlesskit/releases/tag/v2.0.2). [moby/moby#47508](https://togithub.com/moby/moby/pull/47508) - Upgrade Compose to [v2.24.7](https://togithub.com/docker/compose/releases/tag/v2.24.7). [docker/docker-ce-packaging#998 - Upgrade Buildx to [v0.13.0](https://togithub.com/docker/buildx/releases/tag/v0.13.0). [docker/docker-ce-packaging#997 **Full Changelog**: moby/moby@v25.0.3...v25.0.4 ### [`v25.0.3`](https://togithub.com/moby/moby/releases/tag/v25.0.3) [Compare Source](https://togithub.com/docker/docker/compare/v25.0.2...v25.0.3) #### 25.0.3 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 25.0.3 milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.3) - [moby/moby, 25.0.3 milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.3) ##### Bug fixes and enhancements - containerd image store: Fix a bug where `docker image history` would fail if a manifest wasn't found in the content store. [moby/moby#47348](https://togithub.com/moby/moby/pull/47348) - Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. [moby/moby#47304](https://togithub.com/moby/moby/pull/47304) > **Note** > > - Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. > They must be re-created. > - Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 > receive new MAC addresses when started using Docker Engine version 25.0.2. > They must also be re-created. <!----> - Fix `docker save <image>@​<digest>` producing an OCI archive with index without manifests. [moby/moby#47294](https://togithub.com/moby/moby/pull/47294) - Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. [moby/moby#47308](https://togithub.com/moby/moby/issues/47308), [moby/moby#47311](https://togithub.com/moby/moby/pull/47311) - Fix a bug where containers are unable to communicate over an `internal` network. [moby/moby#47303](https://togithub.com/moby/moby/pull/47303) - Fix a bug where the value of the `ipv6` daemon option was ignored. [moby/moby#47310](https://togithub.com/moby/moby/pull/47310) - Fix a bug where trying to install a pulling using a digest revision would cause a panic. [moby/moby#47323](https://togithub.com/moby/moby/pull/47323) - Fix a potential race condition in the managed containerd supervisor. [moby/moby#47313](https://togithub.com/moby/moby/pull/47313) - Fix an issue with the `journald` log driver preventing container logs from being followed correctly with systemd version 255. [moby/moby47243](https://togithub.com/moby/moby/pull/47243) - seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. [moby/moby#47341](https://togithub.com/moby/moby/pull/47341) - Windows: Fix cache not being used when building images based on Windows versions older than the host's version. [moby/moby#47307](https://togithub.com/moby/moby/pull/47307), [moby/moby#47337](https://togithub.com/moby/moby/pull/47337) ##### Packaging updates - Removed support for Ubuntu Lunar (23.04). [docker/ce-packaging#986](https://togithub.com/docker/docker-ce-packaging/pull/986) ### [`v25.0.2`](https://togithub.com/moby/moby/releases/tag/v25.0.2) [Compare Source](https://togithub.com/docker/docker/compare/v25.0.1...v25.0.2) #### 25.0.2 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 25.0.2 milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.2) - [moby/moby, 25.0.2 milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.2) ##### Security This release contains security fixes for the following CVEs affecting Docker Engine and its components. | CVE | Component | Fix version | Severity | | ----------------------------------------------------------- | ------------- | ----------- | ---------------- | | [CVE-2024-21626](https://scout.docker.com/v/CVE-2024-21626) | runc | 1.1.12 | High, CVSS 8.6 | | [CVE-2024-23651](https://scout.docker.com/v/CVE-2024-23651) | BuildKit | 1.12.5 | High, CVSS 8.7 | | [CVE-2024-23652](https://scout.docker.com/v/CVE-2024-23652) | BuildKit | 1.12.5 | High, CVSS 8.7 | | [CVE-2024-23653](https://scout.docker.com/v/CVE-2024-23653) | BuildKit | 1.12.5 | High, CVSS 7.7 | | [CVE-2024-23650](https://scout.docker.com/v/CVE-2024-23650) | BuildKit | 1.12.5 | Medium, CVSS 5.5 | | [CVE-2024-24557](https://scout.docker.com/v/CVE-2024-24557) | Docker Engine | 25.0.2 | Medium, CVSS 6.9 | The potential impacts of the above vulnerabilities include: - Unauthorized access to the host filesystem - Compromising the integrity of the build cache - In the case of CVE-2024-21626, a scenario that could lead to full container escape For more information about the security issues addressed in this release, refer to the [blog post](https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/). For details about each vulnerability, see the relevant security advisory: - [CVE-2024-21626](https://togithub.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv) - [CVE-2024-23651](https://togithub.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv) - [CVE-2024-23652](https://togithub.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8) - [CVE-2024-23653](https://togithub.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g) - [CVE-2024-23650](https://togithub.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx) - [CVE-2024-24557](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc) ##### Packaging updates - Upgrade containerd to [v1.6.28](https://togithub.com/containerd/containerd/releases/tag/v1.6.28). - Upgrade containerd to v1.7.13 (static binaries only). [moby/moby#47280](https://togithub.com/moby/moby/pull/47280) - Upgrade runc to v1.1.12. [moby/moby#47269](https://togithub.com/moby/moby/pull/47269) - Upgrade Compose to v2.24.5. [docker/docker-ce-packaging#985](https://togithub.com/docker/docker-ce-packaging/pull/985) - Upgrade BuildKit to v0.12.5. [moby/moby#47273](https://togithub.com/moby/moby/pull/47273) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/earthly/dind). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yOTMuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZSJdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: idodod <ido@earthly.dev>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
Picked up Albin's change from #46609 - and added a regression test.
Commit cbc2a71 makes
connectsyscall fail fast when a container is only attached to an internal network. Thanks to that, if such a container tries to resolve an "external" domain, the embedded resolver returns an error immediately instead of waiting for a timeout.This commit makes sure the embedded resolver doesn't even try to forward to upstream servers - this is important when the host's DNS server is running on a localhost address. In this case, the internal resolver's upstream DNS requests are made from the host's network namespace, so they work even when the network is declared as 'internal'. Communication with external DNS servers is unexpected for an internal network.
- How Albin did it
Add a way to enable/disable upstream forwarding to the embedded resolver. When an endpoint joins/leaves a sandbox, this forwarding policy is modified based on whether there's an endpoint providing external connectivity.
- How to verify it
New regression test.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)