docker runc漏洞修复

Docker runc 容器逃逸漏洞是一个严重安全漏洞，影响 runc 组件（Docker、containerd 等容器运行时的核心工具），攻击者可利用该漏洞实现容器逃逸，获得宿主机的 root 权限。

影响范围：runc 版本：≤ 1.0.0-rc94

Euler 操作系统OS 2.10 Docker 'runc'容器逃逸漏洞(CVE-2019-5736) 和 Docker runc容器逃逸漏洞(CVE-2021-30465)修复步骤：
1.备份容器的镜像：
1）docker commit 23f2569c935e 23f2280c935e-backup:20251127
2）docker save -o /opt/23f2239c389e-backup20251127.tar 23f2239c389e-backup:20251127

2.查看容器挂载情况：
 docker inspect 23f
"Mounts": [
{
"Type": "bind",
"Source": "/var/lib/hiveagent/conf",
"Destination": "/etc/titanagent",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/var/log/hiveagent",
"Destination": "/var/log/titanagent",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/var/lib/hiveagent",
"Destination": "/titan/agent/conf",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],

3.备份原始runc文件：cp /usr/bin/runc /opt/runc.bak20251128
4.开始修复漏洞：查看runc是否升级到新版本
cp runc.arm64 /usr/bin/runc
cp: overwrite '/usr/bin/runc'? yes
 chmod +x /usr/bin/runc
 runc --version
runc version 1.4.0
commit: v1.4.0-0-g8bd78a99
spec: 1.3.0
go: go1.24.10
libseccomp: 2.5.6
5.重启dokcer服务：
 systemctl restart docker
6.查看docker服务是否重启成功：
 systemctl status docker