vault-exfiltrate
tini
vault-exfiltrate | tini | |
---|---|---|
1 | 27 | |
68 | 9,485 | |
- | - | |
0.0 | 0.0 | |
11 months ago | 25 days ago | |
Go | C | |
Mozilla Public License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
vault-exfiltrate
-
Show HN: EnvKey 2.0 – End-To-End Encrypted Environments (now open source)
Vault attempts to protect against host compromise scenarios, but it's a very hard problem. Ultimately, in order to do anything useful, Vault deals with plaintext values in memory, and that means that yes, there are ways for an attacker to get access.
Here's a good example: https://github.com/slingamn/vault-exfiltrate
The Vault docs include a list of 'hardening' steps for secure production usage. These are great steps to take, but each one represents a mistake that could be made. And because the Vault process is trusted with plaintext secrets, the stakes are high. Making a mistake could lead to a compromise.
With EnvKey, the host server is never sent secrets in plaintext. For defense in depth, we also follow best practices for hardening our networks. But I think we've seen with Okta and other incidents that despite best intentions, best efforts, and strong engineering, trusting the host server whatsoever just isn't good enough anymore.
tini
- Anakin – Automatically Kill Orphans
-
Freenginx.org
yes busybox httpd or civetweb is even smaller, both around 300kb.
for tini you mean https://github.com/krallin/tini? how large is your final docker image, why not just alpine in that case which is musl+busybox
-
🚨Avoid this when running containerized applications in production
Tini, a useful process manager for containerized apps
-
Should You Be Scared of Unix Signals?
Ah gotcha. I believe it can be baked into images as well, per the entrypoint example in the readme: https://github.com/krallin/tini
Not sure how this will fare IRL in k8s as I haven’t much experience there. It’s still silly that this is the default behavior where you need something like Tini, but I digress.
-
The Tailscale Universal Docker Mod
To be fair, even for running a single process the pitfalls are real. I've been seeing Tini[1] a lot for these situations.
I just read in the README that Tini is included by Docker since 1.13 if using --init flag.
[1] https://github.com/krallin/tini
-
docker run --init flag doesn't seem to work on Mac
The default init process used is the first docker-init executable found in the system path of the Docker daemon process. This docker-init binary, included in the default installation, is backed by tini.
- ส่อง Dockerfile for Go
- Learning by doing: An HTTP API with Rust
-
Silver bullet: selfhostable personal knowledge management system
AFAIK It's for the init process to reparent zombie processes. See TINI
-
How to implement pods that gracefully shutdown
The second easiest (and most common when your entry point is a bash script) is to use a fake init tool like tini
What are some alternatives?
envkey - Simple, end-to-end encrypted configuration and secrets management
dumb-init - A minimal init system for Linux containers
systemd - The systemd System and Service Manager
inotify-tools - inotify-tools is a C library and a set of command-line programs providing a simple interface to inotify.
torsocks - Library to torify application - NOTE: upstream has been moved to https://gitweb.torproject.org/torsocks.git
s6 - The s6 supervision suite.
dualsensectl - Linux tool for controlling PS5 DualSense controller
docker-intro - This is the repo for my talk and blog post about Docker (practical example).
s6-overlay - s6 overlay for containers (includes execline, s6-linux-utils & a custom init)
multirun - A minimalist init process designed for Docker
cinit - Container sys init