-rw-r--r--g3doc/user_guide/FAQ.md2
-rw-r--r--g3doc/user_guide/containerd/quick_start.md3
-rw-r--r--website/blog/2020-09-18-containing-a-real-vulnerability.md9
3 files changed, 10 insertions, 4 deletions
diff --git a/g3doc/user_guide/FAQ.md b/g3doc/user_guide/FAQ.md
index 514fe3918..69033357c 100644
--- a/g3doc/user_guide/FAQ.md
+++ b/g3doc/user_guide/FAQ.md
@@ -111,7 +111,7 @@ Please recreate your cluster and set the `--cni-socket` option on kubeadm
commands. For example:
```bash
-kubeadm init --cni-socket=/var/run/containerd/containerd.sock` ...
+kubeadm init --cni-socket=/var/run/containerd/containerd.sock ...
```
To fix an existing cluster edit the `/var/lib/kubelet/kubeadm-flags.env` file
diff --git a/g3doc/user_guide/containerd/quick_start.md b/g3doc/user_guide/containerd/quick_start.md
index 2f67eecb3..b6a3186d8 100644
--- a/g3doc/user_guide/containerd/quick_start.md
+++ b/g3doc/user_guide/containerd/quick_start.md
@@ -3,6 +3,9 @@
This document describes how to install and configure `containerd-shim-runsc-v1`
using the containerd runtime handler support on `containerd` 1.2 or later.
+> ⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you
+> may run into issues. See the [FAQ](../FAQ.md#runtime-handler) for details.
+
## Requirements
- **runsc** and **containerd-shim-runsc-v1**: See the
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md
index c1b06a996..8a6f7bbf1 100644
--- a/website/blog/2020-09-18-containing-a-real-vulnerability.md
+++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md
@@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
po->tp_reserve;
} else {
unsigned int maclen = skb_network_offset(skb);
- // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
+ // tp_reserve is unsigned int, netoff is unsigned short.
+ // Addition can overflow netoff
netoff = TPACKET_ALIGN(po->tp_hdrlen +
(maclen < 16 ? 16 : maclen)) +
po->tp_reserve;
@@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
netoff += sizeof(struct virtio_net_hdr);
do_vnet = true;
}
- // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
+ // Attacker controls netoff and can make macoff be smaller
+ // than sizeof(struct virtio_net_hdr)
macoff = netoff - maclen;
}
// ...
- // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
+ // "macoff - sizeof(struct virtio_net_hdr)" can be negative,
+ // resulting in a pointer before h.raw
if (do_vnet &&
virtio_net_hdr_from_skb(skb, h.raw + macoff -
sizeof(struct virtio_net_hdr),