Comments (10)
humblec
commented on July 19, 2024
1
Hi Marco,
The ssh is only used if you would like to use "geo replication" feature of
Gluster Containers. The other communication path is always with 'exec'. If
you dont want to use geo replication, you can turn it off. Please let me
know if you have any issues.
…--Humble
On Wed, Dec 14, 2016 at 10:03 PM, Marco Capuccini ***@***.***> wrote:
Hi. Why do you run SSH in GlusterFS containers? Maybe I am being naive,
but wouldn't it be better to use kubectl exec to run commands in the
containers? I am saying this because you run the DaemonSet with host
network and in privileged mode, and makes me feel questioning the security
of this provisioning strategy. In some OpenStack installation the firewall
can fail sometimes in applying the security groups, and if this happens it
would expose the SSH servers to the internet.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#76>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/AExSDrgTFVsWv7Lff5-4gViKW5iGZfNqks5rIBpygaJpZM4LNIgJ>
.
from gluster-kubernetes.
mcapuccini
commented on July 19, 2024
1
@humblec thanks for the quick reply. Is there any environment variable to turn SSH off, or should I run some command in each container of the daemonset?
from gluster-kubernetes.
joeblackwaslike
commented on July 19, 2024
1
I see this is a bit of an old ticket, but a client of mine just got hit with bandwidth overages of $900
I wasn't aware of the following:
- another copy of sshd was running and open to the internet on port 2222 for no reason
- that sshd_config allowed for passwords (really)
- that password was easy enough to be brute forced in a relatively quick manner by this botnet.
This was thankfully only a lab/dev cluster, and I'm not upset with any of you guys, more at the host for failing to mention anything about this, they surely knew about it.
So I had a node with an infected container containing a botnet called BillGates. And of course this is lovely because we know this container usually runs as a daemonset, in hostnetwork, privileged mode.
Is there anything I can help contribute to make this a more minimal image? Is SystemD really necessary in a container(is that a hard requirement for lvm or something)? And maybe ssh should not be on by default for kubernetes since it's not even necessary.
I saved alot of information and the binaries/exported container from the infection if anyone wants to review it but it's pretty simple it bruteforced the root password of the glusterfs container running sshd and setup shop in /etc/init.d. If you would like any of it, just let me know
from gluster-kubernetes.
humblec
commented on July 19, 2024
1
@joeblackwaslike @webwurst the password had already disabled in gluster container and the images were rebuilt some time back. May be they havent pulled the latest images.
from gluster-kubernetes.
jarrpa
commented on July 19, 2024
@mcapuccini Sorry this has sat silent so long. Did you manage to find a suitable solution?
from gluster-kubernetes.
mcapuccini
commented on July 19, 2024
@jarrpa I ended up making my own containers, but I'd be happy to switch to the official one if there is a way to turn of ssh when I start the container
from gluster-kubernetes.
jarrpa
commented on July 19, 2024
@mcapuccini I think building a different container would be the only reasonable way to do this. Thought just thinking off the top of my head: If there was a startup script that called init instead of calling init directly, we could detect an environment variable that would allow us to disable sshd... however, then the container is still telling Docker that it's listening on port 2222 (via EXPOSE) wouldn't it?
from gluster-kubernetes.
humblec
commented on July 19, 2024
@mcapuccini hopefully soon. We are revisiting gluster/gluster-containers#18
from gluster-kubernetes.
webwurst
commented on July 19, 2024
I heard of another case like this. But there the hoster took down the node after it got infected..
from gluster-kubernetes.
jarrpa
commented on July 19, 2024
While we have at least reached an update, the reoslution of this issue lies in https://github.com/gluster/gluster-containers . Closing this issue.
from gluster-kubernetes.
Related Issues (20)
- Error: Failed to allocate new volume: No space HOT 2
- Unable to access db HOT 1
- missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec HOT 1
- Unable to deploy on Ubuntu 18.04 -> pods not found. HOT 6
- Request to structure the README to include more projects
- 401 with latest heketi:dev image HOT 1
- probe failed
- glusterFS pod deploy failing
- PVC in pending status-no other error HOT 2
- Mount failed:E [glusterfsd.c:795:gf_remember_backup_volfile_server] 0-glusterfs: failed to set volfile server: File exists HOT 5
- Pod devices for topology get stuck, if pods are restarted.
- vagrant - failed to install glusterfs-client
- is this project still ALIVE? HOT 9
- Which gluster node are my pods/pvc talking to?
- Error waiting for job 'heketi-storage-copy-job' to complete HOT 4
- Kubernetes DaemonSet extensions/v1beta1 deprecated
- speed up deploying gluster
- heketi deployment has CrashLoopBackOff state, I am using ./gk-deploy script
- glusterfs on kubernetes stock on Error waiting for job 'heketi-storage-copy-job' to complete. stage
- About GlusterFs containers support geographic replication
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gluster-kubernetes.