ops/k0: bump runc to 1.1.12 (CVE-2024-21626)

Change-Id: I204f0a296b600143da43b8c8e34d70d4dcb1b8aa Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1903 Reviewed-by: informatic <informatic@hackerspace.pl>
2024-02-08 12:44:39 +01:00 · 2024-02-08 12:44:39 +01:00 · faf8a41a83
parent 1b3774b584
commit faf8a41a83
1 changed files with 18 additions and 1 deletions
--- a/ops/hive.nix
+++ b/ops/hive.nix
@ -7,6 +7,14 @@ let
  hscloud = import ../default.nix { };
  pkgs = hscloud.pkgs;

+  nixpkgsForRunc112 = import
+    (pkgs.fetchFromGitHub {
+      owner = "nixos";
+      repo = "nixpkgs";
+      rev = "f6a0dcdc5008e7aa6ccac5b99a02b73461540789";
+      sha256 = "sha256-ro5vOuY6kDvqXFWLRMcXKkEurJZSD+DQ866aWp0tARk=";
+    }) {};
+
  # TODO(patryk): unpin and upgrade
  nixpkgsMachines = import
    (pkgs.fetchFromGitHub {
@ -15,7 +23,16 @@ let
      rev = "e26c0ffdb013cd378fc2528a44689a8bf35d2a6c";
      sha256 = "1b33hw35fqb9rzszdg5jpiyfvhx2cxpv0qrkyr19zkdpdahzdbss";
    })
-    { };
+    {
+      overlays = [
+        (self: super: {
+          # Bump runc to 1.1.12 fix CVE-2024-21626
+          # Taking it from another nixpkgs is the easiest, as nixpkgsMachines'
+          # Go is too old to build a newer verison of runc from upstream.
+          runc = nixpkgsForRunc112.runc;
+        })
+      ];
+    };

  mkClusterMachine = path: {
    deployment.tags = [ "k8s" ];