evbauer / MESA-Docker

MESA in a Docker Container for easy installation
MIT License

Dockerfile? #11

Closed MichaelJCole closed 5 years ago

MichaelJCole commented 5 years ago

Hi, what Dockerfile did you use to create the image?

I found this, but not the Dockerfile...

https://hub.docker.com/r/evbauer/mesa_lean

Thanks!

evbauer commented 5 years ago

Good question! Unfortunately I don't have a great answer. I've been making the docker images using commits based on interactive terminal sessions where I build mesa and do some cleanup afterward. I haven't yet taken the time to figure out how to build using a Dockerfile.

MichaelJCole commented 5 years ago

Hi @evbauer nothing personal, but that's totally insecure.

Here's an example Dockerfile if you want to get started:

https://github.com/comses/docker-mesa/blob/master/Dockerfile

evbauer commented 5 years ago

Thanks, I'll think about this.

Do you have any good references on insecurity of images made via commits? I'd like to better understand exactly what's insecure about it. Security isn't exactly paramount for this particular application. E.g. if the risk is only to data within the container, that really wouldn't be a problem.

MichaelJCole commented 5 years ago

Hi Evan,

The challenge is you could put anything inside that docker image. A crypto miner, or something that sends all the data to be sold online. There are also ways for Docker images to escape the container and hack the machine running them (there are multiple CVEs and some being patched right now):

https://duckduckgo.com/?q=docker+container+escape+vulnerability&atb=v101-5__&ia=web

See also this for how hackers use dependencies to run malicious code - these are also active now:

https://github.com/projectmesa/mesa/issues/558#issuecomment-500087977

It's not about what you're doing, but about how coders can relate to one another.

If you provided a Dockerfile based on the standard Python image, that would be super helpful. Someone could copy and modify w/o having to worry about dependency issues or trust the packaging.

https://github.com/comses/docker-mesa/blob/master/Dockerfile is an example

evbauer commented 5 years ago

Thanks. This is educational for me. I hadn't been staying up-to-date on Docker vulnerabilities like this. Your comment about an attack pattern on that other thread is very interesting.

However, I should also note that this repo/image is for containerizing the stellar evolution code MESA (Modules for Experiments in Stellar Astrophysics, mesa.sourceforge.net), not the Python project mesa, so I don't think this is what you're looking for.

Cheers, Evan

MichaelJCole commented 5 years ago

HAHAHA! LOL! That's hilarious. Thanks!

jackiekazil commented 5 years ago

Come on... another Mesa?!?!? That is the third!

@MichaelJCole - ty for starting this convo. I agree with you. Any interest in submitting a PR? If not, any interest in submitting a ticket that clearly defines what needs to happen (as opposed to being buried in comments)?

MichaelJCole commented 5 years ago

If you're interested, we continued the conversation here: https://github.com/projectmesa/mesa/issues/558