Page MenuHomePhabricator
Create Task
Maniphest T212941

Investigate systemd hardening to replace Firejail for Thumbor
Closed, InvalidPublic
Actions

Description

Currently we are running Thumbor under Firejail. Since we will be upgrading Thumbor servers to buster, we could investigate if we can get the same protection by enabling systemd hardening options.

In addition it makes sense to investigate if we additionally can wrap invocations to external converters like GhostScript in Firejail (with a profile similar to Mediawiki, i.e. restricting network use to a network namespace bound to localhost).

Mentioned in https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/481139/

Update: Looks like it works alright, if we are to use it in prod, we need a condition to use systemd hardening only in stretch

Details

SubjectRepoBranchLines +/-
Switch Thumbor hardening from Firejail to native systemd features (WIP)operations/puppetproduction+8 -3
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedhnowlanT216815 Upgrade Thumbor to Buster
InvalidNoneT212941 Investigate systemd hardening to replace Firejail for Thumbor
· · ·

Event Timeline

jijiki triaged this task as Medium priority.Jan 4 2019, 3:06 PM
jijiki created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2019, 3:06 PM
MoritzMuehlenhoff subscribed.Jan 4 2019, 3:36 PM
gerritbot subscribed.Jan 4 2019, 3:51 PM

Change 482309 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Switch Thumbor hardening from Firejail to native systemd features (WIP)

https://gerrit.wikimedia.org/r/482309

gerritbot added a project: Patch-For-Review.Jan 4 2019, 3:51 PM
jijiki mentioned this in T212946: Stream Thumbor logs to logstash.Jan 8 2019, 10:46 AM
jijiki added a parent task: T170817: Upgrade Thumbor servers to Stretch.Jan 8 2019, 11:17 AM
jijiki mentioned this in T170817: Upgrade Thumbor servers to Stretch.
jijiki moved this task from Incoming 🐫 to Doing 😎 on the serviceops board.Jan 9 2019, 1:40 PM
jijiki moved this task from Incoming🐅 to In Progress 🏋️‍♀️ on the User-jijiki board.Jan 9 2019, 3:16 PM
jijiki updated the task description. (Show Details)Jan 11 2019, 7:46 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 10:59 PM
jijiki moved this task from Doing 😎 to Incoming 🐫 on the serviceops board.Feb 6 2019, 12:11 PM
jijiki moved this task from In Progress 🏋️‍♀️ to St on the User-jijiki board.Feb 8 2019, 8:27 AM
jijiki mentioned this in T216815: Upgrade Thumbor to Buster.Feb 26 2019, 12:22 PM
jijiki edited parent tasks, added: T216815: Upgrade Thumbor to Buster; removed: T170817: Upgrade Thumbor servers to Stretch.
gerritbot added a comment.May 9 2019, 3:42 PM

Change 482309 had a related patch set uploaded (by Jbond; owner: Muehlenhoff):
[operations/puppet@production] Switch Thumbor hardening from Firejail to native systemd features (WIP)

https://gerrit.wikimedia.org/r/482309

jijiki lowered the priority of this task from Medium to Low.Jun 21 2019, 12:04 PM
jijiki raised the priority of this task from Low to Medium.
jijiki lowered the priority of this task from Medium to Low.Jun 21 2019, 12:07 PM
jijiki moved this task from Incoming 🐫 to cross-team active on the serviceops board.Aug 17 2020, 11:48 PM
jijiki moved this task from St to Thumbor on the User-jijiki board.Sep 8 2020, 10:22 AM
Ladsgroup updated the task description. (Show Details)Oct 8 2020, 7:23 PM
JoKalliauer subscribed.Oct 15 2020, 7:13 AM
gerritbot added a comment.Nov 10 2020, 10:15 AM

Change 482309 abandoned by Muehlenhoff:
[operations/puppet@production] Switch Thumbor hardening from Firejail to native systemd features (WIP)

Reason:
old PoC

https://gerrit.wikimedia.org/r/482309

JoKalliauer awarded a token.May 22 2021, 6:13 PM
gmodena subscribed.Mar 17 2022, 2:03 PM
jijiki moved this task from cross-team active to 🍦IceBox on the serviceops board.Sep 28 2022, 3:37 PM
jijiki closed this task as Invalid.Oct 3 2022, 11:30 AM

Thumbor is being migrated to k8s, making this task invalid :)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits