Bump Containerd and Runc to fix remaining CVEs #7330

Closed
dereknola opened this issue Apr 20, 2023 · 2 comments
Comments

dereknola commented Apr 20, 2023

Is your feature request related to a problem? Please describe.

Current trivy CVEs:

bin/containerd - CRITICAL - CVE-2022-1996 - github.com/emicklei/go-restful - v2.9.5+incompatible - 2.16.0
bin/containerd - HIGH - CVE-2023-27561 - github.com/opencontainers/runc - v1.1.2 - v1.1.5
bin/containerd - HIGH - CVE-2022-41721 - golang.org/x/net - v0.1.1-0.20221027164007-c63010009c80 - 0.1.1-0.20221104162952-702349b0e862
bin/containerd - HIGH - CVE-2022-41723 - golang.org/x/net - v0.1.1-0.20221027164007-c63010009c80 - 0.7.0
bin/runc - HIGH - CVE-2021-33194 - golang.org/x/net - v0.0.0-20201224014010-6772e930b67b - 0.0.0-20210520170846-37e1c6afe023
bin/runc - HIGH - CVE-2021-44716 - golang.org/x/net - v0.0.0-20201224014010-6772e930b67b - 0.0.0-20211209124913-491a49abca63
bin/runc - HIGH - CVE-2022-27664 - golang.org/x/net - v0.0.0-20201224014010-6772e930b67b - 0.0.0-20220906165146-f3363e06e74c
bin/runc - HIGH - CVE-2022-41723 - golang.org/x/net - v0.0.0-20201224014010-6772e930b67b - 0.7.0

Describe the solution you'd like

Bump runc to v1.1.6
Bump containerd to v1.6.20
No major CVEs should exist in the k3s binary

Describe alternatives you've considered
Continue to field questions on why we have CVEs in our images.

Additional context

@dereknola dereknola added the area/dependencies Pull requests that update a dependency file label Apr 20, 2023
@dereknola dereknola added this to the v1.27.2+k3s1 milestone Apr 20, 2023
@dereknola dereknola self-assigned this Apr 20, 2023
brandond commented
containerd 1.6.20 is still using an old /x/net version

We should be able to fix that on our containerd fork, no?

VestigeJ commented May 2, 2023

Environment Details
Before update versions in use by VERSION=v1.27.1+k3s1
After update versions in use on new COMMIT=132b41c3bf9ab059e5e0ffcbcc2600b08b640b8f

Infrastructure

  • Cloud

Node(s) CPU architecture, OS, and version:

1 server node

Linux 5.14.21-150400.24.11-default x86_64 GNU/Linux SUSE Linux Enterprise Server 15 SP4

Cluster Configuration:

NAME               STATUS   ROLES                       AGE     VERSION
ip-1-1-1-181       Ready    control-plane,etcd,master   2m57s   v1.27.1+k3s1 

Config.yaml:

write-kubeconfig-mode: 644
debug: true
token: chagaisntactuallymeshroom
profile: cis-1.23
selinux: true
protect-kernel-defaults: true
cluster-init: true

Initial Versions to compare

$ curl https://get.k3s.io --output install-"k3s".sh
$ sudo chmod +x install-"k3s".sh
$ sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$ sudo modprobe ip_vs_rr
$ sudo modprobe ip_vs_wrr
$ sudo modprobe ip_vs_sh
$ sudo printf "vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n" > ~/90-kubelet.conf
$ sudo cp 90-kubelet.conf /etc/sysctl.d/
$ sudo systemctl restart systemd-sysctl
$ sudo INSTALL_K3S_VERSION=v1.27.1+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh 
$ set_kubefig 
$ kgn -o wide
$ /var/lib/rancher/k3s/data/current/bin/runc --version
$ get_report 

Results:

$ kgn -o wide

NAME               STATUS   ROLES                       AGE   VERSION        INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                              KERNEL-VERSION                 CONTAINER-RUNTIME
ip-1-1-1-181       Ready    control-plane,etcd,master   12s   v1.27.1+k3s1   1.1.1.181         <none>        SUSE Linux Enterprise Server 15 SP4   5.14.21-150400.24.11-default   containerd://1.6.19-k3s1

$ /var/lib/rancher/k3s/data/current/bin/runc --version

runc version 1.1.5
commit: v1.1.5-0-gf19387a
spec: 1.0.2-dev
go: go1.20.3
libseccomp: 2.5.4

Versions in use after upgrading to COMMIT

Validation Steps

$ sudo INSTALL_K3S_COMMIT=132b41c3bf9ab059e5e0ffcbcc2600b08b640b8f INSTALL_K3S_EXEC=server ./install-k3s.sh

Results:

$ kgn -o wide

NAME               STATUS   ROLES                       AGE     VERSION                INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                              KERNEL-VERSION                 CONTAINER-RUNTIME
ip-1-1-1-181      Ready    control-plane,etcd,master   4m37s   v1.27.1+k3s-132b41c3   1.1.1.181        <none>        SUSE Linux Enterprise Server 15 SP4   5.14.21-150400.24.11-default   containerd://1.6.20-k3s1

$ /var/lib/rancher/k3s/data/current/bin/runc --version

runc version 1.1.6
commit: v1.1.6-0-g0f48801
spec: 1.0.2-dev
go: go1.20.3
libseccomp: 2.5.4

Additional context / logs:

$ sudo INSTALL_K3S_COMMIT=132b41c3bf9ab059e5e0ffcbcc2600b08b640b8f INSTALL_K3S_EXEC=server ./install-k3s.sh
[INFO] Using commit 132b41c as release
[INFO] Downloading hash https://k3s-ci-builds.s3.amazonaws.com/k3s-132b41c3bf9ab059e5e0ffcbcc2600b08b640b8f.sha256sum
[INFO] Downloading binary https://k3s-ci-builds.s3.amazonaws.com/k3s-132b41c3bf9ab059e5e0ffcbcc2600b08b640b8f
[INFO] Verifying binary download
[INFO] Installing k3s to /usr/local/bin/k3s
[INFO] Skipping installation of SELinux RPM
[INFO] Skipping /usr/local/bin/kubectl symlink to k3s, already exists
[INFO] Skipping /usr/local/bin/crictl symlink to k3s, already exists
[INFO] Skipping /usr/local/bin/ctr symlink to k3s, already exists
[INFO] Creating killall script /usr/local/bin/k3s-killall.sh
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service
[INFO] systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO] systemd: Starting k3s

@VestigeJ VestigeJ closed this as completed May 2, 2023
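As an added example (not part of the issue and not k3s project code), the validation step above can be scripted so the check is repeatable after every dependency bump: feed it the `runc --version` output and the node's container runtime string and it confirms both are at or above the floors this issue asks for (runc 1.1.6, containerd 1.6.20). The sample outputs are constructed from the before/after results posted in this comment; the `RUNC_MIN`/`CONTAINERD_MIN` names and the helper functions are this example's own, and the version comparison deliberately avoids GNU `sort -V` so it runs under plain POSIX sh.

```shell
#!/bin/sh
# Added example (not k3s project code): check that the runc and containerd a k3s
# node actually runs are at or above the fix versions the issue targets.
# Floors are taken from the issue text; the sample outputs below are constructed
# from the "runc --version" and "kubectl get nodes" output posted above.

RUNC_MIN=1.1.6
CONTAINERD_MIN=1.6.20

# Reduce a version string to its dotted-numeric core:
#   "v1.1.6" -> "1.1.6", "containerd://1.6.20-k3s1" -> "1.6.20"
version_core() {
  v=${1##*://}          # drop a "containerd://" style scheme prefix
  v=${v#v}              # drop a leading "v"
  v=${v%%[!0-9.]*}      # cut at the first character that is not a digit or dot
  printf '%s\n' "$v"
}

# Return 0 if $1 >= $2 (field by field, missing fields count as 0), else 1.
# An empty or unparseable version compares below any real floor.
version_ge() {
  a=$(version_core "$1"); b=$(version_core "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
  done
  return 0
}

# Pull the version out of "runc --version" output ("runc version 1.1.6" ...).
runc_version() {
  printf '%s\n' "$1" | sed -n 's/^runc version \([0-9.]*\).*/\1/p'
}

# $1: full "runc --version" output; $2: the node's containerRuntimeVersion
# (the CONTAINER-RUNTIME column in kubectl, e.g. containerd://1.6.20-k3s1).
# Prints one line per check; returns 0 only if both meet their floor.
check_runtimes() {
  rc=0
  rv=$(runc_version "$1")
  if version_ge "$rv" "$RUNC_MIN"; then
    echo "runc ${rv:-unknown} >= $RUNC_MIN: ok"
  else
    echo "runc ${rv:-unknown} < $RUNC_MIN: still below fix version"; rc=1
  fi
  cv=$(version_core "$2")
  if version_ge "$cv" "$CONTAINERD_MIN"; then
    echo "containerd ${cv:-unknown} >= $CONTAINERD_MIN: ok"
  else
    echo "containerd ${cv:-unknown} < $CONTAINERD_MIN: still below fix version"; rc=1
  fi
  return $rc
}

# Constructed samples, copied from the before/after output in the issue.
RUNC_BEFORE='runc version 1.1.5
commit: v1.1.5-0-gf19387a
spec: 1.0.2-dev
go: go1.20.3
libseccomp: 2.5.4'
RUNC_AFTER='runc version 1.1.6
commit: v1.1.6-0-g0f48801
spec: 1.0.2-dev
go: go1.20.3
libseccomp: 2.5.4'

echo "== before bump (v1.27.1+k3s1)"
check_runtimes "$RUNC_BEFORE" "containerd://1.6.19-k3s1" || echo "(expected: node still carries the scanned versions)"
echo "== after bump (commit 132b41c)"
check_runtimes "$RUNC_AFTER" "containerd://1.6.20-k3s1"

# On a live node, feed it the real values instead:
#   check_runtimes "$(sudo /var/lib/rancher/k3s/data/current/bin/runc --version)" \
#     "$(kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.containerRuntimeVersion}')"
```

The comparison looks only at the numeric core, so a `-k3s1` suffix is ignored. It also proves only the runtime binary versions: the `golang.org/x/net` findings in the trivy list live inside the vendored Go modules of those binaries, and, as brandond's comment notes for containerd 1.6.20, a bumped runtime can still carry an old `/x/net`. Re-running the trivy scan on the new binary is what closes that part.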