CVE-2022-0811 Study [1]: Environment Setup

I recently decided to study CVE-2022-0811 in CRI-O, including reproducing the exploit and comparing the code that triggers the bug against the official fix. The first step is to build a virtual machine environment on PVE; the chosen versions are CRI-O 1.23.1, Kubernetes 1.23.4 and Ubuntu 20.04.


First, clone the CRI-O source from GitHub.

git clone -b v1.23.1 https://github.com/cri-o/cri-o.git cri-o-1.23.1

Add the relevant package repositories and install the build dependencies.

echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.23/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:1.23.list

curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:1.23/xUbuntu_20.04/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/Release.key | apt-key add -

apt-get update -qq && apt-get install -y \
  libbtrfs-dev \
  containers-common \
  git \
  libassuan-dev \
  libdevmapper-dev \
  libglib2.0-dev \
  libc6-dev \
  libgpgme-dev \
  libgpg-error-dev \
  libseccomp-dev \
  libsystemd-dev \
  libselinux1-dev \
  pkg-config \
  go-md2man \
  cri-o-runc \
  libudev-dev \
  software-properties-common \
  gcc \
  make
ln -s /usr/lib/cri-o-runc/sbin/runc /usr/bin/runc

Download and install Go.

wget https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.19.3.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
source /etc/profile

Change into the cloned CRI-O directory and start the build:

cd cri-o-1.23.1
DEBUG=1 make install

Install Conmon:

git clone https://github.com/containers/conmon
cd conmon
make
make install
cd ..   # back to the CRI-O source tree, whose Makefile targets the next steps use

Create the configuration file and the systemd unit:

make install.config
make install.systemd

Copy the CNI configuration file:

mkdir -p /etc/cni/net.d
cp contrib/cni/11-crio-ipv4-bridge.conf /etc/cni/net.d/

Edit /etc/crio/crio.conf and replace the pause image source with the following:

[crio.image]
pause_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6"

Create a kubernetes.list file under /etc/apt/sources.list.d with the following content:

deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main

Install Kubernetes:

curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
apt-get update
apt-get install kubelet=1.23.4-00 kubeadm=1.23.4-00 kubectl=1.23.4-00

Load the kernel module:

modprobe br_netfilter

Create /etc/modules-load.d/kubernetes.conf with the following content:

overlay
br_netfilter

Edit /etc/sysctl.conf and uncomment net.ipv4.ip_forward=1, then apply the change with sysctl -p.

At this point, clone the VM to serve as the worker, and give it a different hostname and IP address.

On the master, generate the default init configuration:

kubeadm config print init-defaults --component-configs=KubeletConfiguration > kubeadm-init.yaml

Edit the file as follows:

apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 10.114.1.0
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/crio/crio.sock
  imagePullPolicy: IfNotPresent
  name: cve-2022-0811
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.23.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.85.0.0/16
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

Initialize the cluster with kubeadm on the master:

kubeadm init --config kubeadm-init.yaml

Join the worker node:

sudo kubeadm join 10.114.1.0:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:3bae1492e612ecb6faba39a04080af4882de4216269f57482912248f01ebcebc
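As an added example (not code from the original post or from the CRI-O project), a small preflight script that reads the kubeadm init config, the bridge CNI config and crio.conf produced by the steps above and flags the common slips: the well-known default bootstrap token that kubeadm config print init-defaults emits left in place, a criSocket that does not point at CRI-O, a podSubnet that disagrees with the CNI subnet, and a missing pause_image. The file contents in demo() are constructed here, and the JSON shape used for the CNI config is an assumption.

```bash
#!/usr/bin/env bash
# Added preflight for the lab built above (not from the original post). It reads the
# kubeadm init config, bridge CNI config and crio.conf and reports common mismatches.

# Token that `kubeadm config print init-defaults` emits verbatim; treat it as public.
DEFAULT_TOKEN='abcdef.0123456789abcdef'
# token_is_default INIT_YAML -> exit 0 if the well-known default token is still set
token_is_default() {
  grep -Eq "^[[:space:]]*token:[[:space:]]*${DEFAULT_TOKEN}[[:space:]]*$" "$1"
}
# cri_socket / pod_subnet INIT_YAML -> print the scalar after the key
cri_socket() { sed -n 's/^[[:space:]]*criSocket:[[:space:]]*//p' "$1"; }
pod_subnet() { sed -n 's/^[[:space:]]*podSubnet:[[:space:]]*//p' "$1"; }
# cni_subnet CNI_CONF -> first "subnet" value in the CNI JSON
cni_subnet() {
  sed -n 's/.*"subnet"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}
# pause_image CRIO_CONF -> the quoted pause_image value from crio.conf
pause_image() {
  sed -n 's/^[[:space:]]*pause_image[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}
# check_lab INIT_YAML CNI_CONF CRIO_CONF -> prints findings; exit status = their count
check_lab() {
  init=$1 cni=$2 crio=$3 problems=0
  if token_is_default "$init"; then
    echo "WARN: default bootstrap token; replace it with output of 'kubeadm token generate'"
    problems=$((problems + 1))
  fi
  [ "$(cri_socket "$init")" = "unix:///var/run/crio/crio.sock" ] ||
    { echo "WARN: criSocket does not point at CRI-O"; problems=$((problems + 1)); }
  [ "$(pod_subnet "$init")" = "$(cni_subnet "$cni")" ] ||
    { echo "WARN: podSubnet differs from the bridge CNI subnet"; problems=$((problems + 1)); }
  [ -n "$(pause_image "$crio")" ] ||
    { echo "WARN: no pause_image set in crio.conf"; problems=$((problems + 1)); }
  return "$problems"
}
# Demo on constructed fragments (shape assumed here, not copied from a host).
demo() {
  d=$(mktemp -d)
  printf 'token: %s\ncriSocket: unix:///var/run/crio/crio.sock\npodSubnet: 10.85.0.0/16\n' \
    "$DEFAULT_TOKEN" > "$d/kubeadm-init.yaml"
  printf '{"ipam": {"subnet": "10.85.0.0/16"}}\n' > "$d/11-crio-ipv4-bridge.conf"
  printf '[crio.image]\npause_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6"\n' > "$d/crio.conf"
  n=0; check_lab "$d/kubeadm-init.yaml" "$d/11-crio-ipv4-bridge.conf" "$d/crio.conf" || n=$?
  echo "problems found: $n"   # 1: only the default token is flagged
  rm -rf "$d"
}
demo
```

Run it against the real files as check_lab kubeadm-init.yaml /etc/cni/net.d/11-crio-ipv4-bridge.conf /etc/crio/crio.conf; with the init config shown above it reports exactly one finding, the default token.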

