Skip to content

How to Fix CVE-2024-21626 Vulnerability

On February 1, 2024, the runc community publicly announced a security advisory for runc container escape, identified as CVE-2024-21626 . The root cause of this vulnerability is due to an internal file descriptor leak in runc, allowing attackers to exploit the vulnerability and gain unauthorized access to the entire file system of the host where the container is located.

DCE 5.0 Installer has released v0.15.2, which upgrades the containerd version to 1.7.13 and the runc version to v1.1.12 . This means that clusters created in the DCE 5.0 environment based on v0.15.2 are not affected by this vulnerability.

Note

After upgrading to v0.15.2, the supported cluster versions have been updated from v1.26.0 ~ v1.29.0 to v1.27.0 ~ v0.29.1.

Solution

Prerequisites

Confirm the scope of the cluster, which can be done in the following two ways:

  • If the cluster version is v1.27.0 ~ v0.29.1, follow the Upgrade DCE 5.0 Components guide for upgrading. After a successful upgrade, refer to the steps below for Updating Component Versions Configuration and Issuing Component Upgrade Tasks.
  • Visit kubean to view the released artifacts, and choose the specific artifact version based on the actual situation. The supported artifact versions and corresponding cluster version ranges are as follows:

    Artifact Version Supported k8s DCE 5.0 Support Notes
    release-2.21 v1.23.0 ~ v1.25.6 Installer v0.14.0+ The community currently does not support the upgrade of the runc component in this artifact package.
    release-2.22 v1.24.0 ~ v1.26.9 Installer v0.15.0+ Supports the latest runc, containerd
    release-2.23 v1.25.0 ~ v1.27.7 Expected Installer v0.16.0+ Expected support in April

    Therefore, only the release-2.22 artifact package currently supports containerd, runc upgrades . Hence, for cluster versions v1.24.0 ~ v1.26, follow all the steps below.

This article demonstrates the offline deployment of a K8s cluster version v1.24.14, upgrading the containerd version from 1.7.1 to 1.7.13 , and the runc version from v1.1.7 to v1.1.12 . Therefore, choose the release-2.22 artifact.

Steps

  1. Define environment variables: minio address and username/password

    MINIO_USER="rootuser"
    MINIO_PASS="rootpass123"
    MINIO_ADDR="http://172.30.**.***:9000"
    
  2. Define environment variable: airgap-patch image address

    AIRGAP_PATCH_IMG="ghcr.m.daocloud.io/kubean-io/airgap-patch:2.22-71b6fa1"
    
  3. Only create component packages for x86 architecture

    cat > "manifest.yml" <<EOF
    image_arch:
      - "amd64" ## "arm64"
    containerd_version:
      - "1.7.13"
    runc_version:
      - "v1.1.12"
    EOF
    
  4. Create offline package in an online environment

    podman run -e ZONE=CN \
        -v "$(pwd)/data/":/data/ \
        -v "$(pwd)/manifest.yml":/manifest.yml \
        ${AIRGAP_PATCH_IMG}
    
  5. Import binary package and offline images

    # Import binary package
    
    cd ./data/amd64/files/
    MINIO_USER="${MINIO_USER}" MINIO_PASS="${MINIO_PASS}" ./import_files.sh "${MINIO_ADDR}"
    
  6. Deploy the localartifactset.cr.yaml custom resource to the kubean-managed cluster or Global cluster , in this example, a Global cluster is used.

    kubectl apply -f data/localartifactset.cr.yaml
    

Updating Component Version Configuration

  1. Get the resource name of the cluster's hosts configmap

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.varsConfRef}{'\n'}"
    {"name":"mini-1-vars-conf","namespace":"kubean-system"}
    
  2. Edit the cluster configuration file named mini-1-vars-conf to add the required component version information for updating. Here, update containerd to 1.7.13 and runc to v1.1.12.

    kubectl -n kubean-system edit cm mini-1-vars-conf
    
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: mini-1-vars-conf
      namespace: kubean-system
    data:
      group_vars.yml: |-
        unsafe_show_logs: true
        container_manager: containerd
        kube_version: v1.24.14        # (1)
        containerd_version: 1.7.13    # (2)
        runc_version: v1.1.12         # (3)
        kube_network_plugin: calico
        kube_network_plugin_multus: false
        kube_proxy_mode: iptables
        etcd_deployment_type: kubeadm
        override_system_hostname: true
        ntp_enabled: true
        ...
    

    1. Keep kube version same as current cluster version, add if not present
    2. Update containerd from original 1.7.1 to 1.7.13
    3. Update runc from original v1.1.7 to v1.1.12

Issuing Component Upgrade Tasks

  1. Get the name of the cluster

    # For example, if the resource name of clusters.kubean.io is cluster-mini-1
    # Get the cluster name
    CLUSTER_NAME=$(kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.metadata.name}{'\n'}")
    
  2. Get the resource name of the cluster configuration parameters configmap

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.hostsConfRef}{'\n'}"
    {"name":"mini-1-hosts-conf","namespace":"kubean-system"}
    
  3. Upload the spray-job image to the offline container registry

    REGISTRY_ADDR="10.5.14.100"
    
    # Use accelerator address for the spray-job image
    SPRAY_IMG_ADDR="ghcr.io/kubean-io/spray-job:2.22-71b6fa1"
    
    # Skopeo parameters
    SKOPEO_PARAMS=" --insecure-policy -a --dest-tls-verify=false --retry-times=3 "
    
    skopeo copy ${SKOPEO_PARAMS} docker-archive:spray-job.tar docker://${REGISTRY_ADDR}/${SPRAY_IMG_ADDR}
    
  4. Create the corresponding upgrade task

    SPRAY_IMG_ADDR="10.5.14.100/ghcr.io/kubean-io/spray-job"
    SPRAY_TAG="2.22-71b6fa1"
    CLUSTER_NAME="fu-113-42-old"
    
    cat << EOF | kubectl apply -f -
    ---
    apiVersion: kubean.io/v1alpha1
    kind: ClusterOperation
    metadata:
      name: cluster-mini-1-upgrades
    spec:
      cluster: ${CLUSTER_NAME}
      image: ${SPRAY_IMG_ADDR}:${SPRAY_TAG}
      actionType: playbook
      action: upgrade-cluster.yml
      postHook:
        - actionType: playbook
          action: cluster-info.yml
    EOF
    
  5. Check the component upgrade results

    # runc version
    runc --version
    
    # containerd version
    containerd --version
    

Comments