/srv/irclogs.ubuntu.com/2014/01/03/#upstart.txt

taharqa	hi folks	14:38
taharqa	I got a weird issue	14:38
taharqa	i've got /etc/init/docker.conf and inside the script I have	14:39
taharqa		14:39
taharqa	DOCKER=/usr/bin/$UPSTART_JOB	14:39
taharqa	if [ -f /etc/default/$UPSTART_JOB ]; then	14:39
taharqa	. /etc/default/$UPSTART_JOB	14:39
taharqa	fi	14:39
taharqa	"$DOCKER" -d	14:39
taharqa		14:39
taharqa	where UPSTART_JOB is docker and in the /etc/default/docker file I have	14:39
taharqa		14:39
taharqa	tmp1=`rtierut`	14:39
taharqa	export http_proxy="http$tmp1"	14:39
taharqa		14:39
taharqa	at the end http_proxy is something like http://myuser:mypassword@myhost.mycompany.com:80/	14:40
taharqa	rtierut is just computing password from crypted source	14:40
taharqa	problem is that when "$DOCKER" -d is executed http_proxy became http://:@myhost.mycompany.com:80/ !	14:40
taharqa	upstart seems to remove myuser and mypassword from variable env. so my program can not work !	14:40
taharqa	how can I remove this behaviour ?	14:40
xnox	taharqa: are you sure the tmp1 results in full proxy? when exectued by the system job?	14:46
taharqa	xnox: yes i'm sure	14:50
taharqa	I execute the exact same script outsite of upstart	14:51
taharqa	and it works properly	14:51
taharqa	user and password are removed by a mysterious force	14:51
taharqa	I mean with upstart	14:52
xnox	taharqa: the environment that upstart runs it under is quite different. Can you try adding: "rtierut > /tmp/test-output" above tmp1 and check again?	14:53
xnox	taharqa: "env >> /tmp/test-output" should also help.	14:53
taharqa	already done ^^	14:54
taharqa	I mean env is already logged	14:54
taharqa	I try to output "rtierut > │ SpamapS	14:55
taharqa	oops sorry	14:55
xnox	... from within upstart job. not like executing it manually in any way.	14:56
taharqa	result is I got a cleaned output	14:58
taharqa	://:@myhost.mycompany.com:80/	14:58
taharqa	no user nor password	14:59
xnox	so what does your script do?	15:00
xnox	and can you paste full job docker.conf?	15:00
xnox	it's probably a bug in your rtierut script.	15:00
jodh	taharqa: http://upstart.ubuntu.com/cookbook/#determining-why-your-service-fails-to-start, http://upstart.ubuntu.com/cookbook/#see-the-environment-a-job-runs-in	15:00
jodh	, http://upstart.ubuntu.com/cookbook/#checking-how-a-service-might-react-when-run-as-a-job	15:00
xnox	taharqa: note that system jobs run as root, with no HOME set, etc.	15:01
taharqa	xnox: when I run "rtierut > /tmp/test-output" from the command line I got the good output	15:01
taharqa	jodh: I chek your link now	15:02
xnox	taharqa: correct, but upstart does not run that command that way.	15:02
xnox	taharqa: i'm asking you to change things in /etc/default/docker...	15:02
xnox	taharqa: can you paste, (sanitized), contents of rtierut?	15:02
taharqa	xnox: yop	15:03
xnox	(maybe in private to me)	15:03
taharqa	xnox: ok	15:03
taharqa	#!/bin/bash	15:04
taharqa	tmp1=`aya $odalyer`	15:04
taharqa	tmp2=`aya $carmiut`	15:04
taharqa	tmpx="://$tmp1:$tmp2@@myhost.mycompany.com:80/"	15:04
taharqa	echo $tmpx	15:04
taharqa		15:04
xnox	taharqa: but odalyer and carmiut variables are not set at alll... hence empty output.	15:05
taharqa	in fact they are in /etc/environment	15:06
xnox	taharqa: it's a global job, so you do need to configure proxy for the whole machine.	15:06
taharqa	xnox: odalyer and carmiut can not be seen even if they are in /etc/environment ?	15:07
xnox	taharqa: add "env > /tmp/upstart-environment" in the /etc/default/docker, then do $ sudo start docker	15:08
xnox	taharqa: and you will see precisely what's the environmet like when your job is run.	15:08
taharqa	xnox: doing this now	15:08
xnox	taharqa: and i don't believe all the variables you expect to be, are available.	15:08
xnox	taharqa: you can probably "fix" it by souring /etc/environment, if it's safe to source.	15:09
xnox	taharqa: why are you doing it in such a way? are those passwords changing dynamically? because it's trivial for anyone to sniff it via /proc/$pid/environ after docker starts.	15:09
taharqa	xnox: yeah this is just a first naive protection	15:10
taharqa	you're right	15:10
taharqa	I can not just write down the password anyway	15:11
taharqa	and yes it changes sometimes	15:11
xnox	taharqa: it's better to e.g. add a "export http_proxy=http://user:pass@foo" into /etc/init/docker.override and mark that file readable by root only.	15:11
xnox	taharqa: and use e.g. puppet to rotate/set the file.	15:11
xnox	taharqa: also you'd want to use "hidepid=2" mount option on /proc such that non-root users cannot read it.	15:12
taharqa	you were right	15:12
taharqa	there is no odalyer nor carmiut	15:12
xnox	taharqa: if one has root or physical access on the machine they can execute that file those helpers anyway	15:13
taharqa	a source /etc/environement should work though	15:13
xnox	taharqa: hidepid=2 and only readable by root is your best protection, which actually do limit non-root users from finding the proxy password out.	15:13
taharqa	xnox: wow , I try to undestand this one	15:14
taharqa	understand*	15:14
taharqa	xnox: does /etc/init/docker.override is a upstart mechanism ?	15:16
taharqa	xnox: how this will help ?	15:16
xnox	taharqa: docker.conf can stay public / world readable / in puppet configs, yet docker.override can be managed more strictly with mode 600 owned by root.	15:18
xnox	taharqa: see http://upstart.ubuntu.com/cookbook/	15:18
xnox	taharqa: .override allows to overlay stanza by stanza over the .conf configuration.	15:18
xnox	taharqa: but you also must mount or remount /proc with hidepid=2 mount option, which will prevent non-root users from reading /proc/$docker_pid/environ.	15:19
taharqa	xnox: thank you	15:19
=== hidgw is now known as [_]\
=== [_]\ is now known as hidgw

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!