From b684e96b6f34d48cf5aa861069d82c57f5dac9bd Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Thu, 28 Mar 2019 09:44:56 +0800
Subject: [PATCH] work around with CVE-2019-3874

---
 roles/prepare/files/sctp.conf  | 2 ++
 roles/prepare/tasks/common.yml | 3 +++
 2 files changed, 5 insertions(+)
 create mode 100644 roles/prepare/files/sctp.conf

diff --git a/roles/prepare/files/sctp.conf b/roles/prepare/files/sctp.conf
new file mode 100644
index 0000000..da8a137
--- /dev/null
+++ b/roles/prepare/files/sctp.conf
@@ -0,0 +1,2 @@
+# put sctp into blacklist
+install sctp /bin/true
diff --git a/roles/prepare/tasks/common.yml b/roles/prepare/tasks/common.yml
index 51c40fa..108e4c8 100644
--- a/roles/prepare/tasks/common.yml
+++ b/roles/prepare/tasks/common.yml
@@ -39,3 +39,6 @@
 - name: 设置系统 ulimits
   template: src=30-k8s-ulimits.conf.j2 dest=/etc/security/limits.d/30-k8s-ulimits.conf
+
+- name: 把SCTP列入内核模块黑名单
+  copy: src=sctp.conf dest=/etc/modprobe.d/sctp.conf
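Review bot: The comment in sctp.conf says "blacklist", but the directive used is `install sctp /bin/true`, which is the stronger modprobe override (a plain `blacklist sctp` line only suppresses alias-based autoloading and still allows the module to be loaded on an explicit request), and the file nowhere records why it exists. Suggest replacing the comment with `# CVE-2019-3874 workaround: make every request to load the sctp module a no-op (stronger than "blacklist"); remove once the kernel is patched` so the reason survives a later kernel upgrade and nobody weakens it to `blacklist` by mistake. Note also that a modprobe.d entry only affects future loads; an sctp module that is already resident on a host stays loaded until it is removed or the host reboots, which the accompanying task in common.yml should handle.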
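Review bot: The new copy task in common.yml only prevents future loads of sctp; on a host where the module is already loaded the vulnerable code stays resident until reboot, so a follow-up task such as `- name: 卸载已加载的SCTP模块 (CVE-2019-3874)` / `  modprobe: name=sctp state=absent` / `  ignore_errors: true` is needed (unloading fails while the module is in use, and that outcome should at least be visible in the play output rather than silently skipped). The task also runs unconditionally on every host, and since Kubernetes services can use SCTP this will break such workloads; consider gating it on a variable (a constructed example: `when: BLACKLIST_SCTP|default(true)`) so clusters that need SCTP can opt out once their kernel is patched. The copy should set explicit `owner=root group=root mode=0644` so the modprobe.d file is not writable by other users, and the task name should mention CVE-2019-3874 so the reason for the blacklist is not lost. The enclosing task list continues before the hunk.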