-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update: runc #1338
Comments
The latest sysext bakery release ships a Docker sysext that includes a fix (docker 24.0.9): https://github.com/flatcar/sysext-bakery/releases/tag/latest. Using the sysext can mitigate the issue until we publish new OS releases later in February. |
EDIT: This can be ignored. I found that our code was blacklisting the squashfs kernel module, which was leading to the failure. Thanks!
Hi Flatcar team. I've been trying to get this working most of today without luck. I'm finding that there aren't many sources online to help me troubleshoot this, so please forgive my muddying of this issue but perhaps it can help someone else trying desperately to work around this CVE. I have adjusted the Ignition data our system provisioning system uses and have the file laying down to what I believe is the correct place, but I can't get any further than that before I hit a blocking issue:
I found a message from Lennart Poettering responding to a question about this symptom someone else saw:
Some debug info:
Note that we are still on
I've compared the SHA for the downloaded I don't find evidence that the cause of the issue I'm observing is the "verity + signature" issue but instead expect it's an issue with my configuration but can't seem to put a finger on it. Any tips are appreciated! EDIT: This can be ignored. I found that our code was blacklisting the squashfs kernel module, which was leading to the failure. Thanks! |
EDIT: The issue was resolved by renaming # ls -al /etc/extensions
total 68728
drwxr-xr-x. 2 root root 4096 Feb 5 17:46 .
drwxr-xr-x. 1 root root 4096 Feb 5 17:51 ..
lrwxrwxrwx. 1 root root 9 Feb 5 17:46 containerd-flatcar.raw -> /dev/null
--wxr-x---. 1 root root 70369280 Feb 5 17:46 docker.raw
lrwxrwxrwx. 1 root root 9 Feb 5 17:46 docker-flatcar.raw -> /dev/null
lrwxrwxrwx. 1 root root 32 Feb 5 17:46 oem-ami.raw -> /oem/sysext/oem-ami-3760.2.0.raw
# systemd-sysext list
NAME TYPE PATH TIME
docker raw /etc/extensions/docker.raw Mon 2024-02-05 20:28:02 UTC
oem-ami raw /etc/extensions/oem-ami.raw Tue 2024-01-16 19:33:08 UTC
# systemd-sysext refresh
Using extensions 'docker', 'oem-ami'.
Unmerged '/usr'.
Merged extensions into '/usr'.
# docker --version
Docker version 24.0.9, build 2936816 @t-lo I also attempted to follow your guide to remediate the CVE and stumbled into a different error from @tgelter: # systemd-sysext refresh
Failed to read metadata for image docker-24.0.9-x86-64: No medium found Do you know what could be the source of this issue? The sysext appears to be placed in the correct location: # systemd-sysext list
NAME TYPE PATH TIME
docker-24.0.9-x86-64 raw /etc/extensions/docker-24.0.9-x86-64.raw Mon 2024-02-05 17:46:26 UTC
oem-ami raw /etc/extensions/oem-ami.raw Tue 2024-01-16 19:33:08 UTC Additionally, I attempted to replace Flatcar's inbuilt Docker/containerd with the symlinks: # ls -al /etc/extensions
total 68728
drwxr-xr-x. 2 root root 4096 Feb 5 17:46 .
drwxr-xr-x. 1 root root 4096 Feb 5 17:51 ..
lrwxrwxrwx. 1 root root 9 Feb 5 17:46 containerd-flatcar.raw -> /dev/null
--wxr-x---. 1 root root 70369280 Feb 5 17:46 docker-24.0.9-x86-64.raw
lrwxrwxrwx. 1 root root 9 Feb 5 17:46 docker-flatcar.raw -> /dev/null
lrwxrwxrwx. 1 root root 32 Feb 5 17:46 oem-ami.raw -> /oem/sysext/oem-ami-3760.2.0.raw And I disabled Torcx based off the docs: # ls -al /etc/systemd/system-generators
total 16
drwxr-xr-x. 2 root root 4096 Feb 5 17:46 .
drwxr-xr-x. 1 root root 4096 Feb 5 17:46 ..
--wxr-x---. 1 root root 6 Feb 5 17:46 torcx-generator
# cat /etc/systemd/system-generators/torcx-generator
data:,
# docker --version
The program docker is managed by torcx, which did not run. Extra debug information: # cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3760.2.0
VERSION_ID=3760.2.0
BUILD_ID=2024-01-16-1847
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3760.2.0 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3760.2.0:*:*:*:*:*:*:*"
# systemctl status systemd-sysext --no-pager -l
× systemd-sysext.service - Merge System Extension Images into /usr/ and /opt/
Loaded: loaded (/usr/lib/systemd/system/systemd-sysext.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Mon 2024-02-05 17:46:34 UTC; 5min ago
Docs: man:systemd-sysext.service(8)
Process: 1618 ExecStart=systemd-sysext merge (code=exited, status=1/FAILURE)
Main PID: 1618 (code=exited, status=1/FAILURE)
CPU: 19ms
Feb 05 17:46:33 localhost systemd[1]: Starting systemd-sysext.service - Merge System Extension Images into /usr/ and /opt/...
Feb 05 17:46:34 localhost systemd-sysext[1618]: Failed to read metadata for image docker-24.0.9-x86-64: No medium found
Feb 05 17:46:34 localhost systemd[1]: systemd-sysext.service: Main process exited, code=exited, status=1/FAILURE
Feb 05 17:46:34 localhost systemd[1]: systemd-sysext.service: Failed with result 'exit-code'.
Feb 05 17:46:34 localhost systemd[1]: Failed to start systemd-sysext.service - Merge System Extension Images into /usr/ and /opt/.
# SYSTEMD_LOG_LEVEL=debug systemd-sysext refresh
Opened '/etc/extensions/docker-24.0.9-x86-64.raw' in O_RDONLY access mode, with O_DIRECT enabled.
Successfully acquired /dev/loop3, devno=7:3, nr=3, diskseq=17
Opened /dev/loop3 (fd=5, whole_block_devnum=7:3, diskseq=17).
Successfully forked off '(sd-dissect)' as PID 2297.
Mounting /proc/self/fd/5 (squashfs) on /tmp/dissect-FCmMSK (MS_RDONLY|MS_NODEV "")...
Checking for /usr/lib/extension-release.d/extension-release.docker-24.0.9-x86-64: No such file or directory
/tmp/dissect-FCmMSK/usr/lib/extension-release.d/extension-release.docker does not have user.extension-release.strict xattr, ignoring.
Failed to mount dissected image: No medium found
Failed to read /etc/hostname of image: No such file or directory
/etc/machine-id file of image is empty.
Failed to read has-init-system boolean: Input/output error
(sd-dissect) failed with exit status 1.
Failed to read metadata for image docker-24.0.9-x86-64: No medium found |
The name of the file or symlink under
And here the excerpt for the symlink:
The symlink helps to switch versions and I recommend to use systemd-sysupdate to update them:
With the last drop in the switching of docker versions is done live, you can omit this to only switch on reboot (or manually). |
Are you planning to release for containerD too? |
Next alpha, beta and stable will have runc 1.1.12. |
And containerd 1.7.13. |
Perfect. Any news for the release? |
@lib0xidium please follow this issue #1342 |
Just to make sure: runc will not be updated with the next LTS, is that right? |
Name: app-containers/runc
CVEs: CVE-2024-21626, GHSA-xr7r-f8xq-vfvv
CVSSs: 8.6 (high)
Action Needed: Update to >= 1.1.12
Summary: In runc v1.1.11 and earlier, due to certain leaked file descriptors, an attacker can gain access to the host filesystem by causing a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, or by tricking a user to run a malicious image and allow a container process to gain access to the host filesystem through runc run. The attacks can also be adapted to overwrite semi-arbitrary host binaries, allowing for complete container escapes. Note that when using higher-level runtimes (such as Docker or Kubernetes), this vulnerability can be exploited by running a malicious container image without additional configuration or by passing specific workdir options when starting a container. The vulnerability can also be exploited from within Dockerfiles in the case of Docker.
refmap.gentoo: TBD
The text was updated successfully, but these errors were encountered: