vulhub / vulhub

Pre-Built Vulnerable Environments Based on Docker-Compose
https://vulhub.org
MIT License

[BUG & Potential Solutions] Some Vulhub Environments May Not Start under cgroup v2 #557

Open neargle opened 2 weeks ago

neargle commented 2 weeks ago

I was reading the documentation for cgroup v2 recently, so I thought that the vulhub environments might be affected. The migration from cgroup v1 to cgroup v2 is a general trend, as cgroup v2 offers improvements in resource control and provides a unified hierarchy. However, some environments in Vulhub rely strongly on cgroup v1, leading to issues when running on systems that use cgroup v2 by default (newer Linux distributions and kernels use cgroup v2 by default).

Bug Description: In the environment for the "docker daemon API unauthorized access vulnerability," the Docker daemon (dockerd) version is 18.03.0-ce, which uses cgroup v1 by default and does not support cgroup v2. Therefore, when attempting to start the Vulhub environment on a system using cgroup v2, an error occurs.

Below is the full error log:

WARNING: the "devices" cgroup should be in its own hierarchy.
WARNING: it looks like the "devices" cgroup is not mounted.
WARN[2024-10-05T15:09:55.408843886Z] could not change group /var/run/docker.sock to docker: group docker not found
WARN[2024-10-05T15:09:55.408984854Z] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]
INFO[2024-10-05T15:09:55.409797972Z] libcontainerd: started new docker-containerd process  pid=48
INFO[0000] starting containerd                           module=containerd revision=cfd04396dc68220d1cecbe686a6cc3aa5ce3667c version=v1.0.2
INFO[0000] loading plugin "io.containerd.content.v1.content"...  module=containerd type=io.containerd.content.v1
INFO[0000] loading plugin "io.containerd.snapshotter.v1.btrfs"...  module=containerd type=io.containerd.snapshotter.v1
WARN[0000] failed to load plugin io.containerd.snapshotter.v1.btrfs  error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module=containerd
INFO[0000] loading plugin "io.containerd.snapshotter.v1.overlayfs"...  module=containerd type=io.containerd.snapshotter.v1
INFO[0000] loading plugin "io.containerd.metadata.v1.bolt"...  module=containerd type=io.containerd.metadata.v1
WARN[0000] could not use snapshotter btrfs in metadata plugin  error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module="containerd/io.containerd.metadata.v1.bolt"
INFO[0000] loading plugin "io.containerd.differ.v1.walking"...  module=containerd type=io.containerd.differ.v1
INFO[0000] loading plugin "io.containerd.gc.v1.scheduler"...  module=containerd type=io.containerd.gc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.containers"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.content"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.diff"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.events"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.healthcheck"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.images"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.leases"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.namespaces"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.snapshots"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.monitor.v1.cgroups"...  module=containerd type=io.containerd.monitor.v1
INFO[0000] loading plugin "io.containerd.runtime.v1.linux"...  module=containerd type=io.containerd.runtime.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.tasks"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.version"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.introspection"...  module=containerd type=io.containerd.grpc.v1
INFO[0000] serving...                                    address="/var/run/docker/containerd/docker-containerd-debug.sock" module="containerd/debug"
INFO[0000] serving...                                    address="/var/run/docker/containerd/docker-containerd.sock" module="containerd/grpc"
INFO[0000] containerd successfully booted in 0.003339s   module=containerd
INFO[2024-10-05T15:09:55.438998103Z] [graphdriver] using prior storage driver: overlay2
INFO[2024-10-05T15:09:55.458210278Z] Graph migration to content-addressability took 0.00 seconds
WARN[2024-10-05T15:09:55.458755021Z] Your kernel does not support cgroup memory limit
WARN[2024-10-05T15:09:55.458809364Z] Unable to find cpu cgroup in mounts
WARN[2024-10-05T15:09:55.458815973Z] Unable to find blkio cgroup in mounts
WARN[2024-10-05T15:09:55.458819288Z] Unable to find cpuset cgroup in mounts
WARN[2024-10-05T15:09:55.458866471Z] mountpoint for pids not found
Error starting daemon: Devices cgroup isn't mounted

Core Issue: The primary reason for the error is the difference in directory structure between cgroup v1 and cgroup v2. dockerd cannot find the cgroup directory it expects, leading to the failure.

Impact and Possible Solutions:

  1. (Recommended) Upgrade Docker Version: Upgrading the Docker version to one that supports cgroup v2 could be a solution. However, there is uncertainty about whether other environments in Vulhub will be affected by cgroup v2, e.g. https://hub.docker.com/_/docker

  2. Force the Container Runtime to Use cgroup v1: Users can be guided to configure their container runtime and operating system to use cgroup v1 by default before starting the container. This workaround would enable the environment to function as expected, but it comes with drawbacks:

    • It reduces the out-of-the-box value of Vulhub, as users need to modify their infrastructure.
    • It raises the barrier to entry, which runs counter to the purpose of Vulhub, which is to start vulnerability environments easily without modifying the underlying setup.

Discussion: I would appreciate input from the community regarding the best approach to solve this issue. Should we prioritize upgrading the Docker versions used in Vulhub or focus on maintaining compatibility with both cgroup v1 and v2?
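The check a reader of this issue most wants is a quick way to tell, before running `docker compose up`, whether their host presents the cgroup layout that the 18.03.0-ce daemon in this environment depends on. The script below is an added example for this page, not part of vulhub or of the issue author's comment. It parses the `/proc/mounts` format: a v1 controller appears as a mount of fstype `cgroup` whose options name the controller (`devices`, `memory`, ...), while v2 is a single mount of fstype `cgroup2`. The three `/proc/mounts` excerpts embedded as `SAMPLE_*` are constructed to mirror pure v1, hybrid, and pure v2 hosts; the function names are this example's own.

```shell
#!/bin/sh
# cgroup_check.sh: work out how a cgroup-v1-only dockerd (such as the 18.03.0-ce
# daemon in the Docker API environment) would see a host's cgroup layout.
# Added example for this issue; it is not part of vulhub. The sample /proc/mounts
# excerpts below are constructed to mirror the three layouts seen in the wild.

# Constructed sample: pure cgroup v1 (each controller is a mount of fstype "cgroup").
SAMPLE_V1='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0'

# Constructed sample: hybrid (v1 controllers plus systemd's unified cgroup2 tree).
SAMPLE_HYBRID="$SAMPLE_V1
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0"

# Constructed sample: pure cgroup v2, the default on current distributions.
SAMPLE_V2='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0'

# classify_cgroup_mounts "<mounts text>" -> prints v1 | v2 | hybrid | none
classify_cgroup_mounts() {
    v1=0; v2=0
    # /proc/mounts fields: source mountpoint fstype options dump pass
    while read -r _src _mnt fstype _opts _rest; do
        case "$fstype" in
            cgroup)  v1=1 ;;
            cgroup2) v2=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$v1" = 1 ] && [ "$v2" = 1 ]; then echo hybrid
    elif [ "$v1" = 1 ]; then echo v1
    elif [ "$v2" = 1 ]; then echo v2
    else echo none
    fi
}

# devices_controller_mounted "<mounts text>" -> exit status 0 if a v1 "devices"
# controller hierarchy is mounted. That is the mount the old dockerd looks for
# before giving up with "Devices cgroup isn't mounted".
devices_controller_mounted() {
    while read -r _src _mnt fstype opts _rest; do
        [ "$fstype" = cgroup ] || continue
        case ",$opts," in
            *,devices,*) return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# legacy_dockerd_verdict "<mounts text>" -> one line: layout plus whether a
# cgroup-v1-only dockerd can start on it.
legacy_dockerd_verdict() {
    mode=$(classify_cgroup_mounts "$1")
    if devices_controller_mounted "$1"; then
        echo "$mode: v1 devices controller present, legacy dockerd can start"
    else
        echo "$mode: no v1 devices controller, legacy dockerd fails with 'Devices cgroup isn't mounted'"
    fi
}

echo "sample v1:     $(legacy_dockerd_verdict "$SAMPLE_V1")"
echo "sample hybrid: $(legacy_dockerd_verdict "$SAMPLE_HYBRID")"
echo "sample v2:     $(legacy_dockerd_verdict "$SAMPLE_V2")"

# Live check of the machine running the script (Linux only; purely informational).
if [ -r /proc/mounts ]; then
    echo "this host:     $(legacy_dockerd_verdict "$(cat /proc/mounts)")"
fi
```

The hybrid case is why the verdict keys on the `devices` controller rather than on the mere presence of a `cgroup2` mount: a hybrid host still exposes the v1 hierarchies, so the 18.03 daemon starts there; only a v2-only host trips the error in the log above. Two shorter checks give the same answer on a real host: `stat -fc %T /sys/fs/cgroup/` prints `cgroup2fs` on a v2-only host and `tmpfs` on v1 or hybrid, and on Docker 20.10 or later `docker info --format '{{.CgroupVersion}}'` reports what the host daemon itself is using.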

neargle commented 2 weeks ago

cc https://github.com/vulhub/vulhub/issues/409

neargle commented 2 weeks ago

Temporary solution: docker run --privileged -d docker:dind dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2376