From 1cc6b8c878dfa3b9ea54e0031944d7c98b3d6680 Mon Sep 17 00:00:00 2001 From: gjmzj Date: Thu, 15 Feb 2024 21:07:39 +0800 Subject: [PATCH] to solve CVE-2024-21626: update containerd, runc --- example/config.yml | 3 +- ezdown | 6 +- roles/containerd/templates/config.toml.j2 | 76 +++++++++++++++++++++++ 3 files changed, 81 insertions(+), 4 deletions(-) diff --git a/example/config.yml b/example/config.yml index 310f158..247176e 100644 --- a/example/config.yml +++ b/example/config.yml @@ -52,9 +52,10 @@ ETCD_WAL_DIR: "" ENABLE_MIRROR_REGISTRY: true # [.]添加信任的私有仓库 +# 必须按照如下示例格式,协议头'http://'和'https://'不能省略 INSECURE_REG: - "http://easzlab.io.local:5000" - - "https://{{ HARBOR_REGISTRY }}" + - "https://reg.yourcompany.com" # [.]基础容器镜像 SANDBOX_IMAGE: "easzlab.io.local:5000/easzlab/pause:__pause__" diff --git a/ezdown b/ezdown index f552c0d..8e61d64 100755 --- a/ezdown +++ b/ezdown @@ -13,11 +13,11 @@ set -o pipefail #set -o xtrace # default settings, can be overridden by cmd line options, see usage -DOCKER_VER=24.0.7 +DOCKER_VER=25.0.3 KUBEASZ_VER=3.6.3 -K8S_BIN_VER=v1.29.0 +K8S_BIN_VER=v1.29.2 # https://github.com/easzlab/dockerfile-kubeasz-ext-bin -EXT_BIN_VER=1.9.0 +EXT_BIN_VER=1.10.0 # https://github.com/easzlab/dockerfile-kubeasz-sys-pkg SYS_PKG_VER=1.0.0 HARBOR_VER=v2.8.4 diff --git a/roles/containerd/templates/config.toml.j2 b/roles/containerd/templates/config.toml.j2 index a680f65..f39a325 100644 --- a/roles/containerd/templates/config.toml.j2 +++ b/roles/containerd/templates/config.toml.j2 
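Review bot: The new comment above `INSECURE_REG` documents the URL format but not the consequence: in `roles/containerd/templates/config.toml.j2`, changed by this same commit, every host listed here is rendered into a `registry.configs."<host>".tls` table with `insecure_skip_verify = true`, so the placeholder `https://reg.yourcompany.com` must be deleted rather than left in place by a deployer who has no such registry. The scheme requirement exists because the template extracts the host with `reg.split('/')[2]`; a bare hostname has no third segment and the render fails or yields an undefined host. I would add a second comment line, `# each host listed here has TLS certificate verification disabled in containerd; delete example entries you do not use`.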
@@ -43,17 +43,21 @@ version = 2 startup_delay = "100ms" [plugins."io.containerd.grpc.v1.cri"] + cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"] device_ownership_from_security_context = false disable_apparmor = false disable_cgroup = false disable_hugetlb_controller = true disable_proc_mount = false disable_tcp_service = true + drain_exec_sync_io_timeout = "0s" + enable_cdi = false enable_selinux = false enable_tls_streaming = false enable_unprivileged_icmp = false enable_unprivileged_ports = false ignore_image_defined_volumes = false + image_pull_progress_timeout = "15m0s" max_concurrent_downloads = 3 max_container_log_line_size = 16384 netns_mounts_under_state_dir = false @@ -72,24 +76,33 @@ version = 2 bin_dir = "/opt/cni/bin" conf_dir = "/etc/cni/net.d" conf_template = "/etc/cni/net.d/10-default.conf" + ip_pref = "" max_conf_num = 1 + setup_serially = false [plugins."io.containerd.grpc.v1.cri".containerd] default_runtime_name = "runc" disable_snapshot_annotations = true discard_unpacked_layers = false + ignore_blockio_not_enabled_errors = false ignore_rdt_not_enabled_errors = false no_pivot = false snapshotter = "overlayfs" [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 container_annotations = [] pod_annotations = [] privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false runtime_engine = "" + runtime_path = "" runtime_root = "" runtime_type = "" + sandbox_mode = "" + snapshotter = "" [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options] 
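Review bot: None of the keys added under `[plugins."io.containerd.grpc.v1.cri"]` and the `cni`, `containerd` and `default_runtime` tables (`cdi_spec_dirs`, `drain_exec_sync_io_timeout`, `image_pull_progress_timeout`, `ip_pref`, `setup_serially`, `sandbox_mode`, …) is explained, and they read as a verbatim copy of `containerd config default` from a newer containerd whose release is recorded nowhere in the diff, so a later maintainer cannot tell which keys the shipped containerd requires and which are inert defaults. A comment above the `[plugins."io.containerd.grpc.v1.cri"]` header such as `# defaults below track 'containerd config default' of containerd <VERSION_BUNDLED_IN_EXT_BIN>; re-check when EXT_BIN_VER changes` would tie the template to the version bump this commit makes in ezdown. The same applies to the remaining hunks of this file (`@@ -97`, `@@ -119`, `@@ -132`, `@@ -173`, `@@ -186`, `@@ -205`, `@@ -229`). `cdi_spec_dirs` is presumably inert while `enable_cdi = false`, which is worth a trailing `# only read once enable_cdi = true` so the pair is not edited independently.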
@@ -97,12 +110,18 @@ version = 2 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 container_annotations = [] pod_annotations = [] privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false runtime_engine = "" + runtime_path = "" runtime_root = "" runtime_type = "io.containerd.runc.v2" + sandbox_mode = "podsandbox" + snapshotter = "" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] BinaryName = "" @@ -119,12 +138,18 @@ version = 2 [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime] base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 container_annotations = [] pod_annotations = [] privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false runtime_engine = "" + runtime_path = "" runtime_root = "" runtime_type = "" + sandbox_mode = "" + snapshotter = "" [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options] @@ -132,10 +157,13 @@ version = 2 key_model = "node" [plugins."io.containerd.grpc.v1.cri".registry] + config_path = "" [plugins."io.containerd.grpc.v1.cri".registry.auths] [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ HARBOR_REGISTRY }}".tls] + insecure_skip_verify = true {% for reg in INSECURE_REG %} [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ reg.split('/')[2] }}".tls] insecure_skip_verify = true 
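Review bot: The `registry.configs."{{ HARBOR_REGISTRY }}".tls` table added in the `@@ -132` hunk is emitted unconditionally right before the `{% for reg in INSECURE_REG %}` loop that emits a table of the same shape for every configured host, so any inventory that still lists `https://{{ HARBOR_REGISTRY }}` in `INSECURE_REG` (the form `example/config.yml` used until this commit) renders the same table header twice, which is invalid TOML and is likely to make containerd reject its config on restart. It also makes the containerd role hard-depend on `HARBOR_REGISTRY` being defined even on clusters without Harbor, unless a role default supplies it. Guarding the fixed entry and filtering the loop avoids both, as sketched below; the loop's `{% endfor %}` lies outside the hunk. Disabling certificate verification for the Harbor host is also a weaker choice than distributing its CA through `ca_file` in the same tls table, if the Harbor role has that certificate available.
```toml
{% if HARBOR_REGISTRY is defined and HARBOR_REGISTRY %}
  [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ HARBOR_REGISTRY }}".tls]
    insecure_skip_verify = true
{% endif %}
{% for reg in INSECURE_REG if reg.split('/')[2] != (HARBOR_REGISTRY | default('')) %}
# … unchanged: per-registry tls table inside the loop …
```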
@@ -173,12 +201,25 @@ version = 2 [plugins."io.containerd.internal.v1.restart"] interval = "10s" + [plugins."io.containerd.internal.v1.tracing"] + sampling_ratio = 1.0 + service_name = "containerd" + [plugins."io.containerd.metadata.v1.bolt"] content_sharing_policy = "shared" [plugins."io.containerd.monitor.v1.cgroups"] no_prometheus = false + [plugins."io.containerd.nri.v1.nri"] + disable = true + disable_connections = false + plugin_config_path = "/etc/nri/conf.d" + plugin_path = "/opt/nri/plugins" + plugin_registration_timeout = "5s" + plugin_request_timeout = "2s" + socket_path = "/var/run/nri/nri.sock" + [plugins."io.containerd.runtime.v1.linux"] no_shim = false runtime = "runc" @@ -186,18 +227,34 @@ version = 2 shim = "containerd-shim" shim_debug = false + [plugins."io.containerd.runtime.v2.task"] + sched_core = false + [plugins."io.containerd.service.v1.diff-service"] default = ["walking"] + [plugins."io.containerd.service.v1.tasks-service"] + blockio_config_file = "" + rdt_config_file = "" + [plugins."io.containerd.snapshotter.v1.aufs"] root_path = "" + [plugins."io.containerd.snapshotter.v1.blockfile"] + fs_type = "" + mount_options = [] + root_path = "" + scratch_file = "" + [plugins."io.containerd.snapshotter.v1.btrfs"] root_path = "" [plugins."io.containerd.snapshotter.v1.devmapper"] async_remove = false base_image_size = "" + discard_blocks = false + fs_options = "" + fs_type = "" pool_name = "" root_path = "" 
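Review bot: `disable = true` under the new `[plugins."io.containerd.nri.v1.nri"]` table carries no explanation, yet it is the one setting in that table that matters: with NRI enabled, plugins found under `plugin_path` or connecting to `socket_path` take part in container creation and can alter the resulting container configuration. A why-comment keeps the next maintainer from flipping it while tidying apparently unused tables, e.g. `# NRI stays disabled: plugins under plugin_path would hook every container lifecycle event; enable only with vetted plugins in place`. Likewise `sampling_ratio = 1.0` in the new tracing table is a 100% sampling rate, harmless only while no OTLP endpoint is configured (`endpoint = ""` in the later `@@ -205` hunk); a trailing `# 1.0 = sample every span; lower before pointing otlp at a collector` would record that.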
@@ -205,11 +262,28 @@ version = 2 root_path = "" [plugins."io.containerd.snapshotter.v1.overlayfs"] + mount_options = [] root_path = "" + sync_remove = false + upperdir_label = false [plugins."io.containerd.snapshotter.v1.zfs"] root_path = "" + [plugins."io.containerd.tracing.processor.v1.otlp"] + endpoint = "" + insecure = false + protocol = "" + + [plugins."io.containerd.transfer.v1.local"] + config_path = "" + max_concurrent_downloads = 3 + max_concurrent_uploaded_layers = 3 + + [[plugins."io.containerd.transfer.v1.local".unpack_config]] + differ = "" + snapshotter = "overlayfs" + [proxy_plugins] [stream_processors] @@ -229,6 +303,8 @@ version = 2 returns = "application/vnd.oci.image.layer.v1.tar+gzip" [timeouts] + "io.containerd.timeout.bolt.open" = "0s" + "io.containerd.timeout.metrics.shimstats" = "2s" "io.containerd.timeout.shim.cleanup" = "5s" "io.containerd.timeout.shim.load" = "5s" "io.containerd.timeout.shim.shutdown" = "3s"
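Review bot: `snapshotter = "overlayfs"` inside the new `[[plugins."io.containerd.transfer.v1.local".unpack_config]]` element repeats the literal already set at `plugins."io.containerd.grpc.v1.cri".containerd.snapshotter` (hunk `@@ -72` of this file) with nothing marking the two as related, so a deployer who switches the CRI snapshotter would presumably leave the transfer service unpacking for a different one. A trailing `# keep in step with cri.containerd.snapshotter above` on this line, or one Jinja variable feeding both, would make the coupling visible. The `"0s"` added for `"io.containerd.timeout.bolt.open"` in the `@@ -229` hunk reads as "fail immediately" to a newcomer; if it means "no timeout", as I believe containerd's defaults intend, a trailing `# 0s = wait without timeout` comment would help.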