- Spike
- Resolution: Done
- Critical
- None
- None
- None
- False
- False
- rhel-container-tools
Update impact statement for the OCPBUGS-65725 series:
Which 4.y.z to 4.y'.z' updates increase vulnerability?
- 4.20.4
- 4.19.19
- 4.18.29 (only in candidate channels)
- 4.17.44
- 4.16.53 (only in candidate channels)
- 4.14.59
- 4.12.83 (only in candidate channels)
Which types of clusters?
- Clusters using the runc container runtime, which was the default at install time in OpenShift 4.17 and earlier. Clusters installed on those versions and later upgraded to 4.18 or newer keep runc unless they are explicitly configured to default to crun (for example, via a ContainerRuntimeConfig). Clusters installed on 4.18 or later that do not configure a runtime use crun, which is the default there and is not known to be affected.
What is the impact? Is it serious enough to warrant removing update recommendations?
- Pods that set both shareProcessNamespace: true and hostNetwork: true may not start.
- Common components that set these values are ODF and MetalLB FRR; others are likely affected as well, these are just the ones for which customer cases have been opened.
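Because the failure is tied to one specific pod-spec combination, the practical pre-update check is to enumerate the workloads that carry it before moving to one of the versions listed above. The script below is an added example, not part of this bug report or of any OpenShift tooling; it reads the JSON that `oc get pods -A -o json` produces (a v1 List of Pod objects) and reports every pod whose spec sets both `shareProcessNamespace: true` and `hostNetwork: true`. The embedded pod list and all namespace and pod names in it are constructed sample data, not real cluster output.

```python
"""Pre-update check: list pods whose spec combines shareProcessNamespace: true
with hostNetwork: true, the combination the impact statement says may fail to
start on the affected runc builds.

Added example; not part of the OCPBUGS report. Pipe in the output of
`oc get pods -A -o json`, or run with no input to use the constructed sample.
"""
import json
import sys

# Constructed sample in the shape of `oc get pods -A -o json`.
# Namespaces and pod names are invented for the example.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "openshift-storage", "name": "example-rook-ceph-osd-0"},
         "spec": {"shareProcessNamespace": True, "hostNetwork": True}},
        {"metadata": {"namespace": "metallb-system", "name": "example-frr-k8s-abc12"},
         "spec": {"shareProcessNamespace": True, "hostNetwork": True}},
        {"metadata": {"namespace": "default", "name": "example-shared-pid-only"},
         "spec": {"shareProcessNamespace": True}},
        {"metadata": {"namespace": "default", "name": "example-hostnet-only"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"namespace": "default", "name": "example-plain"},
         "spec": {}},
    ],
})


def is_affected(pod: dict) -> bool:
    """True only when BOTH flags are explicitly true in the pod spec.

    A pod with just one of the two settings is not in the affected set
    described by the impact statement, so it is deliberately not flagged.
    """
    spec = pod.get("spec") or {}
    return spec.get("shareProcessNamespace") is True and spec.get("hostNetwork") is True


def find_affected_pods(pod_list_json: str) -> list[tuple[str, str]]:
    """Return sorted (namespace, name) pairs for every matching pod.

    Accepts either a v1 List (as from `oc get pods -A -o json`) or a single
    Pod object (as from `oc get pod NAME -o json`).
    """
    doc = json.loads(pod_list_json)
    items = [doc] if doc.get("kind") == "Pod" else doc.get("items", [])
    hits = []
    for pod in items:
        if is_affected(pod):
            meta = pod.get("metadata", {})
            hits.append((meta.get("namespace", ""), meta.get("name", "")))
    return sorted(hits)


def main() -> int:
    # Usage: oc get pods -A -o json | python3 check_shared_pid_hostnet.py
    # Falls back to the constructed sample when nothing is piped in.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_POD_LIST
    hits = find_affected_pods(data)
    if not hits:
        print("No pods set both shareProcessNamespace: true and hostNetwork: true.")
        return 0
    print("Pods that set both shareProcessNamespace: true and hostNetwork: true:")
    for namespace, name in hits:
        print(f"  {namespace}/{name}")
    # Non-zero exit so the check can gate an update pipeline.
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script reports the two pods that set both fields and exits non-zero; the pods that set only one of the two are ignored, matching the scope the impact statement gives. Run against a real cluster, the output is the list of workloads to review with support before updating into one of the listed versions.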
How involved is remediation?
- Please contact support to evaluate rolling back either the entire cluster or the affected nodes.
Is this a regression?
- Yes, in the versions listed above which received various runc updates.
- blocks: OCPBUGS-65725 shareProcessNamespace pods fail to start - runc (ASSIGNED)
- links to