Decode cloud instance start-up data

TL;DR; I created a small tool which can be used to gather the user data of all instances and decode them including support for cloud-init format. https://github.com/reaandrew/cloud-startup-data-decoder Longer version If you’re deploying cloud resources, chances are you’ve encountered the need to pass in some form of user data or startup scripts. Whether it’s AWS, Azure, or GCP, they all offer a way to inject data into virtual machines upon startup.

October 23, 2023

Protecting from a real redis vulnerability using read-only, distroless and security profiles with containers

TL;DR; An example of how to protect from a real vulnerability using a combination of read-only, distroless and a security profile in docker. The security profile alone would have worked but following defense in depth, it is good practice to apply all three. Longer version The driver behind this blog post is two fold. The first is that currently I am spending a lot of time (and enjoying it) exploring the different methods available to lock down and secure linux instances and containers.

May 9, 2022

Limiting Docker Resources

TL;DR; I use locust to load test two different configurations of these containers to show the effect of customizing and constraining the resources used by the containers. This is recommended good practise for security as this can help to prevent denial of service on the host machine if the containers are overrun. Longer version The best way to avoid DoS attacks is by limiting resources. You can limit memory, CPU, maximum number of restarts (–restart=on-failure:<number_of_restarts>), maximum number of file descriptors (–ulimit nofile=) and maximum number of processes (–ulimit nproc=).

April 7, 2022

Disable inter-container communication

TL;DR; Here I learn how the --link arg is now legacy and that icc=false is a recommended security practice as it disables communications on the default bridge network. To allow containers to communicate with icc=false you need to use custom networks. Longer version Disabling inter-container communication (icc) forces any containers to have explicit links with those it needs to communicate with. This is a setting on the docker daemon itself and the setting can be applied in the systemd configuration.

April 1, 2022

Distroless NGINX with a readonly filesystem

TL;DR; Following on from my previous post where I created a distroless NGINX container, this post adds on to that ands make the file system readonly using the docker --read-only flag. https://github.com/reaandrew/nginx-security Longer version Finding out which directories need to be writeable Making the filesystem readonly in Docker still requires you to be explicit about which directories you are allowing to be writeable (depending on the application requirements) i.e. Make everything readonly EXCEPT for these directories.

March 22, 2022

Distroless NGINX

TL;DR; I created a basic version of a distroless NGINX container https://github.com/reaandrew/nginx-security It has less then 10 running processes and is less than 30MB in size. It is based on nginxinc/nginx-unprivileged and gcr.io/distroless/base-debian10:nonroot. Longer version Distroless Container Images I wanted to understand how I could reduce a few things with docker containers including image size, running processes, libraries, tools etc… with the goal of having only what is required to run a given application.

March 21, 2022

Show which directories have uncommitted changes in git

Similar to my last post, when working with many different git repositories in a single directory, I want to quickly see which of the directories have changes which I have not yet comitted. Another small script I made does this and I find it very useful. First step is to create the alias. I have called it dchanges as in distributed changes command. git config --global alias.dchanges '!bash ~/scripts/git/gitdchanges.sh' Next make sure the directory exists.

March 17, 2022

Git log over multiple local repos

I find my self at work executing a for loop in bash in order to get some information out of multiple git repos in one hit. This time I thought it would be useful to create a small script (the thing I keep executing) and to invoke it from a git alias. First step is to create the alias. I have called it dlog as in distributed log command. git config --global alias.

March 16, 2022

How to fix chmod -x /usr/bin/chmod

I was asked this question years ago (and didnt know the answer then) and just recently I found a question and answer on Stackoverflow which basically solved this using python so I thought it would be fun to draw it out a little further. Once you have executed chmod -x /usr/bin/chmod (or in other words you have removed executable permissions from a common tool that is used to change the permissions of files including execution) you will no longer be able to use it to make things executable including chmod.

October 5, 2021

Local PGSQL Docker Utility

This is a small set of bash scripts to make it really simple to start, stop, connect and load scripts into a local postgres database. This uses docker, it sets up trust with the host so it can connect using the psql client. It also sets up a local volume in the directory which you launch the utility from which allows the container instances themselves to be transient but still giving you control to destroy the state when required.

June 17, 2020

Enumerating Github Repositories in Bash

I needed to get a list of all the repositories for a specific Github Organisation. Github limits the page size which you have use which ruled out a single call with a large value. I was also writing this routine in bash and less is more as they say. My approach was very simplistic in that it simply tried an incrementing value for next page and if the response was empty then the end of the list had been reached.

August 19, 2019