The recently announced container-confinement breakout for containers started with runc is interesting from a few different perspectives. For one, it affects more than just runc-based containers, as privileged LXC-based containers (and likely others) are also affected, though the LXC-based variety is harder to compromise than the runc ones. But it also, once again, shows that privileged containers are difficult, perhaps impossible, to create in a secure manner. Beyond that, it exploits some Linux kernel interfaces in novel ways, and the fixes use a perhaps lesser-known system call that was added to Linux less than five years back.
On today's Fedora systems, a reboot cycle for a kernel update, say, is normally a fairly quick affair, but that is not always true. The system will wait for services to shut down cleanly and will wait for up to two minutes before killing a service and moving on. A recent proposal to change the default timeout to 15 seconds, while still allowing some services to require more time, ran into more opposition than was perhaps anticipated. Not everyone was comfortable shortening the timeout period, though the decision has now been made to reduce it, but not as far as was proposed.