Skip to content

How to Fix CVE-2024-21626 Vulnerability

On February 1, 2024, the runc community publicly announced a security advisory for runc container escape, identified as CVE-2024-21626 . The root cause of this vulnerability is due to an internal file descriptor leak in runc, allowing attackers to exploit the vulnerability and gain unauthorized access to the entire file system of the host where the container is located.

DCE 5.0 Installer has released version v0.15.2, which upgrades the containerd version to 1.7.13 and the runc version to v1.1.12 . This means that clusters created in the DCE 5.0 environment based on version v0.15.2 are not affected by this vulnerability.

Note

After upgrading to version v0.15.2, the supported cluster versions have been updated from v1.26.0 ~ v1.29.0 to v1.27.0 ~ v0.29.1.

Solution

Prerequisites

Confirm the scope of the cluster, which can be done in the following two ways:

  • If the cluster version is v1.27.0 ~ v0.29.1, follow the Upgrade DCE 5.0 Components guide for upgrading. After a successful upgrade, refer to the steps below for Updating Component Versions Configuration and Issuing Component Upgrade Tasks.

  • Visit kubean to view the released artifacts, and choose the specific artifact version based on the actual situation. The supported artifact versions and corresponding cluster version ranges are as follows:

    Artifact Version Supported k8s DCE 5.0 Support Notes
    release-2.21 v1.23.0 ~ v1.25.6 Installer v0.14.0+ The community currently does not support the upgrade of the runc component in this artifact package.
    release-2.22 v1.24.0 ~ v1.26.9 Installer v0.15.0+ Supports the latest runc, containerd
    release-2.23 v1.25.0 ~ v1.27.7 Expected Installer v0.16.0+ Expected support in April

    Therefore, only the release-2.22 artifact package currently supports containerd, runc upgrades . Hence, for cluster versions v1.24.0 ~ v1.26, follow all the steps below.

This article demonstrates the offline deployment of a K8s cluster version v1.24.14, upgrading the containerd version from 1.7.1 to 1.7.13 , and the runc version from v1.1.7 to v1.1.12 . Therefore, choose the release-2.22 artifact.

Steps

  1. Define environment variables: minio address and username/password

    MINIO_USER="rootuser"
MINIO_PASS="rootpass123"
MINIO_ADDR="http://172.30.**.***:9000"

  2. Define environment variable: airgap-patch image address

    AIRGAP_PATCH_IMG="ghcr.m.daocloud.io/kubean-io/airgap-patch:2.22-71b6fa1"

  3. Only create component packages for x86 architecture

    cat > "manifest.yml" <<EOF
image_arch:
  - "amd64" ## "arm64"
containerd_version:
  - "1.7.13"
runc_version:
  - "v1.1.12"
EOF

  4. Create offline package in an online environment

    podman run -e ZONE=CN \
    -v "$(pwd)/data/":/data/ \
    -v "$(pwd)/manifest.yml":/manifest.yml \
    ${AIRGAP_PATCH_IMG}

  5. Import binary package and offline images

    # Import binary package

cd ./data/amd64/files/
MINIO_USER="${MINIO_USER}" MINIO_PASS="${MINIO_PASS}" ./import_files.sh "${MINIO_ADDR}"

  6. Deploy the localartifactset.cr.yaml custom resource to the kubean-managed cluster or Global cluster , in this example, a Global cluster is used.

    kubectl apply -f data/localartifactset.cr.yaml

Updating Component Version Configuration

  1. Get the resource name of the cluster's hosts configmap

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.varsConfRef}{'\n'}"
{"name":"mini-1-vars-conf","namespace":"kubean-system"}

  2. Edit the cluster configuration file named mini-1-vars-conf to add the required component version information for updating. Here, update containerd to 1.7.13 and runc to v1.1.12.

    $ kubectl -n kubean-system edit cm mini-1-vars-conf

    apiVersion: v1
kind: ConfigMap
metadata:
  name: mini-1-vars-conf
  namespace: kubean-system
data:
  group_vars.yml: |-
    unsafe_show_logs: true
    container_manager: containerd
    kube_version: v1.24.14        # (1)
    containerd_version: 1.7.13    # (2)
    runc_version: v1.1.12         # (3)
    kube_network_plugin: calico
    kube_network_plugin_multus: false
    kube_proxy_mode: iptables
    etcd_deployment_type: kubeadm
    override_system_hostname: true
    ntp_enabled: true
    ...

    1. Keep kube version same as current cluster version, add if not present
    2. Update containerd from original 1.7.1 to 1.7.13
    3. Update runc from original v1.1.7 to v1.1.12

Issuing Component Upgrade Tasks

  1. Get the name of the cluster

    # For example, if the resource name of clusters.kubean.io is cluster-mini-1
# Get the cluster name
CLUSTER_NAME=$(kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.metadata.name}{'\n'}")

  2. Get the resource name of the cluster configuration parameters configmap

    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.hostsConfRef}{'\n'}"
{"name":"mini-1-hosts-conf","namespace":"kubean-system"}

  3. Upload the spray-job image to the offline image repository

    REGISTRY_ADDR="10.5.14.100"

# Use accelerator address for the spray-job image
SPRAY_IMG_ADDR="ghcr.io/kubean-io/spray-job:2.22-71b6fa1"

# Skopeo parameters
SKOPEO_PARAMS=" --insecure-policy -a --dest-tls-verify=false --retry-times=3 "

skopeo copy ${SKOPEO_PARAMS} docker-archive:spray-job.tar docker://${REGISTRY_ADDR}/${SPRAY_IMG_ADDR}

  4. Create the corresponding upgrade task

    SPRAY_IMG_ADDR="10.5.14.100/ghcr.io/kubean-io/spray-job"
SPRAY_TAG="2.22-71b6fa1"
CLUSTER_NAME="fu-113-42-old"

cat << EOF | kubectl apply -f -
---
apiVersion: kubean.io/v1alpha1
kind: ClusterOperation
metadata:
  name: cluster-mini-1-upgrades
spec:
  cluster: ${CLUSTER_NAME}
  image: ${SPRAY_IMG_ADDR}:${SPRAY_TAG}
  actionType: playbook
  action: upgrade-cluster.yml
  postHook:
    - actionType: playbook
      action: cluster-info.yml
EOF

  5. Check the component upgrade results

    # runc version
runc --version

# containerd version
containerd --version

Comments