gStart9
commented
1 year ago Hi fellas. I just saw this in my CLN logs:
2023-06-27T04:34:59+00:00 2023-06-27T04:34:59.981Z UNUSUAL plugin-clboss: DnsSeed: always-use-proxy set, but none of our known seeds could be accessed over
torify. Istorifyinstalled?
Checked and it seems torsocks (aka torify) never made it to the final container, so I added that in (along with ca-certificates for good measure). Another thing I did is have it make sure all the debian repos in /etc/apt/sources.list use https and then actually do an apt -y upgrade in every container along the way of building / compiling all these apps. I'm not sure it's completely necessary but I get paranoid when I see things like this:
root@c-lightning:/app# apt list --upgradable
Listing... Done
bind9-dnsutils/oldstable-security 1:9.16.42-1~deb11u1 amd64 [upgradable from: 1:9.16.37-1~deb11u1]
bind9-host/oldstable-security 1:9.16.42-1~deb11u1 amd64 [upgradable from: 1:9.16.37-1~deb11u1]
bind9-libs/oldstable-security 1:9.16.42-1~deb11u1 amd64 [upgradable from: 1:9.16.37-1~deb11u1]
dnsutils/oldstable-security 1:9.16.42-1~deb11u1 all [upgradable from: 1:9.16.37-1~deb11u1]
libssl1.1/oldstable-security 1.1.1n-0+deb11u5 amd64 [upgradable from: 1.1.1n-0+deb11u4]
openssl/oldstable-security 1.1.1n-0+deb11u5 amd64 [upgradable from: 1.1.1n-0+deb11u4]So I figure that it's better if at each container in which software gets built, the newest security fixes like openssl are there. LMK if it's not a concern for some reason and I can remove them. At the very least I'm pretty sure apt -y upgrade is a good step to take in the 'final' container.
k0gen
Dominion5254
and ensure 'torify' (torsocks) is installed