taharqahi folks14:38
taharqaI got a weird issue14:38
taharqai've got /etc/init/docker.conf and inside the script I have 14:39
taharqa 14:39
taharqaif [ -f /etc/default/$UPSTART_JOB ]; then14:39
taharqa        . /etc/default/$UPSTART_JOB14:39
taharqa"$DOCKER" -d 14:39
taharqa 14:39
taharqawhere UPSTART_JOB is docker and in the /etc/default/docker file I have 14:39
taharqa 14:39
taharqaexport http_proxy="http$tmp1"14:39
taharqa 14:39
taharqaat the end http_proxy is something like http://myuser:mypassword@myhost.mycompany.com:80/14:40
taharqartierut is just computing password from crypted source14:40
taharqaproblem is that when "$DOCKER" -d is executed http_proxy became http://:@myhost.mycompany.com:80/ !14:40
taharqaupstart seems to remove myuser and mypassword from variable env. so my program can not work !14:40
taharqahow can I remove this behaviour ?14:40
xnoxtaharqa: are you sure the tmp1 results in full proxy? when exectued by the system job?14:46
taharqaxnox: yes i'm sure14:50
taharqaI execute the exact same script outsite of upstart14:51
taharqaand it works properly14:51
taharqauser and password are removed by a mysterious force14:51
taharqaI mean with upstart14:52
xnoxtaharqa: the environment that upstart runs it under is quite different. Can you try adding: "rtierut > /tmp/test-output" above tmp1 and check again?14:53
xnoxtaharqa: "env >> /tmp/test-output" should also help.14:53
taharqaalready done ^^14:54
taharqaI mean env is already logged14:54
taharqaI try to output "rtierut >             │ SpamapS14:55
taharqaoops sorry14:55
xnox... from within upstart job. not like executing it manually in any way. 14:56
taharqaresult is I got a cleaned output  14:58
taharqano user nor password14:59
xnoxso what does your script do?15:00
xnoxand can you paste full job docker.conf?15:00
xnoxit's probably a bug in your rtierut script.15:00
jodhtaharqa: http://upstart.ubuntu.com/cookbook/#determining-why-your-service-fails-to-start, http://upstart.ubuntu.com/cookbook/#see-the-environment-a-job-runs-in15:00
jodh, http://upstart.ubuntu.com/cookbook/#checking-how-a-service-might-react-when-run-as-a-job15:00
xnoxtaharqa: note that system jobs run as root, with no HOME set, etc.15:01
taharqaxnox: when I run "rtierut > /tmp/test-output" from the command line I got the good output15:01
taharqajodh: I chek your link now15:02
xnoxtaharqa: correct, but upstart does not run that command that way.15:02
xnoxtaharqa: i'm asking you to change things in /etc/default/docker...15:02
xnoxtaharqa: can you paste, (sanitized), contents of rtierut?15:02
taharqaxnox: yop15:03
xnox(maybe in private to me)15:03
taharqaxnox: ok15:03
taharqatmp1=`aya $odalyer`15:04
taharqatmp2=`aya $carmiut`15:04
taharqaecho $tmpx15:04
taharqa 15:04
xnoxtaharqa: but odalyer and carmiut variables are not set at alll... hence empty output.15:05
taharqain fact they are in /etc/environment15:06
xnoxtaharqa: it's a global job, so you do need to configure proxy for the whole machine.15:06
taharqaxnox: odalyer and carmiut can not be seen even if they are in /etc/environment ?15:07
xnoxtaharqa: add "env > /tmp/upstart-environment" in the /etc/default/docker, then do $ sudo start docker15:08
xnoxtaharqa: and you will see precisely what's the environmet like when your job is run.15:08
taharqaxnox: doing this now15:08
xnoxtaharqa: and i don't believe all the variables you expect to be, are available.15:08
xnoxtaharqa: you can probably "fix" it by souring /etc/environment, if it's safe to source.15:09
xnoxtaharqa: why are you doing it in such a way? are those passwords changing dynamically? because it's trivial for anyone to sniff it via /proc/$pid/environ after docker starts.15:09
taharqaxnox: yeah this is just a first naive protection15:10
taharqayou're right15:10
taharqaI can not just write down the password anyway15:11
taharqaand yes it changes sometimes15:11
xnoxtaharqa: it's better to e.g. add a "export http_proxy=http://user:pass@foo" into /etc/init/docker.override and mark that file readable by root only.15:11
xnoxtaharqa: and use e.g. puppet to rotate/set the file.15:11
xnoxtaharqa: also you'd want to use "hidepid=2" mount option on /proc such that non-root users cannot read it.15:12
taharqayou were right 15:12
taharqathere is no odalyer nor carmiut15:12
xnoxtaharqa: if one has root or physical access on the machine they can execute that file those helpers anyway15:13
taharqaa source /etc/environement should work though15:13
xnoxtaharqa: hidepid=2 and only readable by root is your best protection, which actually do limit non-root users from finding the proxy password out.15:13
taharqaxnox: wow , I try to undestand this one15:14
taharqaxnox: does /etc/init/docker.override is a upstart mechanism ?15:16
taharqaxnox: how this will help ?15:16
xnoxtaharqa: docker.conf can stay public / world readable / in puppet configs, yet docker.override can be managed more strictly with mode 600 owned by root.15:18
xnoxtaharqa:  see http://upstart.ubuntu.com/cookbook/ 15:18
xnoxtaharqa: .override allows to overlay stanza by stanza over the .conf configuration.15:18
xnoxtaharqa: but you also must mount or remount /proc with hidepid=2 mount option, which will prevent non-root users from reading /proc/$docker_pid/environ.15:19
taharqaxnox: thank you15:19
=== hidgw is now known as [_]\
=== [_]\ is now known as hidgw

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!