
How to Fix CVE-2024-21626 Vulnerability

On February 1, 2024, the runc community published a security advisory for a runc container escape, identified as CVE-2024-21626. The root cause is an internal file descriptor leak in runc; an attacker who exploits it can gain unauthorized access to the entire file system of the host on which the container runs.

DCE 5.0 Installer has released version v0.15.2, which upgrades containerd to 1.7.13 and runc to v1.1.12. Clusters created in a DCE 5.0 environment based on version v0.15.2 are therefore not affected by this vulnerability.

Note

After upgrading to version v0.15.2, the supported cluster versions have been updated from v1.26.0 ~ v1.29.0 to v1.27.0 ~ v0.29.1.

Solution

Prerequisites

Confirm which range the cluster version falls in; this can be done in the following two ways:

  • If the cluster version is v1.27.0 ~ v0.29.1, follow the Upgrade DCE 5.0 Components guide to upgrade. After a successful upgrade, refer to the steps below under Updating Component Version Configuration and Issuing Component Upgrade Tasks.
  • Visit kubean to view the released artifacts, and choose the specific artifact version based on the actual situation. The supported artifact versions and corresponding cluster version ranges are as follows:

    Artifact Version | Supported Cluster Range | DCE 5.0 Support             | Notes
    release-2.21     | v1.23.0 ~ v1.25.6       | Installer v0.14.0+          | The community currently does not support upgrading the runc component in this artifact package.
    release-2.22     | v1.24.0 ~ v1.26.9       | Installer v0.15.0+          | Supports the latest runc and containerd
    release-2.23     | v1.25.0 ~ v1.27.7       | Expected Installer v0.16.0+ | Expected support in April

    Therefore, only the release-2.22 artifact package currently supports containerd and runc upgrades, so for cluster versions v1.24.0 ~ v1.26, follow all the steps below.

This article demonstrates, for an offline-deployed K8s cluster of version v1.24.14, upgrading containerd from 1.7.1 to 1.7.13 and runc from v1.1.7 to v1.1.12; the release-2.22 artifact is therefore chosen.

Steps

  1. Define environment variables: minio address and username/password

    MINIO_USER="rootuser"
    MINIO_PASS="rootpass123"
    MINIO_ADDR="http://172.30.**.***:9000"
    
  2. Define environment variable: airgap-patch image address

    AIRGAP_PATCH_IMG="ghcr.m.daocloud.io/kubean-io/airgap-patch:2.22-71b6fa1"
    
  3. Only create component packages for x86 architecture

    cat > "manifest.yml" <<EOF
    image_arch:
      - "amd64" ## "arm64"
    containerd_version:
      - "1.7.13"
    runc_version:
      - "v1.1.12"
    EOF
    
  4. Create offline package in an online environment

    podman run -e ZONE=CN \
        -v "$(pwd)/data/":/data/ \
        -v "$(pwd)/manifest.yml":/manifest.yml \
        ${AIRGAP_PATCH_IMG}
    
  5. Import binary package and offline images

    # Import binary package
    
    cd ./data/amd64/files/
    
    MINIO_USER="${MINIO_USER}" MINIO_PASS="${MINIO_PASS}" ./import_files.sh "${MINIO_ADDR}"
    
  6. Deploy the localartifactset.cr.yaml custom resource to the kubean-managed cluster or the Global cluster; in this example, the Global cluster is used.

    kubectl apply -f data/localartifactset.cr.yaml
    

Updating Component Version Configuration

  1. Get the resource name of the cluster's vars configmap (referenced by spec.varsConfRef)

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.varsConfRef}{'\n'}"
    {"name":"mini-1-vars-conf","namespace":"kubean-system"}
    
  2. Edit the cluster configuration file named mini-1-vars-conf to add the required component version information for updating. Here, update containerd to 1.7.13 and runc to v1.1.12.

    $ kubectl -n kubean-system edit cm mini-1-vars-conf
    
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: mini-1-vars-conf
      namespace: kubean-system
    data:
      group_vars.yml: |-
        unsafe_show_logs: true
        container_manager: containerd
        kube_version: v1.24.14        # Keep kube version same as current cluster version, add if not present
        containerd_version: 1.7.13    # Update containerd from original 1.7.1 to 1.7.13
        runc_version: v1.1.12         # Update runc from original v1.1.7 to v1.1.12
        kube_network_plugin: calico
        kube_network_plugin_multus: false
        kube_proxy_mode: iptables
        etcd_deployment_type: kubeadm
        override_system_hostname: true
        ntp_enabled: true
        ...
    

Issuing Component Upgrade Tasks

  1. Get the name of the cluster

    # For example, if the resource name of clusters.kubean.io is cluster-mini-1
    # Get the cluster name
    CLUSTER_NAME=$(kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.metadata.name}{'\n'}")
    
  2. Get the resource name of the cluster's hosts configmap (referenced by spec.hostsConfRef)

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.hostsConfRef}{'\n'}"
    {"name":"mini-1-hosts-conf","namespace":"kubean-system"}
    
  3. Upload the spray-job image to the offline image repository

    REGISTRY_ADDR="10.5.14.100"
    
    # Use accelerator address for the spray-job image
    SPRAY_IMG_ADDR="ghcr.io/kubean-io/spray-job:2.22-71b6fa1"
    
    # Skopeo parameters
    SKOPEO_PARAMS=" --insecure-policy -a --dest-tls-verify=false --retry-times=3 "
    
    skopeo copy ${SKOPEO_PARAMS} docker-archive:spray-job.tar docker://${REGISTRY_ADDR}/${SPRAY_IMG_ADDR}
    
  4. Create the corresponding upgrade task

    SPRAY_IMG_ADDR="10.5.14.100/ghcr.io/kubean-io/spray-job"
    SPRAY_TAG="2.22-71b6fa1"
    CLUSTER_NAME="fu-113-42-old"
    
    cat << EOF | kubectl apply -f -
    ---
    apiVersion: kubean.io/v1alpha1
    kind: ClusterOperation
    metadata:
      name: cluster-mini-1-upgrades
    spec:
      cluster: ${CLUSTER_NAME}
      image: ${SPRAY_IMG_ADDR}:${SPRAY_TAG}
      actionType: playbook
      action: upgrade-cluster.yml
      postHook:
        - actionType: playbook
          action: cluster-info.yml
    EOF
    
  5. Check the component upgrade results

    # runc version
    runc --version
    
    # containerd version
    containerd --version
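As an added check that is not part of this guide, the following script parses the two version banners from the step above and gates a node on the fixed versions named in this article (runc v1.1.12, containerd 1.7.13). It assumes the banner formats shown in its comments; the sample banner and commit hash in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the DCE 5.0 guide): gate a node on the fixed versions
# this guide installs, runc v1.1.12 and containerd 1.7.13. Assumes the banners
# look like "runc version 1.1.12" and "containerd <repo> v1.7.13 <commit>".
RUNC_FIXED="1.1.12"
CONTAINERD_FIXED="1.7.13"

# extract_version BANNER: first x.y.z in the banner, with any leading 'v' dropped.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^0-9.]v\{0,1\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p' |
        head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing component by component.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        ax=$(printf '%s' "$1" | cut -d. -f"$i")
        bx=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_runtime NAME BANNER MIN: report and return 0 (fixed), 1 (below MIN), 2 (unparseable).
check_runtime() {
    ver=$(extract_version "$2")
    if [ -z "$ver" ]; then
        echo "$1: could not parse a version from: $2"
        return 2
    fi
    if version_ge "$ver" "$3"; then
        echo "$1 $ver: at or above fixed version $3"
        return 0
    fi
    echo "$1 $ver: below fixed version $3, upgrade required (CVE-2024-21626)"
    return 1
}

# Constructed pre-upgrade banner (the v1.1.7 runc this guide replaces): the failing case.
check_runtime runc "runc version 1.1.7" "$RUNC_FIXED" || true
# Live check of this host, skipped when the binaries are not on PATH.
if command -v runc >/dev/null 2>&1 && command -v containerd >/dev/null 2>&1; then
    check_runtime runc "$(runc --version)" "$RUNC_FIXED" || true
    check_runtime containerd "$(containerd --version)" "$CONTAINERD_FIXED" || true
fi
```

Run it on each node after the ClusterOperation finishes; a non-zero return from check_runtime marks a node that still needs the upgrade.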
    
