Open use-epoll opened 4 months ago
This issue has been automatically closed because we haven't heard back for more than 60 days, please reopen this issue if necessary.
By default, these binary files have already been packaged into the image. There may be a solution:
Package project path: https://github.com/labring-actions/runtime/blob/main/containerd/scripts/init-containerd.sh
Check where runc is located:
root@node40:~# sealos create registry.cn-shanghai.aliyuncs.com/labring/kubernetes:v1.29.3
2024-04-21T17:00:07 info Shell command: export registryPassword="passw0rd" disableApparmor="false" SEALOS_SYS_CRI_ENDPOINT="/var/run/containerd/containerd.sock" registryData="/var/lib/registry" registryConfig="/etc/registry" registryDomain="sealos.hub" SEALOS_SYS_IMAGE_ENDPOINT="/var/run/image-cri-shim.sock" defaultVIP="10.103.97.2" criData="/var/lib/containerd" registryPort="5000" sandboxImage="pause:3.9" registryUsername="admin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ;
2024-04-21T17:00:07 info Mount point: /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:~#
root@node40:~#
root@node40:~# cd /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# ls
bin cri etc images Kubefile opt README.md registry scripts statics
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged#
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# cd cri/
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# ls
cri-containerd.tar.gz image-cri-shim libseccomp.tar.gz registry
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# tar -zxvf cri-containerd.tar.gz
usr/
usr/bin/
usr/bin/runc
usr/bin/ctr
usr/bin/containerd
usr/bin/containerd-shim
usr/bin/containerd-shim-runc-v2
usr/bin/containerd-shim-runc-v1
usr/bin/containerd-stress
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri#
You can create a separate sealos image that only contains cri-containerd.tar.gz, and then use the sealos merge command to merge it into the official image to overwrite the cri-containerd.tar.gz in the official image.
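A check that fits the steps in the comment above, as an added example that is not part of the original thread or the sealos project's code: it reads the version reported by the runc binary packed in cri-containerd.tar.gz and compares it with 1.1.12, the release the issue names as the fix. The function names and the sample `runc --version` text are constructed for illustration, and `check_bundle` assumes the tarball was built for the host's architecture.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
FIXED_RUNC="1.1.12"   # release the issue names as the fix for CVE-2024-21626

# Read `runc --version` output on stdin and print its X.Y.Z version.
# Suffixes such as "-rc.1" or "+dev" are dropped.
runc_version() {
  sed -n 's/^runc version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when X.Y.Z version A >= B. Fields are compared as
# numbers, so 1.1.9 sorts below 1.1.12 (a plain string compare gets this wrong).
version_ge() (
  IFS=.
  set -- $1 $2
  [ "$#" -eq 6 ] || exit 2
  [ "$1" -gt "$4" ] && exit 0
  [ "$1" -lt "$4" ] && exit 1
  [ "$2" -gt "$5" ] && exit 0
  [ "$2" -lt "$5" ] && exit 1
  [ "$3" -ge "$6" ]
)

# Read `runc --version` output on stdin; print a verdict, return 0 only if patched.
check_runc_output() {
  v=$(runc_version)
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if version_ge "$v" "$FIXED_RUNC"; then echo "patched $v"; return 0; fi
  echo "needs-upgrade $v"; return 1
}

# check_bundle TARBALL: unpack usr/bin/runc (path as in the tar listing above)
# from cri-containerd.tar.gz into a temp dir and check the version it reports.
check_bundle() {
  tmp=$(mktemp -d) || return 2
  tar -xzf "$1" -C "$tmp" usr/bin/runc || { rm -rf "$tmp"; return 2; }
  rc=0
  "$tmp/usr/bin/runc" --version | check_runc_output || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Constructed sample of `runc --version` output, for a dry run without a tarball.
SAMPLE_OLD='runc version 1.1.9
commit: v1.1.9-0-g0000000
spec: 1.0.2-dev'
printf '%s\n' "$SAMPLE_OLD" | check_runc_output || true   # prints: needs-upgrade 1.1.9
```

Run `check_bundle cri/cri-containerd.tar.gz` from the image mount point both before and after merging a replacement tarball, so the overwrite is confirmed rather than assumed.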
What is the problem this feature will solve?
runc < 1.1.11 has CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). runc 1.1.12 fixes it.
If you have a solution, please describe it
runc 1.1.12 fixes it.
What alternatives have you considered?
No response