Page MenuHomePhabricator
Create Task
Maniphest T103095

Confine Graphoid with firejail
Closed, ResolvedPublic
Actions

Description

The Graphoid instances running in production should be locked down as much as possible to avoid possible security issues caused by various penetration techniques. To that end, it should be firejail-ed.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -1Enable firejail for graphoid
Customize query in gerrit

Related Objects
Search...

Event Timeline

mobrovac created this task.Jun 19 2015, 1:40 PM
mobrovac assigned this task to MoritzMuehlenhoff.
mobrovac raised the priority of this task from to High.
mobrovac updated the task description. (Show Details)
mobrovac added projects: acl*sre-team, Services, Graphoid.
mobrovac added subscribers: mobrovac, akosiaris, Yurik.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 19 2015, 1:40 PM
mobrovac added a parent task: T101870: Service containment for nodejs-based services with firejail.Jun 19 2015, 1:41 PM
mobrovac added a comment.Jun 22 2015, 9:46 AM

@Yurik, could you provide a Graphoid URL that should return a valid PNG in deployment-prep so we can test?

gerritbot added a subscriber: gerritbot.Jun 22 2015, 10:11 AM

Change 219801 had a related patch set uploaded (by Muehlenhoff):
Enable firejail for graphoid

https://gerrit.wikimedia.org/r/219801

gerritbot added a project: Patch-For-Review.Jun 22 2015, 10:11 AM
Yurik added a comment.Jun 22 2015, 11:57 AM

You can use this link to find graphs available on a wiki.

Try this one:
http://en.wikipedia.beta.wmflabs.org/api/rest_v1/page/graph/png/Wikipedia%3AEdit_filter%2FFalse_positives/220336/503f9a644803897675cf01969ce49644e3eae03a.png

mobrovac added a subtask: T103299: Graphoid tests fail.Jul 16 2015, 11:45 AM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 16 2015, 11:45 AM
Yurik closed subtask T103299: Graphoid tests fail as Resolved.Jul 16 2015, 11:49 PM
gerritbot added a comment.Jul 22 2015, 8:42 AM

Change 219801 merged by Muehlenhoff:
Enable firejail for graphoid

https://gerrit.wikimedia.org/r/219801

Muehlenhoff mentioned this in rOPUPf6d32e746b97: Enable firejail for graphoid.Jul 22 2015, 8:42 AM
MoritzMuehlenhoff closed this task as Resolved.Jul 22 2015, 9:04 AM

Firejail for Graphoid has been enabled in production on sca100[12].

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL