nightkr / docker-blockland

Run Blockland servers in Docker!

Keys are not currently persisted properly #1

Closed nightkr closed 10 years ago

nightkr commented 10 years ago

Blockland's DRM depends on the network interfaces staying consistent, but Docker recreates them on each restart. So far I see two possible solutions:

  1. Find out and give the ability to peg whatever info it is that Blockland's DRM depends on (@block8437, this is where you come in!)
  2. Store and reapply the key in plaintext on every restart

Obviously 1 would be vastly preferable if possible, since 2 depends much more on trusting the host, and leaves the whole thing open to security breaches.

Tungul commented 10 years ago

Can you force Docker to not recreate them? Feature request over at Docker?

nightkr commented 10 years ago

I think it's a docker issue, yes, but I think the issue is persisting the MAC address/hwaddr, not the TCP/IP stack's constant recreation.

nightkr commented 10 years ago

Did some searching around, basically this just requires dotcloud/docker#4918 to be resolved.

nightkr commented 10 years ago

Actually, this is already possible using the LXC exec-driver (though this is a bit more annoying now since the native driver is the default), which is doable by adding --exec-driver=lxc when launching the docker daemon.

nightkr commented 10 years ago

Just confirmed that the above works. Set the exec-driver and use --lxc-conf as documented in the other issue and the key keeps working.
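
The fix above pins the container's hardware address so the DRM sees the same NIC after every restart. As an added example that is not part of nightkr/docker-blockland or this thread, the script below derives a stable, locally administered unicast MAC from a per-server seed file, validates it, and prints the `docker run` invocation. The `--mac-address` flag, the seed path and the image name are assumptions (the thread itself used the `--exec-driver=lxc` plus `--lxc-conf` route on a 0.x daemon); nothing here touches the DRM key, which stays inside the container.

```shell
#!/bin/sh
# Added example, not code from nightkr/docker-blockland. Derives a stable
# MAC address for the Blockland container so Docker hands the DRM the same
# hwaddr on every restart, without storing the key itself in plaintext.

# Hash stdin with whichever SHA-256 tool is available.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# derive_mac SEED: print a 48-bit MAC built from the seed's SHA-256.
# First octet: set the locally-administered bit (0x02) and clear the
# multicast bit (0x01), so it can never collide with a vendor OUI and is
# always a unicast address the kernel will accept.
derive_mac() {
    hex=$(printf '%s' "$1" | sha256_hex)
    first=$(( 0x$(printf '%s' "$hex" | cut -c1-2) ))
    first=$(( (first | 0x02) & 0xFE ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" \
        "$(printf '%s' "$hex" | cut -c3-4)" \
        "$(printf '%s' "$hex" | cut -c5-6)" \
        "$(printf '%s' "$hex" | cut -c7-8)" \
        "$(printf '%s' "$hex" | cut -c9-10)" \
        "$(printf '%s' "$hex" | cut -c11-12)"
}

# is_valid_mac MAC: syntax check plus the two bit rules above.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ $(( first & 0x01 )) -eq 0 ] && [ $(( first & 0x02 )) -ne 0 ]
}

# Seed file (assumed path): generated once from the host RNG, mode 0600,
# then reused. Keep it outside any volume the container can read.
SEED_FILE=${SEED_FILE:-/var/lib/blockland/hwaddr.seed}
load_or_create_seed() {
    if [ ! -f "$SEED_FILE" ]; then
        mkdir -p "$(dirname "$SEED_FILE")"
        umask 077
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$SEED_FILE"
    fi
    cat "$SEED_FILE"
}

# run_command: print the docker invocation with the pinned MAC.
# --mac-address and the image name are assumptions for illustration.
run_command() {
    mac=$(derive_mac "$(load_or_create_seed)")
    is_valid_mac "$mac" || { echo "derived MAC is invalid: $mac" >&2; return 1; }
    printf 'docker run -d --mac-address=%s -P blockland-server\n' "$mac"
}

# Only act when invoked explicitly, so the functions can be sourced safely.
if [ "${1:-}" = "--print-run" ]; then
    run_command
fi
```

Run it as `sh pin-mac.sh --print-run` on the host; the same seed file always yields the same MAC, and two different servers on one host get distinct addresses because their seeds differ. Pinning only the MAC still leaves the Blockland binary and its key inside the container, which is the trust boundary option 1 in the thread was trying to keep.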

nightkr commented 10 years ago

For the record, Docker 0.11 now allows you to share the host's network interface with the guest, which should solve this, although it might cause other security considerations.

Tungul commented 10 years ago

Such as decrypting them? That problem still exists even if it's unique each time...

On May 8, 2014 11:54 PM, "Teo Klestrup Röijezon" notifications@github.com wrote:

> For the record, Docker 0.11 (http://blog.docker.io/2014/05/docker-0-11-release-candidate-for-1-0/) now allows you to share the host's network interface with the guest, which should solve this, although it might cause other security considerations.

nightkr commented 10 years ago

@Tungul Nah, but it would give the docker instance complete access to the host's NIC, so the BL instance could impersonate other servers' ports, etc. The suggested docker run command doesn't take advantage of it (-P means forward all ports automagically), but this could relatively simply be firewalled away when using Docker's default NAT solution.