do you still continue the project?

[changemenemo]

Hi I wanted to know if you will continue the project by put the new ubuntu etc....?

[martinhbramwell]

Good question! I'll look into that this week. Apart from Ubuntu 16.04, are you hoping for something else as well?

[changemenemo]

Well in fact now that I think about it, it's not really necessary to update to 16.04 unless we need a technology which is really more up to date in 16.04 but maybe it's even better to stay on 14.04 since we don't need any hardware improvements in a docker. What do you think about it? Maybe it could be a good idea to put a ip banishment system like fail2ban?

[changemenemo]

Maybe a problem to investigate is that if you restart the host server then when you try to restart and reconnect to the container, it will tells you that there is a credential problem

[martinhbramwell]

I'm very sorry. It's hard for me to make this a priority right now.

[changemenemo]

no problem mate. anyway your images is still working so it's okey, just tell me when you have ea bit more time.

[changemenemo]

I would like one request, less environment variables? it's not enough understandable. And I don't know why but I can't start it anymore

[changemenemo]

is there a reason about to manage the whole container with environment var?

[martinhbramwell]

I don't understand. Which environment variables do you think should be eliminated? What would you do instead?

[changemenemo]

So I thought about the problem of env... We have at least 2 security risk in this container,

INITRD=no SUDO_UID=1000 USERNAME=root MAIL=/var/mail/root PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/root LANG=en_US.UTF-8 QT_GRAPHICSSYSTEM=native USER_PWRD= erased for security SHLVL=1 SUDO_COMMAND=/bin/bash HOME=/root LANGUAGE=en_US LOGNAME=root LC_CTYPE=en_US.UTF-8 LESSOPEN=| /usr/bin/lesspipe %s SUDO_GID=1000 DISPLAY=:50.0 LESSCLOSE=/usr/bin/lesspipe %s %s SSH_KEYS= erase for security...

I'm not sure that's the best idea to put the ssh key and the password of the only user configured in the env, or we should find another way to erase it after use... And also what I meant about envvar it's that the more envvar you put in the run command the more it become complicated for the lambda user. Maybe it's even better that we do an shell interaction at the start of the container no?

[martinhbramwell]

Are you saying I have exposed a password and ssh keys?

[changemenemo]

well seems to yes... can you at least verify on your end? just to be sure that it's not an error of manipulation from me?

[martinhbramwell]

Are you referring to this line 43 in add_ssh_env_keys.sh?

[changemenemo]

not especially a line in your dockerfile, just run the container and see if you have something like me in printenv

[martinhbramwell]

Just out of curiosity, have you run into problems with zombie processes? I had them so often, and found no one offering any kind of solution, that I gave up on the idea of using these docker images for anything but development. Seeing them as simply disposable test devices left me quite uninterested in taking time with security issues.

[changemenemo]

well, which kind of zombie problems? but did yo utest what I said?

[martinhbramwell]

When a docker container starts up there is a hand over of processes from the host to the guest. Something similar happens when a GUI launches. Zombies are process trees that have become unrooted from the process that launched them. I had a lot of trouble with launched containers that suddenly began using 100% CPU. When I'd find the process that was doing it, it was always a zombie, created in the host by the GUI in the container.. Stopping the container did not stop the zombie. It couldn't because the zombie no longer belonged to the container. The only way to kill the zombie was to reboot the host machine. So, my usage of these "X2Go Phusion" containers is only ever in a staging machine. Not in my development workstation and not in any production machine.

This is why I am completely uninterested in security issues.

[changemenemo]

No I don't have any zombie process from docker container for a long time ago I think. It was more a docker problem than the container itself .... anyway you can be reassured I think it's over... But which kind of host did you used? So maybe it's the time to restart your interest:)

[changemenemo]

so did you look about zombie process?