Runc vulnerability - CVE-2019-5736

Rancher supports Docker 18.09.2

Due to CVE-2019-5736, Rancher is now officially supporting Docker 18.09.2 for the Rancher v2.1.6, v2.0.11 and v1.6.26 releases. To see which Rancher versions, OS versions and Docker versions are supported, please refer to the Rancher Support Matrix.

Please upgrade Docker to 18.09.2 for all nodes/hosts in Rancher.

Known Issues:

  • Nodes might go into an “Unavailable” state post Docker upgrade [#17916] – Workaround for each role is documented in the issue.
  • Ingress might not work post Docker upgrade [#17911] – Workaround: Restart the ingress controller.
  • In the UI, the Docker version of the nodes might not be updated post Docker upgrade [#17902] – Workaround: Add a label to the node to trigger a sync to nodes, which will cause the UI to update the Docker version of the nodes.

Patching runc in an older Docker version

If you are unable to upgrade Docker to 18.09.2, Rancher has provided a backport of runc binaries for older versions of Docker. Rancher has provided patches for Docker 1.12.6, 1.13.1, 17.03.2, 17.06.2, 17.09.1, 18.03.1, and 18.06.1. This repository provides the patches and directions for how to patch runc for your Docker version.

RancherOS v1.5.1 and RancherOS v1.4.3

In RancherOS v1.4.3 and v1.5.1, Rancher has patched runc in system-docker and user-docker versions that are included to address CVE-2019-5736.

In RancherOS v1.5.1, Rancher has added support for Docker 18.09.2.

Please upgrade to one of these RancherOS versions as soon as possible to get the patched versions of Docker. User Docker in these RancherOS versions ships patched builds, but the Docker version list still shows the same version numbers. To check that you are running the patched User Docker, look at the os-docker image tag: patched images carry a tag that appends -1 to the version. For example, rancher/os-docker:18.03.1-1 is the patched version of 18.03.1.

For those who are uncomfortable upgrading Docker on your Kubernetes clusters, we are planning to provide more detailed instructions on how to upgrade Docker to 18.09.2 later today. Stay tuned!

Here are the details on how Rancher recommends upgrading your Docker version for your Kubernetes cluster in Rancher 2.x.

Rancher supports Docker 18.06.2

As Docker has also patched 18.06.2, Rancher will also be supporting Docker 18.06.2 for Rancher v2.1.6, v2.0.11 and v1.6.26. Please refer to the Rancher Support Matrix to see which versions of Rancher, OS, K8s, and Docker are currently supported.

We recommend upgrading Docker to either 18.06.2 or 18.09.2 for all nodes/hosts in Rancher.
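As an added example (not part of the original advisory or a Rancher tool), the following POSIX shell helpers classify a host's Docker server version against the versions this advisory lists as patched for CVE-2019-5736 (18.06.2, 18.09.2), flag the older versions for which Rancher published a backported runc, and check a RancherOS os-docker image tag for the -1 patch suffix. The local-host check assumes `docker` is on PATH; the "-ce"/"-ee" suffix handling is an assumption about how some releases report their version.

```shell
#!/bin/sh
# Constructed example: classify Docker versions per the CVE-2019-5736 advisory.

PATCHED_VERSIONS="18.06.2 18.09.2"
# Versions for which Rancher provided a backported runc; the version string
# alone cannot show whether that backport was actually applied on the host.
BACKPORT_VERSIONS="1.12.6 1.13.1 17.03.2 17.06.2 17.09.1 18.03.1 18.06.1"

# docker_status VERSION -> prints "patched", "backport-candidate" or "upgrade"
docker_status() {
    v="$1"
    v="${v%-ce}"   # some releases report e.g. "18.06.2-ce" (assumption)
    v="${v%-ee}"
    for p in $PATCHED_VERSIONS; do
        [ "$v" = "$p" ] && { echo patched; return 0; }
    done
    for b in $BACKPORT_VERSIONS; do
        [ "$v" = "$b" ] && { echo backport-candidate; return 0; }
    done
    echo upgrade
}

# rancheros_image_status IMAGE -> "patched" only when the os-docker tag ends in -1
rancheros_image_status() {
    case "$1" in
        rancher/os-docker:*-1) echo patched ;;
        rancher/os-docker:*)   echo upgrade ;;
        *)                     echo unknown ;;
    esac
}

# Live check of the local host, skipped when docker is not installed.
if command -v docker >/dev/null 2>&1; then
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) \
        && echo "local docker $ver: $(docker_status "$ver")"
fi
```

A "backport-candidate" result means the host still needs to be verified against the runc patch instructions in the backport repository, since only an upgrade to 18.06.2 or 18.09.2 is detectable from the version string.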

Provisioning Clusters in Rancher with Docker 18.06.2 or Docker 18.09.2

If you are launching clusters that have Rancher launching and managing Kubernetes, in the Kubernetes options for Docker versions on nodes, you will need to keep the default of Allow unsupported versions in order for the Kubernetes cluster to provision correctly with Docker 18.06.2 or Docker 18.09.2. The next patch versions of Rancher will be updated so this will not be required.

RKE v0.1.15 with Docker 18.06.2 and Docker 18.09.2

The current version of RKE (v0.1.15) will not launch clusters with Docker 18.06.2 or Docker 18.09.2 unless you specifically ignore the Docker version check. Per the instructions, you can disable this supported Docker verification in either your cluster.yml or you can temporarily disable it whenever you run rke up by passing in --ignore-docker-version.

Rancher is planning on shipping RKE v0.1.16 to address this issue by February 15.

RKE v0.1.16

With the release of RKE v0.1.16, RKE officially supports Docker 18.06.2 and 18.09.2. You can run RKE against these Docker versions without ignoring the Docker version check, since they are now officially supported.