This patch release include backports of security fixes and some bug fixes.
Security fixes included:
- Readonly bind-mounts are now mounted read-only on the host. With this fix, mounts are protected at VM boundary not just the guest kernel. If a container escape were to occur, one would be able to write to a directory or file that was mounted read-only.
- Certain annotations in kata can be used to execute pre-exiting binaries. This could be used to execute arbitrary binaries with the onus of validating these paths left to the stack about Kata. In this release, we added appropriate validations so that an admin can configure a list of file system paths that can be used to filter annotations that represent valid file names.
agent Changes
Shortlog
ce2107a release: Kata Containers 1.11.5
proxy Changes
Shortlog
369aaa6 release: Kata Containers 1.11.5
runtime Changes
Shortlog
362e312 release: Kata Containers 1.11.5
8e5c1c3 tests: Update assets test to adapt to recent changes
1231ce9 makefile: Enable hypervisor annotations by default
c2cbceb config: Rename 'runtime' to 'runtimeConfig'
7c1bf82 config: Improve comments in configuration file templates
57a29a8 config: Make configuration file comments consistent
f7493d7 annotations: Correct unit tests to validate new protections
e3efe73 annotations: Split addHypervisorOverrides to reduce complexity
50c126f annotations: Add unit test for checkPathIsInGlobs
069360c annotations: Add unit test for regexpContains function
14bb5f1 runtime: Fix firecracker config
4eb0029 makefile: Add missing generated vars to USER_VARS
0705db2 makefile: Improve names of config entries for annotation checks
f1c2a1c annotations: Give better names to local variabes in search functions
0d5d221 annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
96ba05f config: Add better comments in the template files
33021ef config: Whitelist hypervisor annotations by name
db5fb82 config: Use glob instead of regexp to match paths in annotations
344e338 annotations: Fix typo in comment
d3245a4 config: Add makefile variables for path lists
ba15b7e config: Protect file_mem_backend against annotation attacks
88b0544 config: Protect vhost_user_store_path against annotation attacks
7f381d5 config: Add security warning on configuration examples
4a753e8 config: Protect ctlpath from annotation attack
94076a6 config: Protect jailer_path annotation
14ef4df config: Add examples for path_list configuration
3d8ce2c annotations: Simplify negative logic
562a028 config: Add hypervisor path override through annotations
5848bec config: Fix typo in function name
4611567 config: Protect virtio_fs_daemon annotation
9ac0e93 config: Add 'List' alternates for hypervisor configuration paths
eca202e arm64: correct bridge type for QEMUVIRT machine
314bc3d gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
951302f runtime: Ignore ENOENT in kill/delete
20fcb93 hypervisor: Remove unused methods
04dc0d9 annotations: Improve asset annotation handling
a47f7b3 annotations: Add missing hypervisor control annotation
2dd0fe6 asset: Formatting, grammar and whitespace
3f0e61c runtime: mount shared mountpoint readonly
228e6eb runtime: readonly mounts should be readonly bindmount on the host
0b7019b runtime: Call s.newStore.Destroy if globalSandboxList.addSandbox
054c4fb runtime: Don' call bindUnmountContainerRootfs for devicemapper device
ad3eec5 runtime: Fix /var/lib/vc/sbs/${sid} dir residual
d78780c virtiofs: Disable DAX
51d8592 virtiofsd: Use cache=auto
shim Changes
Shortlog
2a0e8a5 release: Kata Containers 1.11.5
Compatibility with Docker
Kata Containers 1.11.5 is compatible with Docker v18.06-ce
Compatibility with CRI-O
Kata Containers 1.11.5 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082
Compatibility with cri-containerd
Kata Containers 1.11.5 is compatible with cri-contaienrd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7
OCI Runtime Specification
Kata Containers 1.11.5 support the OCI Runtime Specification v1.0.0-rc5
Compatibility with Kubernetes
Kata Containers 1.11.5 is compatible with Kubernetes 1.17.3-00
Kata Linux Containers image
Agent version: 1.11.5
Default Image Guest OS:
description: |
Root filesystem disk image used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
aarch64:
name: "ubuntu"
version: "latest"
ppc64le:
name: "centos"
version: "latest"
s390x:
name: "ubuntu"
version: "latest"
x86_64:
name: "clearlinux"
version: "latest"
meta:
image-type: "clearlinux"
Default Initrd Guest OS:
description: |
Root filesystem initrd used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
aarch64:
name: "alpine"
version: "3.7"
ppc64le:
name: "alpine"
version: "3.7"
s390x:
name: "alpine"
version: "3.7"
x86_64:
name: "alpine"
version: "3.7"
Kata Linux Containers Kernel
Kata Containers 1.11.5 suggest to use the Linux kernel v5.4.32
See the kernel suggested Guest Kernel patches
See the kernel suggested Guest Kernel config
Installation
Follow the Kata installation instructions.
Issues & limitations
More information Limitations