{"id":299,"date":"2022-11-12T22:00:34","date_gmt":"2022-11-12T14:00:34","guid":{"rendered":"https:\/\/h4ckm310n.com\/?p=299"},"modified":"2022-11-16T16:25:44","modified_gmt":"2022-11-16T08:25:44","slug":"cve-2022-0811%e5%ad%a6%e4%b9%a0%e3%80%901%e3%80%91%e7%8e%af%e5%a2%83%e6%90%ad%e5%bb%ba","status":"publish","type":"post","link":"https:\/\/h4ckm310n.com\/?p=299","title":{"rendered":"CVE-2022-0811\u5b66\u4e60\u30101\u3011\u73af\u5883\u642d\u5efa"},"content":{"rendered":"

\u6700\u8fd1\u6253\u7b97\u5bf9CRI-O\u7684CVE-2022-0811\u8fdb\u884c\u5b66\u4e60\uff0c\u5305\u62ecexp\u590d\u73b0\u3001\u89e6\u53d1\u4ee3\u7801\u548c\u5b98\u65b9\u4fee\u590d\u65b9\u6848\u7684\u5bf9\u6bd4\u7814\u7a76\u7b49\u3002\u9996\u5148\u8981\u5728PVE\u4e0a\u642d\u5efa\u4e00\u4e2a\u865a\u62df\u673a\u73af\u5883\uff0c\u9009\u7528\u7684CRI-O\u7248\u672c\u4e3a1.23.1\uff0cKubernetes\u7248\u672c\u4e3a1.23.4\uff0c\u7cfb\u7edf\u4e3aUbuntu 20.04\u3002<\/p>\n


\n\u9996\u5148\u4eceGitHub\u4e0a\u628aCRI-O\u7684\u4ee3\u7801clone\u4e0b\u6765\u3002<\/p>\n

git clone -b v1.23.1 https:\/\/github.com\/cri-o\/cri-o.git cri-o-1.23.1\r\n<\/pre>\n
\u6dfb\u52a0\u76f8\u5173\u7684\u6e90\uff0c\u5e76\u5b89\u88c5\u4f9d\u8d56\u3002<\/p>\n
echo \"deb https:\/\/download.opensuse.org\/repositories\/devel:\/kubic:\/libcontainers:\/stable\/xUbuntu_20.04\/ \/\" > \/etc\/apt\/sources.list.d\/devel:kubic:libcontainers:stable.list\r\necho \"deb http:\/\/download.opensuse.org\/repositories\/devel:\/kubic:\/libcontainers:\/stable:\/cri-o:\/1.23\/xUbuntu_20.04\/ \/\" > \/etc\/apt\/sources.list.d\/devel:kubic:libcontainers:stable:cri-o:1.23.list\r\n\r\ncurl -L https:\/\/download.opensuse.org\/repositories\/devel:kubic:libcontainers:stable:cri-o:1.23\/xUbuntu_20.04\/Release.key | apt-key add -\r\ncurl -L https:\/\/download.opensuse.org\/repositories\/devel:\/kubic:\/libcontainers:\/stable\/xUbuntu_20.04\/Release.key | apt-key add -\r\n\r\napt-get update -qq && apt-get install -y \\\r\n  libbtrfs-dev \\\r\n  containers-common \\\r\n  git \\\r\n  libassuan-dev \\\r\n  libdevmapper-dev \\\r\n  libglib2.0-dev \\\r\n  libc6-dev \\\r\n  libgpgme-dev \\\r\n  libgpg-error-dev \\\r\n  libseccomp-dev \\\r\n  libsystemd-dev \\\r\n  libselinux1-dev \\\r\n  pkg-config \\\r\n  go-md2man \\\r\n  cri-o-runc \\\r\n  libudev-dev \\\r\n  software-properties-common \\\r\n  gcc \\\r\n  make\r\nln -s \/usr\/lib\/cri-o-runc\/sbin\/runc \/usr\/bin\/runc\r\n<\/pre>\n
\u4e0b\u8f7d\u5b89\u88c5go\u3002<\/p>\n
wget https:\/\/go.dev\/dl\/go1.19.3.linux-amd64.tar.gz\r\ntar -C \/usr\/local -xzf go1.19.3.linux-amd64.tar.gz\r\necho 'export PATH=$PATH:\/usr\/local\/go\/bin' >> \/etc\/profile\r\nsource \/etc\/profile\r\n<\/pre>\n
\u5207\u6362\u5230clone\u4e0b\u6765\u7684CRI-O\u7684\u76ee\u5f55\uff0c\u5f00\u59cb\u7f16\u8bd1\uff1a<\/p>\n
cd cri-o-1.23.1\r\nDEBUG=1 make install\r\n<\/pre>\n
\u5b89\u88c5Conmon\uff1a<\/p>\n
git clone https:\/\/github.com\/containers\/conmon\r\nmake\r\nmake install\r\n<\/pre>\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\u4ee5\u53ca\u542f\u52a8\u9879\uff1a<\/p>\n
make install.config\r\nmake install.systemd\r\n<\/pre>\n
\u590d\u5236CNI\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n
mkdir -p \/etc\/cni\/net.d\r\ncp contrib\/cni\/11-crio-ipv4-bridge.conf \/etc\/cni\/net.d\/\r\n<\/pre>\n
\u4fee\u6539\/etc\/crio\/crio.conf\uff0c\u66ff\u6362pause\u7684\u955c\u50cf\u6e90\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
[crio.image]\r\npause_image = \"registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.6\"\r\n<\/pre>\n
\u5728\/etc\/apt\/sources.list.d\u76ee\u5f55\u4e0b\u521b\u5efa\u4e00\u4e2akubernetes.list\u6587\u4ef6\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
deb https:\/\/mirrors.aliyun.com\/kubernetes\/apt\/ kubernetes-xenial main\r\n<\/pre>\n
\u5b89\u88c5Kubernetes\uff1a<\/p>\n
curl https:\/\/mirrors.aliyun.com\/kubernetes\/apt\/doc\/apt-key.gpg | apt-key add - \r\napt-get install kubelet=1.23.4-00 kubeadm=1.23.4-00 kubectl=1.23.4-00\r\n<\/pre>\n
\u52a0\u8f7d\u6a21\u5757\uff1a<\/p>\n
modprobe br_netfilter\r\n<\/pre>\n
\u521b\u5efa\/etc\/modules-load.d\/kubernetes.conf\u6587\u4ef6\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
overlay\r\nbr_netfilter\r\n<\/pre>\n
\u4fee\u6539\/etc\/sysctl.conf\uff0c\u5c06net.ipv4.ip_forward=1\u524d\u9762\u7684\u6ce8\u91ca\u53bb\u6389\u3002\u7136\u540e\u901a\u8fc7sysctl -p\u66f4\u65b0\u914d\u7f6e\u3002<\/p>\n
\u5728\u6b64\u5904\u514b\u9686\u4e00\u4e2aworker\u865a\u62df\u673a\uff0c\u5e76\u8bbe\u7f6e\u4e00\u4e2a\u4e0d\u540c\u7684hostname\u548cIP\u5730\u5740\u3002<\/p>\n
master\u751f\u6210\u521d\u59cb\u5316\u7684\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n
kubeadm config print init-defaults --component-configs=KubeletConfiguration > kubeadm-init.yaml\r\n<\/pre>\n
\u4fee\u6539\u6587\u4ef6\uff1a<\/p>\n
apiVersion: kubeadm.k8s.io\/v1beta3\r\nbootstrapTokens:\r\n- groups:\r\n  - system:bootstrappers:kubeadm:default-node-token\r\n  token: abcdef.0123456789abcdef\r\n  ttl: 24h0m0s\r\n  usages:\r\n  - signing\r\n  - authentication\r\nkind: InitConfiguration\r\nlocalAPIEndpoint:\r\n  advertiseAddress: 10.114.1.0\r\n  bindPort: 6443\r\nnodeRegistration:\r\n  criSocket: unix:\/\/\/var\/run\/crio\/crio.sock\r\n  imagePullPolicy: IfNotPresent\r\n  name: cve-2022-0811\r\n  taints: null\r\n---\r\napiServer:\r\n  timeoutForControlPlane: 4m0s\r\napiVersion: kubeadm.k8s.io\/v1beta3\r\ncertificatesDir: \/etc\/kubernetes\/pki\r\nclusterName: kubernetes\r\ncontrollerManager: {}\r\ndns: {}\r\netcd:\r\n  local:\r\n    dataDir: \/var\/lib\/etcd\r\nimageRepository: registry.cn-hangzhou.aliyuncs.com\/google_containers\r\nkind: ClusterConfiguration\r\nkubernetesVersion: 1.23.0\r\nnetworking:\r\n  dnsDomain: cluster.local\r\n  serviceSubnet: 10.96.0.0\/12\r\n  podSubnet: 10.85.0.0\/16\r\nscheduler: {}\r\n---\r\napiVersion: kubelet.config.k8s.io\/v1beta1\r\nauthentication:\r\n  anonymous:\r\n    enabled: false\r\n  webhook:\r\n    cacheTTL: 0s\r\n    enabled: true\r\n  x509:\r\n    clientCAFile: \/etc\/kubernetes\/pki\/ca.crt\r\nauthorization:\r\n  mode: Webhook\r\n  webhook:\r\n    cacheAuthorizedTTL: 0s\r\n    cacheUnauthorizedTTL: 0s\r\ncgroupDriver: systemd\r\nclusterDNS:\r\n- 10.96.0.10\r\nclusterDomain: cluster.local\r\ncpuManagerReconcilePeriod: 0s\r\nevictionPressureTransitionPeriod: 0s\r\nfileCheckFrequency: 0s\r\nhealthzBindAddress: 127.0.0.1\r\nhealthzPort: 10248\r\nhttpCheckFrequency: 0s\r\nimageMinimumGCAge: 0s\r\nkind: KubeletConfiguration\r\nlogging:\r\n  flushFrequency: 0\r\n  options:\r\n    json:\r\n      infoBufferSize: \"0\"\r\n  verbosity: 0\r\nmemorySwap: {}\r\nnodeStatusReportFrequency: 0s\r\nnodeStatusUpdateFrequency: 0s\r\nresolvConf: \/run\/systemd\/resolve\/resolv.conf\r\nrotateCertificates: true\r\nruntimeRequestTimeout: 0s\r\nshutdownGracePeriod: 0s\r\nshutdownGracePeriodCriticalPods: 0s\r\nstaticPodPath: \/etc\/kubernetes\/manifests\r\nstreamingConnectionIdleTimeout: 0s\r\nsyncFrequency: 0s\r\nvolumeStatsAggPeriod: 0s\r\n<\/pre>\n
master\u521d\u59cb\u5316kubeadm\uff1a<\/p>\n
kubeadm init --config kubeadm-init.yaml\r\n<\/pre>\n
worker\u521b\u5efa\u8282\u70b9\uff1a<\/p>\n
\r\nsudo kubeadm join 10.114.1.0:6443 --token abcdef.0123456789abcdef \\\r\n\t--discovery-token-ca-cert-hash sha256:3bae1492e612ecb6faba39a04080af4882de4216269f57482912248f01ebcebc\r\n<\/pre>\n
\u53c2\u8003<\/h4>\n
[1] https:\/\/cloud.tencent.com\/developer\/article\/1981066<\/a>
\n[2] https:\/\/www.crowdstrike.com\/blog\/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811\/<\/a>
\n[3] https:\/\/github.com\/cri-o\/cri-o\/blob\/v1.23.1\/install.md<\/a>
\n[4] https:\/\/github.com\/cri-o\/cri-o\/blob\/v1.23.1\/tutorials\/kubeadm.md<\/a>
\n[5] https:\/\/www.mirantis.com\/blog\/how-install-kubernetes-kubeadm\/<\/a>
\n[6] https:\/\/zhuanlan.zhihu.com\/p\/458271887<\/a>
\n[7] https:\/\/www.cnblogs.com\/layzer\/articles\/kubernetes-crio.html<\/a>
\n[8] https:\/\/adamtheautomator.com\/cri-o\/<\/a>
\n[9] https:\/\/xujiyou.work\/%E4%BA%91%E5%8E%9F%E7%94%9F\/CRI-O\/%E4%BD%BF%E7%94%A8CRI-O%E5%92%8CKubeadm%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8%20Kubernetes%20%E9%9B%86%E7%BE%A4.html<\/a>
\n[10] https:\/\/hanamichi.wiki\/posts\/k8s-ciro\/<\/a>
\n[11] https:\/\/github.com\/cri-o\/cri-o\/blob\/v1.23.1\/tutorials\/kubernetes.md<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u6700\u8fd1\u6253\u7b97\u5bf9CRI-O\u7684CVE-2022-0811\u8fdb\u884c\u5b66\u4e60\uff0c\u5305\u62ecexp\u590d\u73b0\u3001\u89e6\u53d1\u4ee3\u7801\u548c\u5b98\u65b9\u4fee\u590d\u65b9\u6848\u7684\u5bf9\u6bd4\u7814\u7a76\u7b49\u3002 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[16,6],"tags":[],"class_list":["post-299","post","type-post","status-publish","format-standard","hentry","category-16","category-6"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"h4ckm310n","author_link":"https:\/\/h4ckm310n.com\/?author=1"},"uagb_comment_info":0,"uagb_excerpt":"\u6700\u8fd1\u6253\u7b97\u5bf9CRI-O\u7684CVE-2022-0811\u8fdb\u884c\u5b66\u4e60\uff0c\u5305\u62ecexp\u590d\u73b0\u3001\u89e6\u53d1\u4ee3\u7801\u548c\u5b98\u65b9\u4fee\u590d\u65b9\u6848\u7684\u5bf9\u6bd4\u7814\u7a76\u7b49\u3002…","_links":{"self":[{"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/posts\/299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=299"}],"version-history":[{"count":11,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/posts\/299\/revisions"}],"predecessor-version":[{"id":314,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=\/wp\/v2\/posts\/299\/revisions\/314"}],"wp:attachment":[{"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ckm310n.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}