On Monday, February 11, 2019, critical vulnerability, CVE-2019-5736, was announced for Docker.
- Your Mesos Cluster
Update runc to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host.
1 . Restricting the docker agent User flag to be a non root user as described below
CloudBees recommends customers follow the recommendations provided to mitigate the risk.
Docker Agent Template should be modified where applicable to utilize the User option and set the UID to an non root user
such as 1000.
Modification to the Agent Template definition can be complete by modifying an Agent Template, either in Operation Center
or in one of your Managed Masters.
Choose Add -> User and specify the user in the form field.
Example for reference:
2 . CloudBees updated AMI contains docker-runc 1.13.1 binary with a back port which addresses the security vulnerability
Updated AMI from March will be provided with the backport of docker-runc
Utilize the worker-add operations and specify the worker_ami field with the updated AMI, older worker nodes can then be removed
via worker-disable and worker-remove
Update the project.config with the new AMI and restarting controllers one by one to ensure master election isn’t affected
3 . Manually patching affected controllers and nodes
If you followed step 2 to use the new AMI, you do not need to do this step 3, since you already have the new AMI with the fix.
Customers who wish to roll out the patched docker-runc manually or have a customer image can obtain the patched version here
Copy the file runc-v1.13.1-amd64-no-memfd_create to each controller/worker node in the cluster, and replace the existing
docker-runc binary which is typically located in /usr/bin
sudo mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)
sudo mv runc-v1.13.1-amd64-no-memfd_create /usr/bin/docker-runc
sudo chmod 755 /usr/bin/docker-runc