FS#68323 - [containerd] 1.4.1-1 listens on random port for CRI streaming server by default.
Attached to Project:
Community Packages
Opened by Robert Edstrom (Legogris) - Sunday, 18 October 2020, 16:23 GMT
Last edited by Morten Linderud (Foxboron) - Monday, 30 November 2020, 13:01 GMT
Details
Description: containerd listens on random port for CRI streaming server by default.

This is not needed for docker, or when run as a subprocess, but is required for some Kubernetes streaming functionality. My limited understanding is that there has been no known exploit, or security issues without authentication info being compromised, but it clearly should be disabled by default for non-Kubernetes use. It can be disabled by adding `disabled_plugins = ["cri"]` to config - maybe (not sure) it can also be done by env var in the systemd service file.

Additional info:
* package version: containerd-1.4.1-1
* Comment on CoreOS issue: https://github.com/containerd/containerd/issues/2483#issuecomment-437025011
* docker issue: https://github.com/docker/engine/pull/29

Steps to reproduce:
Install and start docker and containerd.
`# netstat -tanpul | grep LISTEN | grep containerd`
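An added audit helper (not part of the bug report or of the containerd package) that checks the two things the report describes: whether a containerd config disables the cri plugin, and whether containerd currently holds TCP listeners, parsed from the `netstat -tanpul` output the report uses. The sample netstat output is constructed, and `/etc/containerd/config.toml` is an assumed default path.

```shell
#!/bin/sh
# Added audit helper (not from the bug report). Checks whether a containerd
# config disables the cri plugin and whether containerd holds TCP listeners.
# Assumes `netstat -tanpul` output as used in the report; the config path
# /etc/containerd/config.toml is an assumed default.

# Read `netstat -tanpul` output on stdin and print the local address:port of
# every TCP LISTEN socket owned by a containerd process. Exit 0 if any found.
containerd_listeners() {
    awk '$1 ~ /^tcp/ && /LISTEN/ && $NF ~ /\/containerd$/ { print $4; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Exit 0 if the given config.toml lists "cri" in disabled_plugins, as the
# report suggests (`disabled_plugins = ["cri"]`).
cri_disabled_in_config() {
    grep -Eq '^[[:space:]]*disabled_plugins[[:space:]]*=[[:space:]]*\[[^]]*"cri"' "$1"
}

# Constructed sample of `netstat -tanpul` output: a containerd CRI streaming
# listener on a random loopback port next to unrelated sshd/dhcpcd sockets.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:34567         0.0.0.0:*               LISTEN      1234/containerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhcpcd'

# Report the config state and the live containerd listeners on this host.
audit_containerd() {
    cfg="${1:-/etc/containerd/config.toml}"
    if [ -r "$cfg" ] && cri_disabled_in_config "$cfg"; then
        echo "ok: cri plugin disabled in $cfg"
    else
        echo "warn: cri plugin not disabled in $cfg (add: disabled_plugins = [\"cri\"])"
    fi
    if ! command -v netstat >/dev/null 2>&1; then
        echo "skip: netstat not available"
    elif listeners=$(netstat -tanpul 2>/dev/null | containerd_listeners); then
        echo "warn: containerd TCP listeners:"
        echo "$listeners"
    else
        echo "ok: no containerd TCP listeners"
    fi
}

# Run the audit only when a config path is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_containerd "$1"
fi
```

Running `netstat -p` as an unprivileged user hides other users' program names, so run the audit as root for a meaningful listener check.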
Closed by Morten Linderud (Foxboron)
Monday, 30 November 2020, 13:01 GMT
Reason for closing: Not a bug
Additional comments about closing: cri interface should be available.
The issue above gives some context on this and why upstream thinks it should be off by default, but on is still the current default behaviour.
CRI is disabled by default when installing containerd from the main repos of Debian and Ubuntu, and from the Docker repos/packages/install scripts. (These are the only ones I've checked.)
Would it make sense to consider an alternative containerd-docker package that is identical apart from this configuration?
It's common for other major Arch packages to supply some form of default config, which may differ from binary defaults.
But if it's a principled hard stance from maintainers that this is the way it is for containerd, I guess there's nothing more to it.