In case anyone finds this useful, here is how I patched the last
remaining unpatched container in eduid. This particular container didn't
want to play along nicely when I tried to patch it during the week, but
yesterday I finally found out why and had it running in our
staging environment. Today, when I wanted to tag it as stable and release
it, it turned out that docker.sunet.se was unavailable, perhaps for
upgrades to the new version?
However, I didn't want to wait any longer with patching, so I did it
locally on the machines running the vulnerable container as follows:
1. Make a backup in case something goes wrong:
   docker tag docker.sunet.se/eduid/eduid-signup:stable \
       docker.sunet.se/eduid/eduid-signup:stable-backup-2016-02-20
2. Enter the container:
   root@signup-tug-3:~# docker exec -it eduid-signup /bin/bash
3. Run apt-get update and apt-get upgrade inside the container.
4. Exit the container and get the container ID:
   root@signup-tug-3:~# docker ps -q --filter=name=eduid-signup
   fbffa2f6e0de
5. Create a new image from the running container:
   docker commit -m="Upgraded glibc" -a="john@nordu.net" fbffa2f6e0de \
       docker.sunet.se/eduid/eduid-signup:stable
6. service docker-eduid-signup restart
7. Verify that the new image contains the patched version:
   docker exec -it eduid-signup sh -c "dpkg -l libc-bin|tail -1"
//John
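The seven steps above as one script, with the checks a second pair of hands would want: a dated rollback tag, an exact container lookup, a non-interactive apt run, and a version check before and after so the script is a no-op on hosts that are already fixed. This is an added example for this thread, not John's own script; the image, container and service names are taken from his mail, while the target version 2.19-0ubuntu6.7, the committer address and the script name are assumptions.

```shell
#!/bin/sh
# Live-patch a running container: upgrade inside it, commit the result over
# the :stable tag, restart the service, verify. Added example for this
# thread, not the original poster's script; the names below are assumptions.
set -eu

IMAGE=${IMAGE:-docker.sunet.se/eduid/eduid-signup:stable}
CONTAINER=${CONTAINER:-eduid-signup}       # container name (exact match below)
SERVICE=${SERVICE:-docker-eduid-signup}    # init service that runs it
PKG=${PKG:-libc-bin}
WANT=${WANT:-2.19-0ubuntu6.7}              # assumed: first version with the fix
AUTHOR=${AUTHOR:-ops@example.org}          # placeholder committer

# Pull the version field out of "dpkg -l PKG" output, e.g.
#   ii  libc-bin  2.19-0ubuntu6.6  amd64  Embedded GNU C Library: Binaries
parse_dpkg_version() {
    awk '$1 == "ii" { print $3; exit }'
}

# Version of $PKG inside the running container. No -t: a script has no TTY.
installed_version() {
    docker exec "$CONTAINER" dpkg -l "$PKG" | parse_dpkg_version
}

# version_ge A B: exit 0 if Debian version A >= B. Uses dpkg when the host
# has it (the Ubuntu hosts in the thread do); otherwise compares numeric
# fields left to right, enough for "6.6 -> 6.7" style security bumps but
# not full Debian version policy.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        awk -v a="$1" -v b="$2" 'BEGIN {
            na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (x[i] + 0 > y[i] + 0) exit 0
                if (x[i] + 0 < y[i] + 0) exit 1
            }
            exit 0
        }'
    fi
}

patch_container() {
    before=$(installed_version)
    if version_ge "$before" "$WANT"; then
        echo "$CONTAINER: $PKG $before already >= $WANT, nothing to do"
        return 0
    fi
    backup="$IMAGE-backup-$(date +%Y-%m-%d)"
    # 1. keep what :stable points at now, so a bad commit can be tagged back
    docker tag "$IMAGE" "$backup"
    # 2-3. upgrade non-interactively; files on disk change, but running
    #      processes keep the old libc mapped until the restart in step 6
    docker exec "$CONTAINER" sh -c \
        'export DEBIAN_FRONTEND=noninteractive; apt-get update -q && apt-get upgrade -y -q'
    # 4-5. commit the container's filesystem over the :stable tag. inspect
    #      gives exactly this container; "docker ps --filter name=" is a
    #      substring match and would also hit eduid-signup-old and the like
    cid=$(docker inspect -f '{{.Id}}' "$CONTAINER")
    docker commit -m "Upgraded $PKG to >= $WANT" -a "$AUTHOR" "$cid" "$IMAGE"
    # 6. restart through the init script so the container is recreated from
    #    the new image and every process loads the new glibc
    service "$SERVICE" restart
    # 7. verify, and say how to roll back if it did not take
    after=$(installed_version)
    if ! version_ge "$after" "$WANT"; then
        echo "$CONTAINER still has $PKG $after; rollback: docker tag $backup $IMAGE" >&2
        return 1
    fi
    echo "$CONTAINER: $PKG $before -> $after"
}

# Run the procedure only when executed as a script named patch-container.sh,
# so the functions can also be sourced and exercised on their own.
case "$0" in *patch-container.sh) patch_container ;; esac
```

Save it as patch-container.sh and run it as root on each host. What apt upgraded is baked into the committed image only; the Dockerfile the image is normally built from still lacks the fix, so the next ordinary build and push of :stable brings the old glibc back unless the Dockerfile is fixed too.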
Hi!
How have you built new Ubuntu-based Docker images?
I rebuilt docker.sunet.se/stud but don't seem to have gotten what I
need (19-0ubuntu6.7):
--8<---------------cut here---------------start------------->8---
linus@f0:~/usr/share/logs/plausible$ docker exec -it plausible-tls-1 sh -c "dpkg -l libc-bin|tail -1"
ii  libc-bin  2.19-0ubuntu6.6  amd64  Embedded GNU C Library: Binaries
--8<---------------cut here---------------end--------------->8---
docker-stud/Dockerfile says "FROM ubuntu". Has it not been rebuilt, I
wonder?
I suppose we should add "apt-get upgrade -y -q" to
docker-stud/Dockerfile. Or do FROM on a base system of our own that we
keep updated?
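Why a rebuild of a "FROM ubuntu" image can still come out with libc-bin 2.19-0ubuntu6.6, and the build flags that avoid it, as an added example for this thread (not docker-stud's actual Dockerfile or build script): docker build resolves "FROM ubuntu" against the local copy of ubuntu:latest unless it is told to --pull a fresh one, and it serves an unchanged "RUN apt-get ..." layer from the build cache unless --no-cache is given. The lint function flags the two Dockerfile smells from the question, an unpinned FROM and no upgrade step; the source directory, image tag and target version are assumptions.

```shell
#!/bin/sh
# Rebuild a Dockerfile-based image so it really picks up the current base
# image and current packages, then check the libc version in the result.
# Added example for this thread; docker-stud is only assumed to look like this.
set -eu

SRC=${SRC:-docker-stud}                  # directory holding the Dockerfile
TAG=${TAG:-docker.sunet.se/stud:stable}  # assumed image tag
WANT=${WANT:-2.19-0ubuntu6.7}            # assumed: first version with the fix

# lint_dockerfile PATH: print findings, exit 1 if there are any.
#  - "FROM ubuntu" with no :tag or @digest tracks whatever "latest" was last
#    pulled on this build host, so the base silently goes stale;
#  - without an apt-get upgrade step the image ships the base's packages
#    exactly as they were when that base was pulled.
lint_dockerfile() {
    rc=0
    if grep -Eiq '^[[:space:]]*FROM[[:space:]]+[^:@[:space:]]+[[:space:]]*$' "$1"; then
        echo "$1: FROM line has no tag or digest; pin it (e.g. ubuntu:14.04)"
        rc=1
    fi
    if ! grep -Eiq 'apt-get[[:space:]]+(-[^[:space:]]+[[:space:]]+)*(dist-)?upgrade' "$1"; then
        echo "$1: no apt-get upgrade step; base image packages are used as-is"
        rc=1
    fi
    return $rc
}

# Rebuild from a freshly pulled base with no cached layers, then read the
# libc-bin version out of the new image with a throwaway container.
rebuild_and_check() {
    lint_dockerfile "$SRC/Dockerfile" ||
        echo "fix the findings above, or the next rebuild drifts again" >&2
    docker build --pull --no-cache -t "$TAG" "$SRC"
    got=$(docker run --rm "$TAG" dpkg-query -W -f='${Version}' libc-bin)
    # compare inside the image: it is Ubuntu and has dpkg, the build host need not
    if docker run --rm "$TAG" dpkg --compare-versions "$got" ge "$WANT"; then
        echo "$TAG: libc-bin $got (>= $WANT)"
    else
        echo "$TAG: libc-bin $got is still older than $WANT" >&2
        return 1
    fi
}

# Only build when run as a script named rebuild-stud.sh; sourcing the file
# just defines the functions.
case "$0" in *rebuild-stud.sh) rebuild_and_check ;; esac
```

Pinning FROM to ubuntu:14.04 (the release that ships glibc 2.19) fixes the "which base am I on" question but not staleness: the tag is still re-pointed at new builds by upstream, so the RUN apt-get update && apt-get upgrade -y -q line and --pull are what actually bring in 6.7 today, and a private, regularly rebuilt base image is the way to make that happen once rather than in every Dockerfile.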
Hi,
Hanno Böck has built [0] a Gentoo system with AddressSanitizer (ASan)
[1] enabled, a compiler (gcc and clang) feature which helps detect
common memory bugs we all make in the C programming language.
[0] https://blog.hboeck.de/archives/879-Safer-use-of-C-code-running-Gentoo-with…
[1] https://github.com/google/sanitizers/wiki/AddressSanitizer
SUNET/NORDUnet should be interested in this for two reasons:
- interesting way of finding bugs, especially together with fuzzing
- hardened Linux builds should be investigated for running our own
services