
How to change the runc version in an image of labring/kubernetes or labring/kubernetes-docker #4524

Open
use-epoll opened this issue Feb 4, 2024 · 2 comments
Labels
kind/feature New feature or request

Comments

@use-epoll

What is the problem this feature will solve?

runc < 1.1.11 has CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
runc 1.1.12 fixes it.

If you have a solution, please describe it

runc 1.1.12 fixes it.

What alternatives have you considered?

No response

@use-epoll use-epoll added the kind/feature New feature or request label Feb 4, 2024

stale bot commented Apr 10, 2024

This issue has been automatically closed because we haven't heard back for more than 60 days, please reopen this issue if necessary.

@willzhang
Contributor

willzhang commented Apr 21, 2024

By default, these binary files have already been packaged into the image. There may be a solution:

  1. Upgrade to an image version that has the latest version of runc
  2. Create your own image
  3. Use the sealos merge command to replace the cri-containerd.tar.gz in the official image

Package project path: https://github.com/labring-actions/runtime/blob/main/containerd/scripts/init-containerd.sh

Check where runc is located:

root@node40:~# sealos create  registry.cn-shanghai.aliyuncs.com/labring/kubernetes:v1.29.3
2024-04-21T17:00:07 info Shell command: export registryPassword="passw0rd" disableApparmor="false" SEALOS_SYS_CRI_ENDPOINT="/var/run/containerd/containerd.sock" registryData="/var/lib/registry" registryConfig="/etc/registry" registryDomain="sealos.hub" SEALOS_SYS_IMAGE_ENDPOINT="/var/run/image-cri-shim.sock" defaultVIP="10.103.97.2" criData="/var/lib/containerd" registryPort="5000" sandboxImage="pause:3.9" registryUsername="admin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ; 
2024-04-21T17:00:07 info Mount point: /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:~# 
root@node40:~# 
root@node40:~# cd /var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# ls
bin  cri  etc  images  Kubefile  opt  README.md  registry  scripts  statics
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# 
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged# cd cri/
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# ls
cri-containerd.tar.gz  image-cri-shim  libseccomp.tar.gz  registry
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# tar -zxvf cri-containerd.tar.gz 
usr/
usr/bin/
usr/bin/runc
usr/bin/ctr
usr/bin/containerd
usr/bin/containerd-shim
usr/bin/containerd-shim-runc-v2
usr/bin/containerd-shim-runc-v1
usr/bin/containerd-stress
root@node40:/var/lib/containers/storage/overlay/19e66f9ebdaf17642b382e897e0179ebfa443f8f250c95279e228924a5ba6f16/merged/cri# 

You can create a separate sealos image that only contains cri-containerd.tar.gz, and then use the sealos merge command to merge it into the official image to overwrite the cri-containerd.tar.gz in the official image.

@stale stale bot removed the response-expired label Apr 21, 2024
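The procedure in the comment above (find runc inside cri/cri-containerd.tar.gz, swap it for a fixed build, wrap the result in a one-file image and merge it over the official one) as an added example in POSIX shell. This is not code from the issue, from sealos or from labring; it is written here to illustrate the steps. It assumes the archive layout shown in the tar listing above (usr/bin/runc alongside the containerd binaries), that `runc --version` prints a first line of the form `runc version X.Y.Z`, and that the sealos CLI accepts `sealos build -t NAME CONTEXT` and `sealos merge -t NEW BASE OVERLAY` with a Dockerfile-style `COPY` in the Kubefile; check those flags against `sealos build --help` and `sealos merge --help` for your version before relying on them.

```shell
#!/bin/sh
# Added example: check the runc bundled in cri-containerd.tar.gz against the
# CVE-2024-21626 fix version and repack the archive with a fixed runc binary.
# Assumptions are marked in comments; nothing here is sealos' own code.

FIXED_RUNC_VERSION="1.1.12"   # first runc release with the CVE-2024-21626 fix

# version_lt A B: exit 0 if dotted numeric version A is strictly lower than B.
# Missing components are treated as 0, so "1.1" < "1.1.12".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# runc_version_of PATH: print the X.Y.Z reported by "PATH --version".
# Assumes the first line looks like "runc version 1.1.12"; a suffix such as
# "+dev" is stripped. Exit 1 if no such line is produced.
runc_version_of() {
    "$1" --version 2>/dev/null | awk '
        /^runc version/ { v = $3; sub(/[^0-9.].*/, "", v); print v; found = 1 }
        END { exit found ? 0 : 1 }'
}

# runc_is_vulnerable PATH: exit 0 if the binary is older than the fixed version,
# 1 if it is fixed, 2 if its version could not be read.
runc_is_vulnerable() {
    v=$(runc_version_of "$1") || return 2
    version_lt "$v" "$FIXED_RUNC_VERSION"
}

# repack_cri_tarball SRC NEW_RUNC OUT: rewrite SRC (cri-containerd.tar.gz) to OUT
# with usr/bin/runc replaced by NEW_RUNC. All other entries and the top-level
# path layout (usr/...) are preserved so the image's init script still finds them.
repack_cri_tarball() {
    src=$1; new_runc=$2; out=$3
    work=$(mktemp -d) || return 1
    tar -xzf "$src" -C "$work"                      || { rm -rf "$work"; return 1; }
    install -m 0755 "$new_runc" "$work/usr/bin/runc" || { rm -rf "$work"; return 1; }
    # shellcheck disable=SC2046  # top-level entry names, no spaces expected
    tar -czf "$out" -C "$work" $(ls "$work")        || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# build_and_merge TARBALL BASE_IMAGE OUT_IMAGE: build a sealos image that only
# carries cri/cri-containerd.tar.gz and merge it over BASE_IMAGE so the repacked
# archive overwrites the official one. Assumed CLI shape: "sealos build -t",
# "sealos merge -t", Dockerfile-style COPY in the Kubefile. Not run by the test.
build_and_merge() {
    tarball=$1; base_image=$2; out_image=$3
    ctx=$(mktemp -d) || return 1
    mkdir -p "$ctx/cri" && cp "$tarball" "$ctx/cri/cri-containerd.tar.gz" || return 1
    cat > "$ctx/Kubefile" <<'EOF'
FROM scratch
COPY cri ./cri
EOF
    sealos build -t "runc-fix:local" "$ctx" \
        && sealos merge -t "$out_image" "$base_image" "runc-fix:local"
    rc=$?
    rm -rf "$ctx"
    return $rc
}

# Optional driver: set CRI_TARBALL, NEW_RUNC, BASE_IMAGE, OUT_IMAGE to run end to end,
# e.g. after "sealos create <image>" as shown above and copying cri/cri-containerd.tar.gz.
if [ -n "${CRI_TARBALL:-}" ] && [ -n "${NEW_RUNC:-}" ]; then
    if runc_is_vulnerable "$NEW_RUNC"; then
        echo "refusing: $NEW_RUNC is still older than $FIXED_RUNC_VERSION" >&2
        exit 1
    fi
    repack_cri_tarball "$CRI_TARBALL" "$NEW_RUNC" "${CRI_TARBALL%.tar.gz}-fixed.tar.gz" || exit 1
    [ -n "${BASE_IMAGE:-}" ] && [ -n "${OUT_IMAGE:-}" ] \
        && build_and_merge "${CRI_TARBALL%.tar.gz}-fixed.tar.gz" "$BASE_IMAGE" "$OUT_IMAGE"
fi
```

The repack step is separated from the sealos step on purpose: you can verify the rebuilt archive (extract it and run `usr/bin/runc --version`) before any image is built, and `runc_is_vulnerable` refuses a replacement binary that is itself below 1.1.12.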