labring / sealos

Sealos is a production-ready Kubernetes distribution that provides a one-stop solution for both public and private cloud. https://sealos.io
https://cloud.sealos.io
Apache License 2.0

How to change the runc version in an image of labring/kubernetes or labring/kubernetes-docker #4524

Open use-epoll opened 4 months ago

use-epoll commented 4 months ago

What is the problem this feature will solve?

runc < 1.1.11 has CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). runc 1.1.12 fixes it.

If you have a solution, please describe it

runc 1.1.12 fixes it

What alternatives have you considered?

No response

stale[bot] commented 2 months ago

This issue has been automatically closed because we haven't heard back for more than 60 days; please reopen this issue if necessary.

willzhang commented 2 months ago

By default, these binary files have already been packaged into the image. There may be a solution:

  1. Upgrade to an image version which has the latest version of runc
  2. Create your own image
  3. Use the sealos merge command to replace the cri-containerd.tar.gz in the official image

Package project path: https://github.com/labring-actions/runtime/blob/main/containerd/scripts/init-containerd.sh

Check where runc is located:

root@node40:~# sealos create  registry.cn-shanghai.aliyuncs.com/labring/kubernetes:v1.29.3
2024-04-21T17:00:07 info Shell command: export registryPassword="passw0rd" disableApparmor="false" SEALOS_SYS_CRI_ENDPOINT="/var/run/containerd/containerd.sock" registryData="/var/lib/registry" registryConfig="/etc/registry" registryDomain="sealos.hub" SEALOS_SYS_IMAGE_ENDPOINT="/var/run/image-cri-shim.sock" defaultVIP="10.103.97.2" criData="/var/lib/containerd" registryPort="5000" sandboxImage="pause:3.9" registryUsername="admin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ; 
2024-04-21T17:00:07 info Mount point: /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:~# 
root@node40:~# 
root@node40:~# cd /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# ls
bin  cri  etc  images  Kubefile  opt  README.md  registry  scripts  statics
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# 
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# cd cri/
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# ls
cri-containerd.tar.gz  image-cri-shim  libseccomp.tar.gz  registry
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# tar -zxvf cri-containerd.tar.gz 
usr/
usr/bin/
usr/bin/runc
usr/bin/ctr
usr/bin/containerd
usr/bin/containerd-shim
usr/bin/containerd-shim-runc-v2
usr/bin/containerd-shim-runc-v1
usr/bin/containerd-stress
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# 

You can create a separate sealos image that only contains cri-containerd.tar.gz, and then use the sealos merge command to merge it into the official image to overwrite the cri-containerd.tar.gz in the official image.
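As an added example (not the sealos project's own tooling), the shell script below walks the route described above: check the version of the runc packed in cri-containerd.tar.gz, repack the archive with a patched runc, and build a cri-only sealos image to merge over the official one. The `runc-patch:latest` tag, the Kubefile contents and the assumption that the last image passed to `sealos merge` wins for overlapping files are mine, not from the page.

```shell
#!/bin/sh
# Added example (not sealos project code): swap usr/bin/runc inside cri-containerd.tar.gz
# and merge the result over the official image. Image tags and paths are placeholders.
set -eu

MIN_RUNC="1.1.12"   # first runc release with the CVE-2024-21626 fix (per the issue)

# Print the X.Y.Z from `runc --version` output ("runc version 1.1.12 ...").
runc_version() {
  "$1" --version 2>/dev/null | awk '/^runc version/ { print $3; exit }'
}

# Exit 0 when dotted version $1 >= $2, comparing the first three numeric fields.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".");
    for (i = 1; i <= 3; i++) { if (x[i]+0 > y[i]+0) exit 0; if (x[i]+0 < y[i]+0) exit 1 }
    exit 0 }'
}

# Print "fixed", "vulnerable" or "unknown" for the runc binary at $1.
runc_status() {
  v="$(runc_version "$1")"
  if [ -z "$v" ]; then echo unknown; return 2; fi
  if version_ge "$v" "$MIN_RUNC"; then echo fixed; else echo vulnerable; fi
}

# $1 = original cri-containerd.tar.gz, $2 = replacement runc, $3 = output tar.gz.
# Only usr/bin/runc changes; containerd, ctr and the shims stay as packaged.
repack_with_runc() {
  work="$(mktemp -d)"
  tar -xzf "$1" -C "$work"
  [ -f "$work/usr/bin/runc" ] || { echo "no usr/bin/runc in $1" >&2; rm -rf "$work"; return 1; }
  install -m 0755 "$2" "$work/usr/bin/runc"
  tar -czf "$3" -C "$work" usr
  rm -rf "$work"
}

# Build a sealos image holding only cri/cri-containerd.tar.gz and merge it into the
# official image ($2), producing $3. The patch image is listed last so that its copy of
# the file is the one kept (assumption about sealos merge ordering). Needs sealos installed.
merge_into_image() {
  ctx="$(mktemp -d)"
  mkdir -p "$ctx/cri"
  cp "$1" "$ctx/cri/cri-containerd.tar.gz"
  printf 'FROM scratch\nCOPY cri ./cri\n' > "$ctx/Kubefile"
  sealos build -t runc-patch:latest -f "$ctx/Kubefile" "$ctx"
  sealos merge -t "$3" "$2" runc-patch:latest
  rm -rf "$ctx"
}
```

Run `runc_status` against the extracted `usr/bin/runc` from the listing above before and after repacking to confirm the swap took effect.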

stale[bot] commented 1 week ago

This issue has been automatically closed because we haven't heard back for more than 60 days; please reopen this issue if necessary.