RHBA-2017:0949 - Bug Fix Advisory

Topic

Updated oci-systemd-hook packages that fix several bugs are now available for Red Hat Enterprise Linux 7 Extras.

Description

The Open Container Initiative (OCI) systemd hook enables users to run systemd in docker and OCI compatible runtimes such as runc without requiring the "--privileged" flag.

This update fixes several bugs, including:

• Previously, oci-systemd-hook incorrectly ran with the container_t SELinux label. This caused the "systemctl is-active" command to show failures and SELinux errors when using a MariaDB container. This bug has been fixed, and MariaDB containers now start as expected. (BZ#1419040)
• Previously, oci-systemd-hook read the entire JSON-formatted container configuration into a fixed-size buffer. This imposed a limit on the size of container configuration that oci-systemd-hook can handle. Consequently, if container configuration was 65536 bytes or more, oci-systemd-hook logged error message

systemdhook <error>: config file too big

and the container failed to start. With this update, buffer for configuration is allocated dynamically, so there is no more limit on configuration size, and containers with large configurations start as expected. (BZ#1431856)

Users of oci-systemd-hook are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64

Fixes

• BZ - 1419040 - The change to /var/log mounting breaks the running of services that require a folder in /var/log created at docker build time
• BZ - 1439382 - avc when running systemd container

CVEs

(none)

References

(none)