Docker Security

There are four major areas to consider when reviewing Docker security:

  • the intrinsic security of the kernel and its support for namespaces and cgroups;

  • the attack surface of the Docker daemon itself;

  • loopholes in the container configuration profile, either by default, or when customized by users;

  • the “hardening” security features of the kernel and how they interact with containers.

https://docs.docker.com/engine/security/security/

Bash hacks. Structured directory listings.

$ lscsv -l /etc/profile |oi -t yaml -i csv --header "type,perm,hlinks,user,group,size,modified,name"
---
data:
- group: "root"
  hlinks: "1"
  modified: "Sep 16  2019"
  name: "/etc/profile"
  perm: "rw-r--r--"
  size: "902"
  type: "-"
  user: "root"

With `lscsv` (gist)

and `oi` (java)

wget https://schnasse.org/deb/oi_0.0.1.deb
sudo apt install ./oi_0.0.1.deb


Unix tools introduced. Today: cat

cat is a well-known command to concatenate the content of multiple files. Example: cat file1 file2 file3

But there are other use cases. cat offers a nice way to print multi-line strings. It is even possible to include variables in the string, which feels a little like using a templating language.

Example:

NAME=ADMIN@COMPANY.COM
cat <<EOF
Hello $LOGNAME,
please be aware. This system will be under maintenance soon.
Have a good day.
Sincerely
$NAME
EOF

For more info on the <<EOF visit this SO-Thread


Command Line Tools: The growth of options

I found this table here: https://danluu.com/cli-complexity/

command    1979  1996  2015  2017
ls           11    42    58    58
rm            3     7    11    12
mkdir         0     4     6     7
mv            0     9    13    14
cp            0    18    30    32
cat           1    12    12    12
pwd           0     2     4     4
chmod         0     6     9     9
echo          1     4     5     5
man           5    16    39    40
which               0     1     1
sudo                0    23    25
tar          12    53   134   139
touch         1     9    11    11
clear               0     0     0
find         14    57    82    82
ln            0    11    15    16
ps            4    22    85    85
ping               12    12    29
kill          1     3     3     3
ifconfig           16    25    25
chown         0     6    15    15
grep         11    22    45    45
tail          1     7    12    13
df            0    10    17    18
top                 6    12    14

Unix tools introduced. Today: rsync

rsync is a very cool tool that can be used to copy files between hosts or between directories on the same host. As the term ‘sync’ suggests, the copy process can be controlled in great detail to modulate rsync’s behavior. Take a look at the available options under: https://linux.die.net/man/1/rsync

This is my list of cool options. I start with the most basic usage. The following command can be used to copy, and later on sync, two directories.

rsync -avn /source/dir /target/dir

The command ‘archives’ file attributes (-a) and displays some status info (-v).

In the given form, the command only does a dry-run (-n). To execute the command remove the -n.

The command uses the short form of --archive (-a) which translates to (-rlptgoD).

  • -r – recursive copy
  • -l – copy symlinks as symlinks
  • -p – set target permissions to be the same as the source
  • -t – set target mtime to be the same as the source. Use this to support fast incremental updates based on mtime.
  • -g – set target group to be the same as the source
  • -o – set target owner to be the same as the source
  • -D – if the remote user is the superuser, this recreates devices and other special files.

More cool options

Move

--remove-source-files This will remove copied files from source.

Update

--update This forces rsync to skip any files which exist on the destination and have a modified time that is newer than the source file.

Delete

--delete Delete files on target that do not exist in source tree.

Backup

--backup Make a backup of modified or removed files on target.

--backup-dir=$(date +%Y.%m.%d) Specify a backup dir on the target; here the directory name is the current date, so each run keeps its own set of backups.

What to copy?

--min-size=1 Do not copy empty files. This can be particularly interesting if you have corrupted files in the source.

--max-size=100K Copy only small files. Can be used to handle small and large files differently.

--existing Only overwrite files that already exist on the target. Do not create new files on the target.

--ignore-existing Only copy files that do not exist on target.

--exclude-from Define excludes in a file.

Scheduling, Bandwidth and Performance

--time-limit Ends rsync after a certain time limit.

--stop-at=y-m-dTh:m Ends rsync at a specific time.

--partial Allows partial copies in case of interruptions.

--bwlimit=100 Limits bandwidth; the value is given in KBytes/second. A good option if large files have to be transferred.

Output

  • -h – output numbers in a human-readable format.
  • --progress – display progress.
  • -i – log change info (itemize changes).
  • --log-file= – define a log file.
  • --quiet – no output.
  • -v – output status info. Add more ‘v’s for more detail.
  • Forgot to log any progress info? Use the following command to see which files rsync is working on right now:
    ls -l /proc/$(pidof rsync)/fd/*
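The options above combine into a mirror-with-safety-net routine: dry-run first, then sync with --delete while parking removed or overwritten files in a dated --backup-dir. This is an added example and not part of the original post; it assumes rsync is installed, that BACKUP_ROOT is an absolute path, and that EXCLUDES (optional) points to an --exclude-from file.

```shell
#!/bin/sh
# Added example: mirror SRC into DST with rsync, keeping anything that
# --delete removes or that gets overwritten under BACKUP_ROOT/<date>.
# Set DRY_RUN=1 to only show what would change (rsync -n) before committing.
set -eu

sync_with_backup() {
    src=${1%/}/                 # trailing slash: copy the *contents* of SRC
    dst=${2%/}/
    backup_dir="${3%/}/$(date +%Y.%m.%d)"   # one backup set per day (assumed layout)

    # -a keeps attributes, -i lists every change, --delete mirrors removals,
    # --backup/--backup-dir moves the old versions aside instead of losing them.
    set -- --archive --itemize-changes --human-readable \
           --delete --backup "--backup-dir=$backup_dir"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        set -- "$@" --dry-run
    fi

    # Optional exclude list, one pattern per line (e.g. *.tmp or .git/)
    if [ -n "${EXCLUDES:-}" ]; then
        set -- "$@" "--exclude-from=$EXCLUDES"
    fi

    rsync "$@" "$src" "$dst"
}
```

Run it once with DRY_RUN=1 and read the itemized list; only then run it again without the flag.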


JPackage – Launch Java Apps without JVM

The jpackage tool of Java 14 can be used to create platform-specific packages of Java apps. The app does not require a separately installed JVM to run.

Example

/opt/jdk-14/bin/jpackage --name etctoy --input target --main-jar etctoy.jar

The call is made from within a Maven project. etctoy.jar is a fat jar (size 6.6M), but the call should also work for regular jars with further dependencies in the target directory (see the --input parameter).

The result is a Debian package that installs the app under /opt/etctoy:

sudo dpkg -i etctoy_1.0-1_amd64.deb

The installation uses 140M of disk space.

To make the tool available on the command line, one should link the binary into /usr/bin:

sudo ln -s /opt/etctoy/bin/etctoy /usr/bin