Baidu AI Cloud

          Cloud Container Engine

          Bug Fix Announcement

          runc Container Escape Vulnerability Fix (CVE-2019-5736)

          Solution

          Choose one of the following three methods to fix the vulnerability:

          1. Create a new Kubernetes cluster. Docker in Kubernetes 1.11.5 clusters has been updated to 18.09.2, which contains the fix.

          2. Replace the nodes: scale the cluster out with new nodes, and scale the old nodes in once the containers have migrated and are running stably. The docker-runc on newly added nodes already contains the fix. Note that this method moves containers between nodes, so it carries a risk of service interruption. For existing 1.8 clusters, new nodes keep the same Docker version but ship a patched runc; for existing clusters at 1.11.1 and above, new nodes ship Docker 18.09.2 as a whole.

          3. Upgrade runc on its own (for 1.11 GPU clusters, the two methods above are recommended instead). Starting with Docker 18, the docker-runc binary was renamed to runc; the following procedure is for versions before Docker 18.

          • Locate the docker-runc binary and back it up:

              $ which docker-runc   # normally /usr/bin/docker-runc
              $ mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)
          • Download the fixed runc. No checksum is published on this page, so at least confirm in the next step that the binary runs and reports the expected commit:

              $ curl -f -o /usr/bin/docker-runc https://baidu-container.cdn.bcebos.com/packages/runc/runc-v1.0.0-rc2   # -f: fail on an HTTP error instead of saving the error page as the binary
              $ chmod +x /usr/bin/docker-runc
          • Check that runc runs. The fixed build still reports version 1.0.0-rc2, so compare the commit line with the output below rather than the version number:

              $ docker-runc -v 
              runc version 1.0.0-rc2 
              commit: b1adfd870be901735b1509e9560eec508bdfca1f 
              spec: 1.0.0-rc2-dev 
          • Check that Docker still works (the output varies with version and load):

              $ docker version 
              Client: 
               Version:      17.03.2-ce 
               API version:  1.27 
               Go version:   go1.7.5 
               Git commit:   f5ec1e2 
               Built:        Tue Jun 27 01:35:00 2017 
               OS/Arch:      linux/amd64
              Server: 
               Version:      17.03.2-ce 
               API version:  1.27 (minimum version 1.12) 
               Go version:   go1.7.5 
               Git commit:   f5ec1e2 
               Built:        Tue Jun 27 01:35:00 2017 
               OS/Arch:      linux/amd64
               Experimental: false 
          • Check that the containers are still running. Replacing the binary does not restart them: runc exits after starting each container, so only new docker run and docker exec invocations pick up the fixed binary:

            $ docker ps 
            CONTAINER ID        IMAGE                                                                                                                      COMMAND                  CREATED             STATUS              PORTS               NAMES 
            52d0c793caf9        hub-readonly.baidubce.com/public/pause:2.0                                                                                 "/pause"                 3 hours ago         Up 3 hours                              k8s_POD_node-exporter-klfks_kube-system_c8560cf5-3014-11e9-88b7-fa163e8b0a7e_0 
            9b6d830d4ba3        hub-readonly.baidubce.com/public/pause:2.0                                                                                 "/pause"                 3 hours ago         Up 3 hours                              k8s_POD_csi-bosplugin-g9ctz_kube-system_c855cf61-3014-11e9-88b7-fa163e8b0a7e_0 
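          The manual steps above as one script. This is an added example, not Baidu's tooling: it stages the fixed binary beside the old one, swaps it in with two renames, verifies that the installed binary runs, and rolls back to the backup if it does not. The function names (fetch_runc, install_runc, check_runc, upgrade_runc) are assumptions; the only real input is the CDN URL from the download step, which the usage comment reuses.

```shell
#!/bin/sh
# Added example, not Baidu's tooling: the docker-runc replacement above as a
# script with a staged install, a verification step and automatic rollback.
# Function names are assumptions; the CDN URL is the one from the step above.
set -eu

# Download the fixed binary to a staging path. -f makes curl fail on an HTTP
# error instead of saving the error page and then marking it executable.
fetch_runc() {
    url=$1
    dest=$2
    curl -fsSL -o "$dest" "$url"
    chmod 0755 "$dest"
}

# Back up the current binary and swap the fixed one in. Prints the backup path.
install_runc() {
    current=$1
    fixed=$2
    # Stage beside the live path first, so a failed copy never leaves the path
    # empty; mktemp gives a unique backup name even for repeated runs.
    cp "$fixed" "$current.new"
    chmod 0755 "$current.new"
    backup=$(mktemp "$current.orig.$(date +%Y%m%dT%H%M%S).XXXXXX")
    # Two renames: a docker exec racing the upgrade sees the old or the new
    # binary, never a half-written one (writing in place could also hit ETXTBSY).
    mv "$current" "$backup"
    mv "$current.new" "$current"
    echo "$backup"
}

# Verify that the installed binary runs and reports a version (status 1 if not).
# The fixed build on this page still reports 1.0.0-rc2, so the commit line,
# not the version number, is what distinguishes it from the old binary.
check_runc() {
    "$1" -v 2>/dev/null | grep -q '^runc version '
}

# Install, verify, and roll back to the backup if verification fails.
# Returns 0 on success, 1 after a rollback.
upgrade_runc() {
    current=$1
    fixed=$2
    backup=$(install_runc "$current" "$fixed")
    if check_runc "$current"; then
        echo "upgraded $current (backup: $backup)"
        return 0
    fi
    echo "new runc failed verification, restoring $backup" >&2
    mv "$backup" "$current"
    return 1
}

# Usage on a node (the docker version and docker ps checks from the page
# follow as before):
#   fetch_runc https://baidu-container.cdn.bcebos.com/packages/runc/runc-v1.0.0-rc2 /tmp/runc-fixed
#   upgrade_runc "$(which docker-runc)" /tmp/runc-fixed
```

          The rollback only covers a binary that fails to execute; it does not tell you whether the downloaded file is the one Baidu published, so compare the commit line printed by docker-runc -v with the expected output above.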

          Security recommendations

          Because exploiting the vulnerability requires the process in the container to run as UID 0, it can also be mitigated by changing the container's default user to a non-root user, or by enforcing a non-root user with Kubernetes security settings.

          • Restrict the UID to a non-zero value with securityContext (a container-level securityContext overrides the pod-level value, so check both):

              apiVersion: v1
              kind: Pod
              metadata:
                name: run-as-uid-1000
              spec:
                securityContext:
                  runAsUser: 1000
                  # Make the kubelet refuse to start a container whose effective UID is 0.
                  runAsNonRoot: true
                containers:
                - name: app
                  image: your-image:tag   # placeholder, replace with the application image
          • Restrict container privileges with a PodSecurityPolicy. The policy only takes effect when the PodSecurityPolicy admission controller is enabled and the pod's service account is granted the use verb on the policy through RBAC; note that PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission:

              apiVersion: policy/v1beta1
              kind: PodSecurityPolicy
              metadata:
                name: non-root
              spec:
                privileged: false
                allowPrivilegeEscalation: false
                runAsUser:
                  # Require the container to run as a non-root user.
                  rule: 'MustRunAsNonRoot'
                # The API server rejects a PodSecurityPolicy that omits these strategy fields.
                seLinux:
                  rule: 'RunAsAny'
                supplementalGroups:
                  rule: 'RunAsAny'
                fsGroup:
                  rule: 'RunAsAny'

          In addition, make sure that all container images are audited and trusted. This can be achieved by building all images yourself, or by reviewing the contents of an image and then pinning deployments to that exact image version (for example, by digest rather than by a mutable tag).
