fix(deps): update ghcr.io/codize-dev/nsjail:latest docker digest to d38c6f4#80

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/ghcr.io-codize-dev-nsjail-latest

Conversation

@renovate renovate Bot commented Jun 30, 2026

Contributor

This PR contains the following updates:

Package                    Type   Update  Change
ghcr.io/codize-dev/nsjail  stage  digest  fce880b → d38c6f4

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions


Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Major Changes:

  • Core Scheduling Support Added: The update from digest fce880b to d38c6f4 includes three commits, with the primary change being the addition of Linux core scheduling support (PR #271 in google/nsjail)
  • Commit Range: a724647 → 4c04831 (3 commits total)
  • Key Commit: 81784bf - Adds --use_core_scheduling flag that calls prctl(PR_SCHED_CORE_CREATE) to give each jail its own SMT scheduling group

Breaking Changes:

  • None: The core scheduling feature is:
    • Opt-in via --use_core_scheduling flag (defaults to false)
    • Protected by #ifdef PR_SCHED_CORE guards for compatibility with older kernel headers
    • Fully backward compatible with existing configurations

Security Fixes:

  • Enhanced Side-Channel Attack Mitigation: The core scheduling feature prevents sandboxed processes from sharing physical CPU cores with other tenants, mitigating L1TF/MDS side-channel attacks in multi-tenant environments
  • Requirements: Linux kernel >= 5.14 (feature is gracefully skipped on older kernels)

Additional Commits:

  • d6454b4: Merge pull request #271
  • 4c04831: Merge branch 'master' of github.com/google/nsjail (sync upstream)

🎯 Impact Scope Investigation

Usage Location Analysis:

  • Dockerfile Line 15: The nsjail base image is used as the foundation for the multi-stage Docker build
  • Base Image Purpose: Provides the nsjail binary (/bin/nsjail) and Debian bookworm-slim environment
  • No Direct Flag Usage: The codebase does not currently use the new --use_core_scheduling flag in:
    • internal/sandbox/configs/nsjail.cfg (static configuration)
    • internal/sandbox/execution.go (runtime argument building)
    • No references to PR_SCHED_CORE or use_core_scheduling found in the codebase

Impact on Dependencies:

  • Runtime Compatibility: No changes to existing runtime installations (Node.js, Ruby, Go, Python, Rust, Bash)
  • Configuration Files: Existing nsjail.cfg and seccomp.kafel remain fully compatible
  • API Compatibility: No changes to nsjail command-line arguments currently used by the sandbox
  • Resource Limits: No impact on cgroup, rlimit, or seccomp-bpf configurations

Impact on Existing Functionality:

  • Zero Breaking Impact: Since the new feature is opt-in and defaults to disabled, all existing sandbox behavior remains unchanged
  • Docker Build: Successfully pulled and verified new digest sha256:d38c6f4...
  • CI Status: Passing checks include hadolint, lint, build, unit tests, and security scans

💡 Recommended Actions

Immediate Actions:

  1. Safe to merge: This update can be merged immediately without any code modifications
  2. Wait for E2E tests: The E2E tests (ubuntu-latest and ubuntu-24.04-arm) are currently pending - recommend waiting for completion before merging
  3. Stability days requirement: Renovate's stability-days check is pending, indicating the update hasn't met the minimum release age requirement configured in the repository

Optional Future Enhancements:

  • Consider enabling core scheduling: The new --use_core_scheduling feature provides additional security hardening for multi-tenant environments. To enable:
    • Add use_core_scheduling: true to internal/sandbox/configs/nsjail.cfg, or
    • Add --use_core_scheduling flag in internal/sandbox/execution.go buildArgs()
  • Verify kernel version: Ensure the Docker host kernel is >= 5.14 if enabling core scheduling (feature gracefully degrades on older kernels)

No Migration Work Required:

  • No code changes needed
  • No configuration updates required
  • No breaking API changes
  • Existing nsjail invocations remain fully functional

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
