chore: install runc manually to update to go1.19.12

[svor]

What does this PR do?

Trying to fix
CVE-2023-29404
CVE-2023-24540
CVE-2023-24538
CVE-2023-29405
CVE-2023-29402

All of them are related to go binary that comes with runc tool.
After installing runc manually:

bash-4.4$ runc -v
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.12
libseccomp: 2.5.2

before

bash-4.4$ runc -v
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.4
libseccomp: 2.5.2

What issues does this PR fix or reference?

https://issues.redhat.com/browse/CRW-4585

Release Notes

Docs PR (if applicable)

[nickboldt]

Tested by launching the UDI 3.10 container:

podman run -it --rm --entrypoint /bin/bash --user root quay.io/devspaces/udi-rhel8:3.10

then:

sh-4.4# runc -v; echo "--"; go version
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.4
libseccomp: 2.5.2
--
go version go1.19.10 linux/amd64

then install runc:

dnf install golang runc -y

and we still have go 1.19.10 installed, but runc reports go1.19.12:

sh-4.4# runc -v; echo "--"; go version
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.12
libseccomp: 2.5.2
--
go version go1.19.10 linux/amd64

RPMs installed are:

golang 1.19.10-1.module+el8.8.0+19203+782922b7
runc 1:1.1.4-1.module+el8.8.0+19993+47c8ef84 

[svor]

@nickboldt current changes are for pluginregistry-rhel8 but not for UDI container.

In pluginregistry we don't have golang and we don't need to install it. All CVE issues are related to /usr/bin/runc

podman run -it --rm --entrypoint /bin/bash --user root quay.io/devspaces/pluginregistry-rhel8:3.10

then

bash-4.4# runc -v; echo "--"; go version
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.4
libseccomp: 2.5.2
--
bash: go: command not found

after installing runc (I don't want to install golang) dnf install runc -y

bash-4.4# runc -v; echo "--"; go version
runc version 1.1.4
spec: 1.0.2-dev
go: go1.19.12
libseccomp: 2.5.2
--
bash: go: command not found

We see go1.19.12 instead of go1.19.4

[nickboldt]

We see go1.19.12 instead of go1.19.4

So is that a "built with" declaration then?

[svor]

So is that a "built with" declaration then?

As I understand, it is

[devstudio-release]

Build 3.10 :: pluginregistry_3.x/256: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: sync-to-downstream_3.x/4937: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: get-sources-rhpkg-container-build_3.x/4759: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: push-latest-container-to-quay_3.x/3487: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: get-sources-rhpkg-container-build_3.x/4759:

pluginregistry : 3.x :: Build 56175350 : quay.io/devspaces/pluginregistry-rhel8:3.10-14
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/3487 triggered

[devstudio-release]

Build 3.10 :: update-digests_3.x/4596: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: pluginregistry_3.x/256:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/4937 triggered

[devstudio-release]

Build 3.10 :: operator-bundle_3.x/2148: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: sync-to-downstream_3.x/4939: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: get-sources-rhpkg-container-build_3.x/4761: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: push-latest-container-to-quay_3.x/3488: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: copyIIBsToQuay/1997: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: get-sources-rhpkg-container-build_3.x/4761:

devspaces-operator-bundle : 3.x :: Build 56175886 : quay.io/devspaces/devspaces-operator-bundle:3.10-124
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/3488 triggered;

Bundle CSV related images:
- quay.io/devspaces/code-rhel8:3.10-79
- quay.io/devspaces/configbump-rhel8:3.10-12
- quay.io/devspaces/dashboard-rhel8:3.10-36
- quay.io/devspaces/devfileregistry-rhel8:3.10-66
- quay.io/devspaces/devspaces-rhel8-operator:3.10-13
- quay.io/devspaces/idea-rhel8:3.10-4
- quay.io/devspaces/pluginregistry-rhel8:3.10-14
- quay.io/devspaces/server-rhel8:3.10-18
- quay.io/devspaces/traefik-rhel8:3.10-6
- quay.io/devspaces/udi-rhel8:3.10-12
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12.0-202309181625.p0.g94f3fde.assembly.stream
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.12.0-202309181625.p0.g03e5b13.assembly.stream
= registry.redhat.io/rhscl/mongodb-36-rhel7:1-50
= registry.redhat.io/ubi8/ubi-minimal:8.8-1072.1696517598

[devstudio-release]

Build 3.10 :: sync-to-downstream_3.x/4939:

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/4761 triggered; /job/DS_CI/job/dsc_3.x triggered;

[devstudio-release]

Build 3.10 :: operator-bundle_3.x/2148:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/4939 triggered

[devstudio-release]

Build 3.10 :: dsc_3.x/1475: Console, Changes, Git Data

[devstudio-release]

Build 3.10 :: update-digests_3.x/4596:

Detected new images: rebuild operator-bundle
* pluginregistry; /DS_CI/operator-bundle_3.x/2148 triggered

[devstudio-release]

Build 3.10 :: dsc_3.x/1475:

3.10.0-CI