Traefik v1.3.1
Docker CE for Windows: 17.06.0-ce-win18 (12627)
I have the /acme folder routed to a host volume which contains the file acme.json. With the Traefik 1.3.1 update, I noticed that Traefik gets stuck in an infinite loop complaining that the "permissions 755 for /etc/traefik/acme/acme.json are too open, please use 600". The only solution I've found is to remove acme.json and let Traefik re-negotiate the certs. Unfortunately, if I need to restart the container, I have to remove acme.json again or I'm stuck with the same issue again!
My guess is that the issue lies with the Windows volume mapped to Docker but I was wondering what the recommended workaround would even be for this?
Can I change permissions on shared volumes for container-specific deployment requirements?
No, at this point, Docker for Windows does not enable you to control (chmod) the Unix-style permissions on shared volumes for deployed containers, but rather sets permissions to a default value of 0755 (read, write, execute permissions for user, read and execute for group) which is not configurable.
Traefik is not compatible with regular Windows due to the POSIX permissions check. It may work in the Windows Subsystem for Linux since that has a Unix-style permission system.
Stumbled across this issue when trying to get traefik running on Docker for Windows... ended up getting it working by adding a few lines to a dockerfile to create the acme.json and set permissions. I then built the image and despite throwing the "Docker image from Windows against a non-Windows Docker host security warning" when I checked permissions on the acme.json file it worked!
[
I setup a repo and have it auto building to the dockerhub here for further testing.
https://hub.docker.com/r/guerillamos/traefik/
https://github.com/guerillamos/traefikwin/blob/master/Dockerfile
Once I got that built I switched the image out in my docker-compose file and my DNS challenge to Cloudflare worked like a charm according to the logs.
I hope this helps someone!
I wish to run some untrusted code using chroot.
However, many claim that chroot is not a security feature and can easily be broken out of.
Therefore my question is how does apps like https://ideone.com/ manage to run untrusted code quickly and securely. Also if chroot can be broken out of, couldn't it be possible to break out of chroot in https://ideone.com/ .
I'm not sure what untrusted code you're referring to, but chroot just changes the apparent file structure -- theoretically you can't see above a certain level. But symbolic links can still work so if your chrooted directory has a symlink to a directory above, chroot doesn't do you any good.
It's also possible for applications can get access to resources through other applications. Some clever hackers know how to exploit running apps, but if you set up the ideone environment as root, well, anything is possible.
More theoretically, you could install a master application that has full access to the file system. Then you run code in a chrooted environment. If that master app is running and listening it can relay resources to your chrooted application.
Quickly? Sure... Securely... well... with my example the master app is a gatekeeper but it's still security through trust of the master app.
Up until now I have been using ZF2 on a CENTOS environment with cpanel. I recently decided to move to Ubuntu and so far it has been really simple to setup a server.
I am however having a small permission problem which I am struggling to resolve.
I am using AssetManage which needs to be able to write images and files to the public folder.
Unfortunately, I cant seem to get the correct permissions to get this to work.
I have gone as far as setting 777 permissions to the public folder which makes no difference.
I have also changed the owner of public to: www-data which is the user that apache is using, and this does not help either.
What is likely the problem is the user/group I am using to load files to the server conflicting with the www-data user needing to perform various tasks on the server.
Is there a standard setup I should be looking at in terms of this?
SETUP:
Ubuntu: 14.4
ZF2
I have found some great tutorials to setup an Ubuntu environment. Here they are:
Basic installation
Enhanced installation
LAMP stack
All working perfectly now!
I've recently been tasked with moving a client out of a shared hosting environment into an AWS environment where all the infrastructure was hosted and supplied by Amazon. The client is running multiple (dated) Drupal instances, but luckily I've been able to move the environment over and have it function, except for the errors below.
I've discovered that Drupal is generating errors throughout their environment(s) on the AWS instance, but not on the shared hosting instance, despite using the same except code base/database.
Permission Error(s): http://i.imgur.com/cRQOo4W.jpg
Timezone Error(s): http://i.imgur.com/VFgWZKE.jpg
Personally, I'm not a big Drupal guy and I've researched the file permissions on the root directories (https://www.drupal.org/node/244924), but I honestly do not want to go around changing things without fully knowing the effect of a change.
If anyone can provide insight to the root of these errors and how I can potential resolve them, I would greatly appreciate it.
P.S. - Most of the environments in question are running on Drupal 6.33 (not 100% sure), but they do have one environment running on Drupal 7.23 (again, not 100% sure).
Make sure the web server's user/group owns the Drupal files, not root. Then follow the file permission instructions in INSTALL.txt.
Select a timezone in the Regional Settings of your Drupal site on AWS. If that doesn't do it, set the date.timezone in the php.ini file there.
I am developing a project and that requires ldap validation. But, I don't have a developer/qa ldap server.
Does a small ldap server exist for windows for testing/development?.
I just want to test to validate a active account and detect if it is blocked or not, so i don't want to install a whole domain to do that.
---never mind---
I tried an compiled openldap but I was unable to understand it. Simply, I don't get how to connect to it, how to create a account and how to validate, the client ldap returned me some obfuscate error message, i tried several ways to do it and finally i give up.
Finally, i installed a domain, it was absurdly easy to install (2008 r2), restart the server and that's it.
Anyways, thanks for the advice of opendlap and aldps
If you're on Windows and use Active Directory, have a look at Active Directory Lightweight Directory Services (AD LDS) - a LDAP server you can install and use on your dev machine.
The open source LDAP server from OpenLDAP should give you what you need:
http://www.openldap.org/
Apache provide a directory server called "ApacheDS"(Apache Directory Server), and it provides a GUI management client called "Apache Directory Studio" which is based on Eclipse.
If you want to have a test only, this studio provides a built-in server for your test, easy to link.
You can also install the studio directly in Eclipse using this update site: http://directory.apache.org/studio/update/2.x/
Active Directory works fine as an LDAP server and its included in the Windows Server 2008 trial. See the answer to my question Testing LDAP Connections to Active Directory Server. I have it running in a KVM virtual machine on Linux and query it from an OpenLDAP based client.
Necromancing.
I've had the same problem.
OpenDS is very easy to get up and running, and doesn't require administrator rights.
You just need to download the ZIP file and run the installer.
The installer can populate the directory with test entries, too - if you want to see some example data.
That's exactly what you're looking for when wanting a simple dev test server.
Note:
OpenDS development has seized, and was forked into OpenDJ, a commercial project by forgerock.
While OpenDS still works on Java7, only OpenDJ will work with Java8.
However, OpenDJ is still FREE and OpenSource.
You can find the sourcecode here on Bitbucket
and you can grab it with git:
git clone https://stash.forgerock.org/scm/opendj/opendj.git
Forget OpenLDAP and AD-LDS; these are way too complicated for simple testing.
In addition, their user interface is horrible, and you need something that you can get up and running FAST, without admin rights, and have it populated with test data in a few minutes, not in a few weeks.
And ApacheDS will require administrator privileges, unfortunately (because it only works as windows service, and you can't start/stop these without being administrator).
So OpenDJ is the definite way to go.
Apache Directory Studio is a good client to browse, edit and import/export data via LDAP (LDIF).
However, despite Apache Directory Studio being written in Java, it adds a dependency to gtk, and only has binaries for x86/x64, which means it won't work on a Chromebook with ARM processor, or on a RaspberrryPI.
But with the test entries added automagically in OpenDJ/OpenDS (if you choose the option), you don't even need that.
When in doubt, use a web based interface that "talks LDAP".
Try OpenDS it is very simple and requires only Java.
You could roll your own LDAP server for testing pretty easily using godap: https://github.com/bradleypeabody/godap
It's written in Go. It's very small and simple.
You would basically need to copy the server example out of godap_test.go and wire it up however you need.
Try simple-ldap-server
I know its pretty late to answer this question. But for the reference of someone who runs into the same question.
I wrote a simple ldap server(using ldapjs on nodejs) for authentication testing purposes. Please feel free to use it. It's easy to configure. Can support both LDAP/LDAPS protocols, just require a json file including the user ids you want to add(or it comes with a pre-included users json file, which you can use if you want).
The project is on github. (I'll add a docker image too)
Feel free to visit and use
Docker image
Simple Ldap Server Git
OpenLDAP. Ships with most Unixes and Linuxes. For Windows it is available from several sources:
Cygwin
http://www.userbooster.de
as the Silver (free) edition of the CDS product http://www.symas.com/cds.shtml. This is crippled compared to the Userbooster version, which is complete.
You can use a Docker container with Samba as Domain controller, here I show how to setup one in just a few minutes
Basically you need to
Create an image with this (read the post if you want to know why)
$ git clone https://github.com/padiazg/alpine-samba-ad-container.git
$ cd alpine-samba-ad-container
# replace your-user with your username
$ docker build -t your-user/alpine-samba-ad-container .
Create some folders and files to persist the container data
mkdir /tmp/krb-conf
&& mkdir /tmp/krb-data
&& mkdir /tmp/smb-conf
&& modir /tmp/smb-data
&& touch /tmp/krb-conf/krb5.conf
Run the container
docker run -d \
-e SAMBA_ADMIN_PASSWORD=a-secure-password \
-e SAMBA_DOMAIN=local \
-e SAMBA_REALM=local.your-domain.io \
-e LDAP_ALLOW_INSECURE=true \
--mount type=bind,source=/tmp/krb-conf/krb5.conf,target=/etc/krb5.conf \
--mount type=bind,source=/tmp/krb-data,target=/var/lib/krb5kdc \
--mount type=bind,source=/tmp/smb-conf,target=/etc/samba \
--mount type=bind,source=/tmp/smb-data,target=/var/lib/samba \
-p 389:389 \
--name smb4ad \
your-user/alpine-samba-ad-container
And now you are good to go