[14:38] <taharqa> hi folks
[14:38] <taharqa> I got a weird issue
[14:39] <taharqa> i've got /etc/init/docker.conf and inside the script I have 
[14:39] <taharqa>  
[14:39] <taharqa> DOCKER=/usr/bin/$UPSTART_JOB
[14:39] <taharqa> if [ -f /etc/default/$UPSTART_JOB ]; then
[14:39] <taharqa>         . /etc/default/$UPSTART_JOB
[14:39] <taharqa> fi
[14:39] <taharqa> "$DOCKER" -d 
[14:39] <taharqa>  
[14:39] <taharqa> where UPSTART_JOB is docker and in the /etc/default/docker file I have 
[14:39] <taharqa>  
[14:39] <taharqa> tmp1=`rtierut`
[14:39] <taharqa> export http_proxy="http$tmp1"
[14:39] <taharqa>  
[14:40] <taharqa> at the end http_proxy is something like http://myuser:mypassword@myhost.mycompany.com:80/
[14:40] <taharqa> rtierut is just computing password from crypted source
[14:40] <taharqa> problem is that when "$DOCKER" -d is executed http_proxy became http://:@myhost.mycompany.com:80/ !
[14:40] <taharqa> upstart seems to remove myuser and mypassword from variable env. so my program can not work !
[14:40] <taharqa> how can I remove this behaviour ?
[14:46] <xnox> taharqa: are you sure the tmp1 results in full proxy? when exectued by the system job?
[14:50] <taharqa> xnox: yes i'm sure
[14:51] <taharqa> I execute the exact same script outsite of upstart
[14:51] <taharqa> and it works properly
[14:51] <taharqa> user and password are removed by a mysterious force
[14:52] <taharqa> I mean with upstart
[14:53] <xnox> taharqa: the environment that upstart runs it under is quite different. Can you try adding: "rtierut > /tmp/test-output" above tmp1 and check again?
[14:53] <xnox> taharqa: "env >> /tmp/test-output" should also help.
[14:54] <taharqa> already done ^^
[14:54] <taharqa> I mean env is already logged
[14:55] <taharqa> I try to output "rtierut >             │ SpamapS
[14:55] <taharqa> oops sorry
[14:56] <xnox> ... from within upstart job. not like executing it manually in any way. 
[14:58] <taharqa> result is I got a cleaned output  
[14:58] <taharqa> ://:@myhost.mycompany.com:80/
[14:59] <taharqa> no user nor password
[15:00] <xnox> so what does your script do?
[15:00] <xnox> and can you paste full job docker.conf?
[15:00] <xnox> it's probably a bug in your rtierut script.
[15:00] <jodh> taharqa: http://upstart.ubuntu.com/cookbook/#determining-why-your-service-fails-to-start, http://upstart.ubuntu.com/cookbook/#see-the-environment-a-job-runs-in
[15:00] <jodh> , http://upstart.ubuntu.com/cookbook/#checking-how-a-service-might-react-when-run-as-a-job
[15:01] <xnox> taharqa: note that system jobs run as root, with no HOME set, etc.
[15:01] <taharqa> xnox: when I run "rtierut > /tmp/test-output" from the command line I got the good output
[15:02] <taharqa> jodh: I chek your link now
[15:02] <xnox> taharqa: correct, but upstart does not run that command that way.
[15:02] <xnox> taharqa: i'm asking you to change things in /etc/default/docker...
[15:02] <xnox> taharqa: can you paste, (sanitized), contents of rtierut?
[15:03] <taharqa> xnox: yop
[15:03] <xnox> (maybe in private to me)
[15:03] <taharqa> xnox: ok
[15:04] <taharqa> #!/bin/bash
[15:04] <taharqa> tmp1=`aya $odalyer`
[15:04] <taharqa> tmp2=`aya $carmiut`
[15:04] <taharqa> tmpx="://$tmp1:$tmp2@@myhost.mycompany.com:80/"
[15:04] <taharqa> echo $tmpx
[15:04] <taharqa>  
[15:05] <xnox> taharqa: but odalyer and carmiut variables are not set at alll... hence empty output.
[15:06] <taharqa> in fact they are in /etc/environment
[15:06] <xnox> taharqa: it's a global job, so you do need to configure proxy for the whole machine.
[15:07] <taharqa> xnox: odalyer and carmiut can not be seen even if they are in /etc/environment ?
[15:08] <xnox> taharqa: add "env > /tmp/upstart-environment" in the /etc/default/docker, then do $ sudo start docker
[15:08] <xnox> taharqa: and you will see precisely what's the environmet like when your job is run.
[15:08] <taharqa> xnox: doing this now
[15:08] <xnox> taharqa: and i don't believe all the variables you expect to be, are available.
[15:09] <xnox> taharqa: you can probably "fix" it by souring /etc/environment, if it's safe to source.
[15:09] <xnox> taharqa: why are you doing it in such a way? are those passwords changing dynamically? because it's trivial for anyone to sniff it via /proc/$pid/environ after docker starts.
[15:10] <taharqa> xnox: yeah this is just a first naive protection
[15:10] <taharqa> you're right
[15:11] <taharqa> I can not just write down the password anyway
[15:11] <taharqa> and yes it changes sometimes
[15:11] <xnox> taharqa: it's better to e.g. add a "export http_proxy=http://user:pass@foo" into /etc/init/docker.override and mark that file readable by root only.
[15:11] <xnox> taharqa: and use e.g. puppet to rotate/set the file.
[15:12] <xnox> taharqa: also you'd want to use "hidepid=2" mount option on /proc such that non-root users cannot read it.
[15:12] <taharqa> you were right 
[15:12] <taharqa> there is no odalyer nor carmiut
[15:13] <xnox> taharqa: if one has root or physical access on the machine they can execute that file those helpers anyway
[15:13] <taharqa> a source /etc/environement should work though
[15:13] <xnox> taharqa: hidepid=2 and only readable by root is your best protection, which actually do limit non-root users from finding the proxy password out.
[15:14] <taharqa> xnox: wow , I try to undestand this one
[15:14] <taharqa> understand*
[15:16] <taharqa> xnox: does /etc/init/docker.override is a upstart mechanism ?
[15:16] <taharqa> xnox: how this will help ?
[15:18] <xnox> taharqa: docker.conf can stay public / world readable / in puppet configs, yet docker.override can be managed more strictly with mode 600 owned by root.
[15:18] <xnox> taharqa:  see http://upstart.ubuntu.com/cookbook/ 
[15:18] <xnox> taharqa: .override allows to overlay stanza by stanza over the .conf configuration.
[15:19] <xnox> taharqa: but you also must mount or remount /proc with hidepid=2 mount option, which will prevent non-root users from reading /proc/$docker_pid/environ.
[15:19] <taharqa> xnox: thank you
=== hidgw is now known as [_]\
=== [_]\ is now known as hidgw