How do users deal with the newly exposed runC container escape vulnerability?

2025-03-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

runc is a CLI tool that creates and runs containers according to the OCI (Open Container Initiative) standard, and the current Docker engine is built on top of it. On February 11, 2019, researchers disclosed the details of the runc container escape vulnerability (CVE-2019-5736) through the oss-security mailing list (https://www.openwall.com/lists/oss-security/2019/02/11/2). According to the OpenWall post, the exploit (EXP) would be made public seven days later, on February 18, 2019.

This vulnerability allows a container running as root to execute arbitrary code on the host as a privileged user. In practice this means a malicious container can compromise the Docker host by overwriting the runc binary, and all that is required is the ability to run a container as root. Attackers can use a malicious Docker image, or run docker exec against a running container that is not itself malicious. Known mitigations for this problem include:

Run with a read-only host filesystem

Run with user namespaces enabled

Do not run as root inside the container

A correctly configured AppArmor / SELinux policy (the current default policy is not sufficient)
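As an added example (not code from the original article or from Rancher Labs), the following Python script audits a Docker host for the four mitigations listed above. It works on text a defender would collect from the host: /proc/mounts (is the runc binary on a read-only filesystem?), /etc/docker/daemon.json (is userns-remap configured?), and the JSON that docker inspect prints (does each container run as root, opt out of user namespaces, or rely only on the default AppArmor profile?). The field names are the ones dockerd emits; the sample inputs are constructed for this example, and the runc location /usr/bin/runc is an assumption.

```python
"""Audit a Docker host for the CVE-2019-5736 mitigations.

Added example, not code from the original article or from Rancher Labs.
Inputs are plain text collected from the host; the samples at the bottom
are constructed for this example.
"""
import json

RUNC_PATH = "/usr/bin/runc"  # assumed install location of the runc binary


def runc_on_readonly_fs(proc_mounts: str, runc_path: str = RUNC_PATH) -> bool:
    """Find the mount that contains runc_path (longest mount-point prefix
    wins, as the kernel resolves it) and report whether it is mounted ro."""
    best_point, best_opts = "", ""
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        point, opts = parts[1], parts[3]
        covers = runc_path == point or runc_path.startswith(point.rstrip("/") + "/")
        if covers and len(point) > len(best_point):
            best_point, best_opts = point, opts
    return "ro" in best_opts.split(",")


def daemon_uses_userns(daemon_json: str) -> bool:
    """True when /etc/docker/daemon.json sets "userns-remap" (any value)."""
    try:
        cfg = json.loads(daemon_json)
    except ValueError:
        return False
    return bool(cfg.get("userns-remap"))


def runs_as_root(user: str) -> bool:
    """Config.User is '' (inherit; defaults to root), 'root', '0', or
    'root:grp' / '0:grp'; anything else is a non-root user."""
    name = (user or "").split(":", 1)[0]
    return name in ("", "root", "0")


def has_mac_profile(container: dict) -> bool:
    """The advisory says the default AppArmor profile is not enough, so only a
    custom AppArmor profile or an explicit SELinux type label counts."""
    apparmor = container.get("AppArmorProfile", "")
    if apparmor not in ("", "unconfined", "docker-default"):
        return True
    for opt in container.get("HostConfig", {}).get("SecurityOpt") or []:
        if opt.startswith(("label=type:", "label:type:")):
            return True
    return False


def audit(proc_mounts: str, daemon_json: str, inspect_json: str) -> dict:
    """Return {container name: [missing mitigations]}; an empty list is good."""
    host_ro = runc_on_readonly_fs(proc_mounts)
    userns = daemon_uses_userns(daemon_json)
    report = {}
    for c in json.loads(inspect_json):  # docker inspect prints a JSON list
        missing = []
        if not host_ro:
            missing.append("runc binary on writable filesystem")
        # per-container "UsernsMode": "host" opts out of the daemon-wide remap
        if not userns or c["HostConfig"].get("UsernsMode") == "host":
            missing.append("no user namespace")
        if runs_as_root(c["Config"].get("User", "")):
            missing.append("runs as root in container")
        if not has_mac_profile(c):
            missing.append("no custom AppArmor/SELinux policy")
        report[c["Name"].lstrip("/")] = missing
    return report


# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /usr/local ext4 rw,relatime 0 0
"""
SAMPLE_DAEMON = '{"userns-remap": "default"}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"UsernsMode": "host", "SecurityOpt": None},
     "AppArmorProfile": "docker-default"},
    {"Name": "/hardened", "Config": {"User": "1000:1000"},
     "HostConfig": {"UsernsMode": "", "SecurityOpt": ["apparmor=docker-custom"]},
     "AppArmorProfile": "docker-custom"},
])

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_MOUNTS, SAMPLE_DAEMON, SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not missing else ', '.join(missing)}")
```

On a real host, feed the script the output of cat /proc/mounts, the contents of /etc/docker/daemon.json, and docker inspect over the running container IDs; a container whose list is empty has every listed mitigation in place, while an upgrade to a patched runc remains the actual fix.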

The Rancher team responded immediately.

After receiving the disclosure email, the RancherOS team immediately tried to reproduce the issue with a proof-of-concept script: a very simple script run inside an ordinary container was enough to carry out the attack on the host, replacing the host's runc with another program.

After the vulnerability was disclosed, Docker immediately released 18.09.2, and users can upgrade to this version to fix the vulnerability. The Rancher Labs R&D team also responded as quickly as possible, releasing Rancher v2.1.6, v2.0.11 and v1.6.26. These three new Rancher versions support Docker's just-released 18.09.2, so Rancher users can upgrade their Docker version to avoid being affected by this security vulnerability.

What if the Docker version cannot be upgraded?

For a variety of reasons, many users' production environments cannot easily be upgraded to a very new Docker version.

To help users who are unable to upgrade to the latest Docker 18.09.2 as Docker recommends, the Rancher Labs team went a step further and backported the fix to older Docker versions, providing patches for Docker 1.12.6, 1.13.1, 17.03.2, 17.06.2, 17.09.1, 18.03.1 and 18.06.1. For the patches and installation instructions, please refer to:

https://github.com/rancher/runc-cve

Updates to RancherOS: v1.5.1 and v1.4.3

RancherOS is a containerized operating system, and many of its components rely on runc. We also applied the patch and released v1.5.1 and v1.4.3 as soon as possible.

The core components of RancherOS, system-docker and user-docker, rely on runc, so both v1.5.1 and v1.4.3 have been updated. For user-docker, RancherOS lets you switch between various versions of the Docker engine, so we have backported the patch to the following Docker engine versions:

v1.12.6, v1.13.1, v17.03.2, v17.06.2, v17.09.1, v17.12.1, v18.03.1, v18.06.1

If you install v1.5.1 or v1.4.3 with the default settings, the patch is already built in and you don't need to do anything to avoid this vulnerability. If you want to use an earlier version of Docker, use one of the patched versions listed above when switching user-docker.

v1.5.1 also supports Docker 18.09.2. If you prefer to use Docker's official fixed version, simply run: ros engine switch docker-18.09.2

We recommend that you use the latest version of RancherOS, v1.5.1, which in addition to fixing CVE-2019-5736 includes other new features and bug fixes. Because many users are still running 1.4.x, we have also released v1.4.3, which only fixes the runc vulnerability and contains no other updates.

AWS images have been uploaded to the various regions, including AWS China, and can be searched for and used directly. For the list of other major images, see:

https://github.com/rancher/os/blob/v1.5.x/README.md#release

For more on the new features and bug fixes, please refer to the v1.5.1 Release Notes:

https://github.com/rancher/os/releases/tag/v1.5.1

Documentation:

https://rancher.com/docs/os/v1.x/en/

RancherOS focuses on a streamlined Docker experience on Linux and is a niche open source project. You are welcome to download it, use it, and give the RancherOS team more feedback. A star on GitHub is also a welcome encouragement for us to keep going.

Staying true to our original mission: safeguarding users' Docker & K8S journey

With more than 100 million downloads of the Rancher Kubernetes platform, we are well aware of how important security issues are to users, not to mention the tens of millions of users who run Docker and Kubernetes in production through the Rancher platform.

CVE-2018-1002105, the first serious security vulnerability disclosed in Kubernetes, at the end of 2018, was discovered by Darren Shepherd, co-founder and chief architect of Rancher Labs.

When Kubernetes disclosed security vulnerabilities in the dashboard and external IP agents in January 2019, Rancher Labs was again the first to respond to users, ensuring that all Rancher 2.x and 1.6.x users were completely unaffected by the vulnerabilities.

Going forward, Rancher will, as always, accompany and support users ❤️ on their K8S journey.
