taharqa | hi folks | 14:38 |
---|---|---|
taharqa | I got a weird issue | 14:38 |
taharqa | I've got /etc/init/docker.conf and inside the script I have | 14:39 |
taharqa | | 14:39 |
taharqa | DOCKER=/usr/bin/$UPSTART_JOB | 14:39 |
taharqa | if [ -f /etc/default/$UPSTART_JOB ]; then | 14:39 |
taharqa | . /etc/default/$UPSTART_JOB | 14:39 |
taharqa | fi | 14:39 |
taharqa | "$DOCKER" -d | 14:39 |
taharqa | | 14:39 |
taharqa | where UPSTART_JOB is docker and in the /etc/default/docker file I have | 14:39 |
taharqa | | 14:39 |
taharqa | tmp1=$(rtierut) | 14:39 |
taharqa | export http_proxy="http$tmp1" | 14:39 |
taharqa | | 14:39 |
taharqa | at the end http_proxy is something like http://myuser:mypassword@myhost.mycompany.com:80/ | 14:40 |
taharqa | rtierut just computes the password from an encrypted source | 14:40 |
taharqa | the problem is that when "$DOCKER" -d is executed, http_proxy becomes http://:@myhost.mycompany.com:80/ ! | 14:40 |
taharqa | upstart seems to remove myuser and mypassword from the environment variable, so my program cannot work! | 14:40 |
taharqa | how can I remove this behaviour? | 14:40 |
xnox | taharqa: are you sure tmp1 results in the full proxy when executed by the system job? | 14:46 |
taharqa | xnox: yes I'm sure | 14:50 |
taharqa | I execute the exact same script outside of upstart | 14:51 |
taharqa | and it works properly | 14:51 |
taharqa | user and password are removed by a mysterious force | 14:51 |
taharqa | I mean with upstart | 14:52 |
xnox | taharqa: the environment that upstart runs it under is quite different. Can you try adding: "rtierut > /tmp/test-output" above tmp1 and check again? | 14:53 |
xnox | taharqa: "env >> /tmp/test-output" should also help. | 14:53 |
taharqa | already done ^^ | 14:54 |
taharqa | I mean env is already logged | 14:54 |
taharqa | I try to output "rtierut > │ SpamapS | 14:55 |
taharqa | oops sorry | 14:55 |
xnox | ... from within the upstart job, not by executing it manually in any way. | 14:56 |
taharqa | the result is I get a cleaned output | 14:58 |
taharqa | ://:@myhost.mycompany.com:80/ | 14:58 |
taharqa | no user nor password | 14:59 |
xnox | so what does your script do? | 15:00 |
xnox | and can you paste the full docker.conf job? | 15:00 |
xnox | it's probably a bug in your rtierut script. | 15:00 |
jodh | taharqa: http://upstart.ubuntu.com/cookbook/#determining-why-your-service-fails-to-start, http://upstart.ubuntu.com/cookbook/#see-the-environment-a-job-runs-in, http://upstart.ubuntu.com/cookbook/#checking-how-a-service-might-react-when-run-as-a-job | 15:00 |
xnox | taharqa: note that system jobs run as root, with no HOME set, etc. | 15:01 |
taharqa | xnox: when I run "rtierut > /tmp/test-output" from the command line I get the correct output | 15:01 |
taharqa | jodh: I'll check your links now | 15:02 |
xnox | taharqa: correct, but upstart does not run that command that way. | 15:02 |
xnox | taharqa: i'm asking you to change things in /etc/default/docker... | 15:02 |
xnox | taharqa: can you paste, (sanitized), contents of rtierut? | 15:02 |
taharqa | xnox: yop | 15:03 |
xnox | (maybe in private to me) | 15:03 |
taharqa | xnox: ok | 15:03 |
taharqa | #!/bin/bash | 15:04 |
taharqa | tmp1=$(aya $odalyer)  # decrypt the user name | 15:04 |
taharqa | tmp2=$(aya $carmiut)  # decrypt the password | 15:04 |
taharqa | tmpx="://$tmp1:$tmp2@myhost.mycompany.com:80/" | 15:04 |
taharqa | echo "$tmpx" | 15:04 |
taharqa | | 15:04 |
xnox | taharqa: but the odalyer and carmiut variables are not set at all... hence the empty output. | 15:05 |
taharqa | in fact they are in /etc/environment | 15:06 |
xnox | taharqa: it's a global job, so you do need to configure proxy for the whole machine. | 15:06 |
taharqa | xnox: odalyer and carmiut cannot be seen even if they are in /etc/environment? | 15:07 |
xnox | taharqa: add "env > /tmp/upstart-environment" in the /etc/default/docker, then do $ sudo start docker | 15:08 |
xnox | taharqa: and you will see precisely what the environment is like when your job is run. | 15:08 |
taharqa | xnox: doing this now | 15:08 |
xnox | taharqa: and I don't believe all the variables you expect are available. | 15:08 |
xnox | taharqa: you can probably "fix" it by sourcing /etc/environment, if it's safe to source. | 15:09 |
xnox | taharqa: why are you doing it in such a way? are those passwords changing dynamically? because it's trivial for anyone to sniff it via /proc/$pid/environ after docker starts. | 15:09 |
taharqa | xnox: yeah this is just a first naive protection | 15:10 |
taharqa | you're right | 15:10 |
taharqa | I cannot just write down the password anyway | 15:11 |
taharqa | and yes it changes sometimes | 15:11 |
xnox | taharqa: it's better to e.g. add a "export http_proxy=http://user:pass@foo" into /etc/init/docker.override and mark that file readable by root only. | 15:11 |
xnox | taharqa: and use e.g. puppet to rotate/set the file. | 15:11 |
xnox | taharqa: also you'd want to use "hidepid=2" mount option on /proc such that non-root users cannot read it. | 15:12 |
taharqa | you were right | 15:12 |
taharqa | there is no odalyer nor carmiut | 15:12 |
xnox | taharqa: if one has root or physical access on the machine they can execute that file and those helpers anyway | 15:13 |
taharqa | a source /etc/environment should work though | 15:13 |
xnox | taharqa: hidepid=2 and only readable by root is your best protection, which actually does limit non-root users from finding the proxy password out. | 15:13 |
taharqa | xnox: wow, I'll try to understand this one | 15:14 |
taharqa | xnox: is /etc/init/docker.override an upstart mechanism? | 15:16 |
taharqa | xnox: how will this help? | 15:16 |
xnox | taharqa: docker.conf can stay public / world readable / in puppet configs, yet docker.override can be managed more strictly with mode 600 owned by root. | 15:18 |
xnox | taharqa: see http://upstart.ubuntu.com/cookbook/ | 15:18 |
xnox | taharqa: .override allows overlaying, stanza by stanza, over the .conf configuration. | 15:18 |
xnox | taharqa: but you also must mount or remount /proc with hidepid=2 mount option, which will prevent non-root users from reading /proc/$docker_pid/environ. | 15:19 |
taharqa | xnox: thank you | 15:19 |
=== | hidgw is now known as [_]\ | |
=== | [_]\ is now known as hidgw | |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!