I recently decided to study CVE-2022-0811 in CRI-O, including reproducing the exploit and comparing the code that triggers the bug with the official fix. The first step is a virtual machine lab on PVE. The versions chosen are CRI-O 1.23.1, Kubernetes 1.23.4 and Ubuntu 20.04.
First, clone the CRI-O source from GitHub at the chosen tag:
git clone -b v1.23.1 https://github.com/cri-o/cri-o.git cri-o-1.23.1
Add the package repositories and install the build dependencies:
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.23/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:1.23.list
curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:1.23/xUbuntu_20.04/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/Release.key | apt-key add -
apt-get update -qq && apt-get install -y \
  libbtrfs-dev \
  containers-common \
  git \
  libassuan-dev \
  libdevmapper-dev \
  libglib2.0-dev \
  libc6-dev \
  libgpgme-dev \
  libgpg-error-dev \
  libseccomp-dev \
  libsystemd-dev \
  libselinux1-dev \
  pkg-config \
  go-md2man \
  cri-o-runc \
  libudev-dev \
  software-properties-common \
  gcc \
  make
ln -s /usr/lib/cri-o-runc/sbin/runc /usr/bin/runc
Download and install Go:
wget https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.19.3.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
source /etc/profile
Change into the cloned CRI-O directory and build it:
cd cri-o-1.23.1
DEBUG=1 make install
Install conmon (the container monitor CRI-O needs), then return to the CRI-O source directory for the following steps:
git clone https://github.com/containers/conmon
cd conmon
make
make install
cd ..
Create the configuration file and the systemd unit:
make install.config
make install.systemd
Copy the CNI configuration file:
mkdir -p /etc/cni/net.d
cp contrib/cni/11-crio-ipv4-bridge.conf /etc/cni/net.d/
Edit /etc/crio/crio.conf and replace the pause image with a reachable mirror, as follows:
[crio.image]
pause_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6"
Create a file named kubernetes.list under /etc/apt/sources.list.d with the following content:
deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
Install Kubernetes (the repository must be refreshed after adding its key, otherwise the pinned versions are not found):
curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
apt-get update
apt-get install kubelet=1.23.4-00 kubeadm=1.23.4-00 kubectl=1.23.4-00
Load the bridge netfilter module:
modprobe br_netfilter
Create /etc/modules-load.d/kubernetes.conf so the modules are loaded at boot, with the following content:
overlay
br_netfilter
Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1, then apply it with sysctl -p.
At this point, clone the VM to serve as the worker node and give the clone a different hostname and IP address.
On the master, generate the initial kubeadm configuration:
kubeadm config print init-defaults --component-configs=KubeletConfiguration > kubeadm-init.yaml
Edit the file so it reads as follows (the advertise address, CRI socket, node name, image repository and pod subnet are the values for this lab):
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 10.114.1.0
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/crio/crio.sock
  imagePullPolicy: IfNotPresent
  name: cve-2022-0811
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.23.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.85.0.0/16
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
Initialize the control plane on the master with kubeadm:
kubeadm init --config kubeadm-init.yaml
Join the worker node to the cluster:
sudo kubeadm join 10.114.1.0:6443 --token abcdef.0123456789abcdef \
  --discovery-token-ca-cert-hash sha256:3bae1492e612ecb6faba39a04080af4882de4216269f57482912248f01ebcebc
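As an added example (not part of the original post, nor of CRI-O or kubeadm), the following POSIX shell pre-flight script checks that the files edited in the steps above agree with each other before kubeadm init is run: the subnet in the CRI-O bridge CNI config against podSubnet, the CRI socket and cgroup driver, the ip_forward sysctl and the modules-load list. The path ./kubeadm-init.yaml and the file names in main are assumptions taken from the steps above.

```shell
#!/bin/sh
# Pre-flight check for the CRI-O + kubeadm lab described above. Added example,
# not part of the original post or of the CRI-O/kubeadm projects. Every check
# takes the file to inspect as an argument, so the same function can run against
# the real host files (see main) or against copies.

# Value of the first "key = value" / "key: value" line, surrounding quotes removed.
# Commented-out lines are skipped because the key must start the line.
conf_value() {  # conf_value <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Subnet handed out by the CRI-O bridge CNI config (JSON, whitespace-insensitive).
cni_subnet() {  # cni_subnet <cni-json-file>
    tr -d ' \t\n' < "$1" | sed -n 's/.*"subnet":"\([^"]*\)".*/\1/p'
}

# podSubnet in kubeadm-init.yaml must equal the CNI subnet; otherwise pods get
# addresses the cluster never routes and the nodes stay NotReady.
subnets_match() {  # subnets_match <kubeadm-init.yaml> <cni-json-file>
    [ "$(conf_value "$1" podSubnet)" = "$(cni_subnet "$2")" ]
}

# The kubelet must talk to the CRI-O socket and use the systemd cgroup driver.
runtime_wiring_ok() {  # runtime_wiring_ok <kubeadm-init.yaml>
    [ "$(conf_value "$1" criSocket)" = "unix:///var/run/crio/crio.sock" ] &&
    [ "$(conf_value "$1" cgroupDriver)" = "systemd" ]
}

# net.ipv4.ip_forward=1 must be present and not commented out.
sysctl_forward_ok() {  # sysctl_forward_ok <sysctl.conf>
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# overlay and br_netfilter must both be listed for modules-load.
modules_listed() {  # modules_listed <modules-load conf>
    grep -qx overlay "$1" && grep -qx br_netfilter "$1"
}

# Run every check against the paths used in the steps above; report the first failure.
main() {
    subnets_match ./kubeadm-init.yaml /etc/cni/net.d/11-crio-ipv4-bridge.conf || { echo "podSubnet differs from CNI subnet"; return 1; }
    runtime_wiring_ok ./kubeadm-init.yaml || { echo "criSocket or cgroupDriver is wrong"; return 1; }
    sysctl_forward_ok /etc/sysctl.conf || { echo "net.ipv4.ip_forward is not enabled"; return 1; }
    modules_listed /etc/modules-load.d/kubernetes.conf || { echo "overlay/br_netfilter not listed"; return 1; }
    [ -n "$(conf_value /etc/crio/crio.conf pause_image)" ] || { echo "pause_image is not set"; return 1; }
    echo "lab pre-flight OK"
}

# The host checks only run when invoked as: sh lab-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```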