docker-runc-cve-replace.sh

#!/bin/bash
#
# Workaround CVE-2019-5736 via patched runc provided by
# https://github.com/rancher/runc-cve
# The script does:
#   1) find "docker-runc" executable and docker version
#   2) download corresponding patched runc
#   3) dpkg-divert (ie "permanently move") pkg installed runc and replace it by 2)
# 
# Run with "-n" for dry-run.

BASE_URL=https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3

must_be_root() {
   [ $(id -u) = 0 ] && return 0
   echo "ERROR: must be root: run with sudo or add '-n' for dry-run"
   exit 1
}

# CMD prefix for actual commands, "" means doing it
CMD=""
[ "$1" = "-n" ] && CMD=echo && shift

RUNC=$(which docker-runc)
test -x ${RUNC:?} || { echo "ERROR: docker-runc not found"; exit 1 ;}
RUNC_BAK=${RUNC}.cve-diverted
RUNC_TMP=${RUNC}.tmp

DOCKER_VERSION=$(docker --version|sed -rn 's/.*version ([0-9.]+).*/\1/p')
: ${DOCKER_VERSION:?}

test -f ${RUNC_BAK} && { echo "ERROR: '${RUNC_BAK}' already exists"; exit 1 ;}

set -e
test -z "${CMD}" && must_be_root && set -x
$CMD wget -qO ${RUNC_TMP} ${BASE_URL}/runc-v${DOCKER_VERSION}-amd64
$CMD chmod +x ${RUNC_TMP}
$CMD dpkg-divert --add --rename --divert ${RUNC_BAK} ${RUNC}
$CMD mv ${RUNC_TMP} ${RUNC}
$CMD docker run --rm busybox echo ok
$CMD ls -l ${RUNC} ${RUNC_BAK}

patch-runc.cluster_stanza.yaml

spec:
  [...]
  hooks:
    # Workaround CVE-2019-5736 until https://github.com/kubernetes/kops/pull/6460
    # is merged and kops released with it --jjo, 2019-02-13
    - name: patch-runc
      roles: [Master,Node]
      before:
      - docker.service
      manifest: |
        Type=oneshot
        Environment=BASE_URL=https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3
        ExecStart=/bin/bash -xc 'RUNC=$$(which runc docker-runc); echo runc=$${RUNC:?}; test -f $${RUNC}.bak && exit 0; DOCKER_VERSION=$$(docker --version|sed -rn "s/.*version ([0-9.]+).*/\\1/p"); wget -qO $${RUNC}.tmp ${BASE_URL}/runc-v$${DOCKER_VERSION}-amd64 && chmod +x $${RUNC}.tmp && dpkg-divert --add --rename --divert $${RUNC}.bak $${RUNC} && mv $${RUNC}.tmp $${RUNC}'

patch-runc.service

# /lib/systemd/system/patch-runc.service
[Unit]
Description=Kops Hook patch-runc
Before=docker.service

[Service]
Type=oneshot
Environment=BASE_URL=https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3
ExecStart=/bin/bash -xc 'RUNC=$$(which runc docker-runc); echo runc=$${RUNC:?}; test -f $${RUNC}.bak && exit 0; DOCKER_VERSION=$$(docker --version|sed -rn "s/.*version ([0-9.]+).*/\\1/p"); wget -qO $${RUNC}.tmp ${BASE_URL}/runc-v$${DOCKER_VERSION}-amd64 && chmod +x $${RUNC}.tmp && dpkg-divert --add --rename --divert $${RUNC}.bak $${RUNC} && mv $${RUNC}.tmp $${RUNC}'