FS#68323 - [containerd] 1.4.1-1 listens on random port for CRI streaming server by default.

Attached to Project: Community Packages
Opened by Robert Edstrom (Legogris) - Sunday, 18 October 2020, 16:23 GMT
Last edited by Morten Linderud (Foxboron) - Monday, 30 November 2020, 13:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Morten Linderud (Foxboron)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description: containerd listens on random port for CRI streaming server by default.

This is not needed for docker, or when run as a subprocess, but is required for some kubernetes streaming functionality. My limited understanding is that there have been no known exploits or security issues without authentication info being compromised, but it clearly should be disabled by default for non-kubernetes use.

It can be disabled by adding `disabled_plugins = ["cri"]` to config - maybe (not sure) it can also be done by env var in the systemd service file.

Additional info:
* package version: containerd-1.4.1-1
* Comment on CoreOS issue: https://github.com/containerd/containerd/issues/2483#issuecomment-437025011
* docker issue: https://github.com/docker/engine/pull/29


Steps to reproduce:
Install and start docker and containerd.

`# netstat -tanpul | grep LISTEN | grep containerd`
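The check described in the report and the config change it proposes, as an added shell example (this is not code from the bug report, from containerd or from the Arch package). It assumes `netstat -tanpul` output in the column layout of the line quoted later in this thread, uses constructed sample lines rather than a real capture, and writes the config fragment to a temporary directory instead of /etc/containerd/config.toml so it can be run anywhere:

```shell
#!/bin/sh
# Added example for FS#68323 (not containerd's or Arch's own code). It does two
# things an admin of a Docker-only host wants:
#   1. pick the containerd TCP listener out of `netstat -tanpul` output and
#      report its port (random on each start while the CRI plugin is enabled);
#   2. write the config.toml fragment that disables CRI, and verify that a
#      given config file really contains it.
# The netstat lines below are constructed sample input, not a real capture.
set -eu

# Print TCP LISTEN lines owned by a process named exactly "containerd".
# Anchoring on "/containerd$" keeps out processes whose name merely starts
# with "containerd" (containerd-shim).
containerd_listeners() {
    grep 'LISTEN' | grep -E '[0-9]+/containerd[[:space:]]*$' || true
}

# Given listener lines, print the local port: the last ':'-separated field
# of the 4th netstat column, e.g. "45608" from "127.0.0.1:45608".
listener_port() {
    awk '{ n = split($4, a, ":"); print a[n] }'
}

# Write a config.toml to $1. With no "version" line containerd reads it as a
# version 1 config, where the short plugin name "cri" in disabled_plugins is
# the form Docker's own packaged config uses. "off" disables CRI; "on" keeps
# the upstream default, where the CRI stream server listens on 127.0.0.1:<random>.
write_config() {
    case "$2" in
    off)
        cat >"$1" <<'EOF'
# Docker-only host: no kubelet here, so the CRI plugin and its stream server
# are not needed. Disabling the plugin removes the TCP listener entirely.
disabled_plugins = ["cri"]
EOF
        ;;
    on)
        cat >"$1" <<'EOF'
# Upstream default: every plugin enabled, including CRI.
disabled_plugins = []
EOF
        ;;
    *)
        echo "usage: write_config <path> on|off" >&2
        return 2
        ;;
    esac
}

# Exit 0 if the config file disables the cri plugin, 1 otherwise. Comments
# are stripped first so a commented-out line does not count as disabled.
cri_disabled_in() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*disabled_plugins[[:space:]]*=.*"cri"'
}

# Constructed sample of `netstat -tanpul` on a Docker-only host running the
# upstream default config. The containerd line mirrors the one in this thread.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:45608         0.0.0.0:*               LISTEN      783/containerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhcpcd'

WORK=$(mktemp -d)
CFG_DEFAULT="$WORK/config-default.toml"
CFG_DOCKER_ONLY="$WORK/config-docker-only.toml"
write_config "$CFG_DEFAULT" on
write_config "$CFG_DOCKER_ONLY" off

echo "containerd TCP listeners in sample output:"
printf '%s\n' "$SAMPLE_NETSTAT" | containerd_listeners
echo "CRI stream server port: $(printf '%s\n' "$SAMPLE_NETSTAT" | containerd_listeners | listener_port)"
for f in "$CFG_DEFAULT" "$CFG_DOCKER_ONLY"; do
    if cri_disabled_in "$f"; then echo "$f: cri disabled"; else echo "$f: cri enabled"; fi
done
```

On a live host, replace the sample with `netstat -tanpul | containerd_listeners` and point `cri_disabled_in` at /etc/containerd/config.toml; after restarting containerd with the "off" fragment in place the listener should be gone. Two caveats: a config.toml that declares `version = 2` addresses plugins by their full ID, so there the entry is `disabled_plugins = ["io.containerd.grpc.v1.cri"]` rather than `"cri"`; and if the host does run a kubelet and CRI must stay on, the CRI plugin section printed by `containerd config default` for your version carries the stream server address and port settings, which is where to pin them instead of disabling the plugin.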

Closed by Morten Linderud (Foxboron)
Monday, 30 November 2020, 13:01 GMT
Reason for closing: Not a bug
Additional comments about closing: cri interface should be available.
Comment by Morten Linderud (Foxboron) - Sunday, 18 October 2020, 18:08 GMT
We don't change anything downstream. If upstream thinks this should be on by default, then that is how we package it.
Comment by Robert Edstrom (Legogris) - Sunday, 18 October 2020, 19:44 GMT
containerd maintainers do take the (IMO a bit odd) stance that it should be off by default when just running with Docker but on with kubernetes, still leaving the default as on and leaving it to distros/operators to supply reasonable default configuration. Reading the containerd documentation, it does seem to imply an expectation of a configuration at /etc/containerd/config.toml.

The issue above gives some context on this and why upstream thinks it should be off by default but on is still the current default behaviour.

CRI is disabled by default when installing containerd from main repos from Debian, Ubuntu, and the Docker repos/packages/install scripts. (These are the only ones I've checked)

Would it make sense to consider an alternative containerd-docker package that is identical apart from this configuration?

It's common for other major Arch packages to supply some form of default config, which may differ from binary defaults.

But if it's a principled hard stance from maintainers that this is the way it is for containerd, I guess there's nothing more to it.
Comment by Morten Linderud (Foxboron) - Thursday, 22 October 2020, 18:25 GMT
What's the output of the given command you gave in the issue?
Comment by Robert Edstrom (Legogris) - Thursday, 22 October 2020, 18:46 GMT
tcp 0 0 127.0.0.1:45608 0.0.0.0:* LISTEN 783/containerd
Comment by Morten Linderud (Foxboron) - Thursday, 22 October 2020, 18:49 GMT
Why is it a problem that the local port is open? I haven't found other distributions default disabling cri.
