dumb-init
vault-exfiltrate
dumb-init | vault-exfiltrate | |
---|---|---|
10 | 1 | |
6,700 | 68 | |
0.5% | - | |
0.0 | 0.0 | |
25 days ago | 11 months ago | |
Python | Go | |
MIT License | Mozilla Public License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
dumb-init
-
Fargate: catching docker stopping
I think you are on the right track in thinking it’s a signal handling issue. You mentioned using some “bash scripts”, have you tried something like dumb-init?
-
"systemd doesn't follow Unix philosophy "
At the other extreme, there's dumb-init - it implements the special pid-1 behaviors and acts as a wrapper around the one script you want to run. It's ideal for containers or virtual machines that don't need user logins or more than one service.
-
What should readiness & liveness probe actually check for?
Oh, and another thing. Many containers launch their main process from a shell script. When this happens, the shell script receives the SIGTERM event, not the application. Your shell script MUST relay SIGTERM events back to the main process, and it doesn’t happen by default. You can use a shell script wrapper, like dumb-init (https://github.com/yelp/dumb-init), as your entry point if you need to use a shell script on container startup.
-
Distro balls
It's a plus because Gentoo fully supports the choice of Systemd or OpenRC. It also has minit, dumb-init, sysvinit, cinit in tree for the more adventurous. No one was calling the AUR bloat, the parent comment just mentions that Gentoo has an equivalent project, GURU.
- How to make containers handle the SIGTERM signal which makes K8s terminate application gracefully?
- Show HN: EnvKey 2.0 – End-To-End Encrypted Environments (now open source)
-
`COPY –chmod` reduced the size of my container image by 35%
, but I prefer to not have to make this assumption and use an init system instead.
[1]: https://github.com/Yelp/dumb-init
-
Systemd by Example
> It has no init system.
Apologies that I can't link directly to the "--init" flag but docker actually does have an init, it's just (err, was?) compiled into the binary: https://docs.docker.com/engine/reference/commandline/run/#op...
My recollection is that it either adopted, or inspired, https://github.com/Yelp/dumb-init#readme which folks used to put into their Dockerfile as the init system back in the day
Folks (ahem, I'm looking at you, eks-anywhere[0]) who bundle systemd into a docker container are gravely misguided, and the ones which do so for the ability to launch sshd alongside the actual container's main process are truly, truly lost
0: https://github.com/aws/eks-anywhere/issues/838#issuecomment-...
-
Question: How to handle events to safely terminate a Node.js inside Docker container
You can use something like dumb-init which is designed to correctly handle signals
- Docker e Nodejs - Dockerizando sua aplicação com boas praticas
vault-exfiltrate
-
Show HN: EnvKey 2.0 – End-To-End Encrypted Environments (now open source)
Vault attempts to protect against host compromise scenarios, but it's a very hard problem. Ultimately, in order to do anything useful, Vault deals with plaintext values in memory, and that means that yes, there are ways for an attacker to get access.
Here's a good example: https://github.com/slingamn/vault-exfiltrate
The Vault docs include a list of 'hardening' steps for secure production usage. These are great steps to take, but each one represents a mistake that could be made. And because the Vault process is trusted with plaintext secrets, the stakes are high. Making a mistake could lead to a compromise.
With EnvKey, the host server is never sent secrets in plaintext. For defense in depth, we also follow best practices for hardening our networks. But I think we've seen with Okta and other incidents that despite best intentions, best efforts, and strong engineering, trusting the host server whatsoever just isn't good enough anymore.
What are some alternatives?
tini - A tiny but valid `init` for containers
envkey - Simple, end-to-end encrypted configuration and secrets management
docker-centos7-systemd-unpriv - Dockerfile for CentOS7 with Systemd in unprivileged mode
eks-anywhere - Run Amazon EKS on your own infrastructure 🚀
systemd - The systemd System and Service Manager
compiling-containers
ko - Build and deploy Go applications
flare - Debug how containers react to signals
ouroboros - Automatically update running docker containers with newest available image
Lean and Mean Docker containers - Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
dive - A tool for exploring each layer in a docker image