How to Fix CVE-2024-21626 Vulnerability¶
On February 1, 2024, the runc community publicly announced a security advisory for runc container escape, identified as CVE-2024-21626 . The root cause of this vulnerability is due to an internal file descriptor leak in runc, allowing attackers to exploit the vulnerability and gain unauthorized access to the entire file system of the host where the container is located.
DCE 5.0 Installer has released v0.15.2, which upgrades the containerd version to 1.7.13 and the runc version to v1.1.12 . This means that clusters created in the DCE 5.0 environment based on v0.15.2 are not affected by this vulnerability.
Note
After upgrading to v0.15.2, the supported cluster versions have been updated from v1.26.0 ~ v1.29.0 to v1.27.0 ~ v0.29.1.
Solution¶
Prerequisites¶
Confirm the scope of the cluster, which can be done in the following two ways:
- If the cluster version is v1.27.0 ~ v0.29.1, follow the Upgrade DCE 5.0 Components guide for upgrading. After a successful upgrade, refer to the steps below for Updating Component Versions Configuration and Issuing Component Upgrade Tasks.
-
Visit kubean to view the released artifacts, and choose the specific artifact version based on the actual situation. The supported artifact versions and corresponding cluster version ranges are as follows:
Artifact Version Supported k8s DCE 5.0 Support Notes release-2.21 v1.23.0 ~ v1.25.6 Installer v0.14.0+ The community currently does not support the upgrade of the runc component in this artifact package. release-2.22 v1.24.0 ~ v1.26.9 Installer v0.15.0+ Supports the latest runc, containerd release-2.23 v1.25.0 ~ v1.27.7 Expected Installer v0.16.0+ Expected support in April Therefore, only the release-2.22 artifact package currently supports containerd, runc upgrades . Hence, for cluster versions v1.24.0 ~ v1.26, follow all the steps below.
This article demonstrates the offline deployment of a K8s cluster version v1.24.14
, upgrading the containerd version from 1.7.1 to 1.7.13 , and the runc version from v1.1.7 to v1.1.12 . Therefore, choose the release-2.22
artifact.
Steps¶
Creating and Importing runc/containerd Related Offline Packages¶
-
Define environment variables: minio address and username/password
-
Define environment variable: airgap-patch image address
-
Only create component packages for x86 architecture
-
Create offline package in an online environment
-
Import binary package and offline images
-
Deploy the
localartifactset.cr.yaml
custom resource to the kubean-managed cluster or Global cluster , in this example, a Global cluster is used.
Updating Component Version Configuration¶
-
Get the resource name of the cluster's hosts configmap
-
Edit the cluster configuration file named
mini-1-vars-conf
to add the required component version information for updating. Here, update containerd to1.7.13
and runc tov1.1.12
.apiVersion: v1 kind: ConfigMap metadata: name: mini-1-vars-conf namespace: kubean-system data: group_vars.yml: |- unsafe_show_logs: true container_manager: containerd kube_version: v1.24.14 # (1) containerd_version: 1.7.13 # (2) runc_version: v1.1.12 # (3) kube_network_plugin: calico kube_network_plugin_multus: false kube_proxy_mode: iptables etcd_deployment_type: kubeadm override_system_hostname: true ntp_enabled: true ...
- Keep kube version same as current cluster version, add if not present
- Update containerd from original 1.7.1 to 1.7.13
- Update runc from original v1.1.7 to v1.1.12
Issuing Component Upgrade Tasks¶
-
Get the name of the cluster
-
Get the resource name of the cluster configuration parameters configmap
-
Upload the spray-job image to the offline container registry
REGISTRY_ADDR="10.5.14.100" # Use accelerator address for the spray-job image SPRAY_IMG_ADDR="ghcr.io/kubean-io/spray-job:2.22-71b6fa1" # Skopeo parameters SKOPEO_PARAMS=" --insecure-policy -a --dest-tls-verify=false --retry-times=3 " skopeo copy ${SKOPEO_PARAMS} docker-archive:spray-job.tar docker://${REGISTRY_ADDR}/${SPRAY_IMG_ADDR}
-
Create the corresponding upgrade task
SPRAY_IMG_ADDR="10.5.14.100/ghcr.io/kubean-io/spray-job" SPRAY_TAG="2.22-71b6fa1" CLUSTER_NAME="fu-113-42-old" cat << EOF | kubectl apply -f - --- apiVersion: kubean.io/v1alpha1 kind: ClusterOperation metadata: name: cluster-mini-1-upgrades spec: cluster: ${CLUSTER_NAME} image: ${SPRAY_IMG_ADDR}:${SPRAY_TAG} actionType: playbook action: upgrade-cluster.yml postHook: - actionType: playbook action: cluster-info.yml EOF
-
Check the component upgrade results