Page MenuHomePhabricator
Create Task
Maniphest T213363

Fix or clarify Proton Puppeteer sandboxing and SSL settings
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

Per T177765#4867361:

  • Puppeteer should preferably use the built-in sandbox (ie. do not set --no-sandbox, -disable-setuid-sandbox options). If that's not possible, the reasons should be documented. If it's not possible and other sandboxing is possible (e.g. firejail), we should look into that.
  • Puppeteer should properly verify SSL certs; the ignoreHTTPSErrors probably disables that (if not, a reassuring comment would be good). If that's not possible, the reasons should be documented.

Acceptance criteria

  • Document the use of --ignoreHTTPSErrors flag
  • Document the use of --no-sandbox flag and the firejail sandboxing in the project page or wikitech docs

Related Objects
Search...

Event Timeline

Tgr created this task.Jan 10 2019, 1:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 10 2019, 1:19 AM
Tgr mentioned this in T177765: Security review of mediawiki-services-chromium-render.Jan 10 2019, 1:21 AM
Legoktm subscribed.Jan 10 2019, 1:32 AM

Is this running in a container? In CI we have to set --no-sandbox because Chromium's sandbox doesn't work inside docker containers.

Tgr mentioned this in T210652: Handoff Proton service to Reading Infrastructure.Jan 10 2019, 3:49 AM
phuedx added subscribers: pmiazga, Pchelolo, phuedx.Jan 10 2019, 12:04 PM

AIUI the service runner running Proton is firejailed. Is that correct @pmiazga, @Pchelolo?

Pchelolo added a comment.Jan 10 2019, 3:21 PM
In T213363#4869156, @phuedx wrote:

AIUI the service runner running Proton is firejailed. Is that correct @pmiazga, @Pchelolo?

That is correct @phuedx

pmiazga added a comment.Jan 10 2019, 3:23 PM

I think I know why we have ignoreHTTPSErrors and it shouldn't be necessary anymore. I'll check all params and I'll get back to you.
@Legoktm - the service itself doesn't run in a docker container, but the build process is run via docker, that may be the issue.

Jhernandez added a parent task: T210652: Handoff Proton service to Reading Infrastructure.Jan 10 2019, 4:46 PM
Jhernandez added a parent task: T181084: [EPIC] Deploy the mediawiki-services-chromium-render service (Proton).
Tgr added a comment.Jan 11 2019, 12:13 AM

Sandboxing in Chromium is confusing. The SUID sandbox is apparently on its way out (although this other place lists it as maintianed)? The sandbox disabled with --no-sandbox seems Windows only? But there is also the namespace sandbox which is the successor of SUID sandbox, but has no disable switch? And the [[https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md#the-sandbox-1|Seccomp-BPF]] sandbox, which does not have an off switch either.

No idea where that leaves us.

Mholloway subscribed.Jan 11 2019, 6:15 PM
Jhernandez triaged this task as High priority.Jan 15 2019, 11:35 AM
Jhernandez added a project: Web-Team-Backlog.
Jhernandez subscribed.

So, for this one, lets:

  • Remove the ignoreHTTPSErrors flag
  • Document the use of --no-sandbox flag and the firejail sandboxing in the project page or wikitech docs
Jhernandez moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Jan 15 2019, 11:35 AM
Jdlrobson moved this task from Incoming to Needs Prioritization on the Web-Team-Backlog board.Jan 15 2019, 3:54 PM
pmiazga moved this task from Needs Prioritization to Upcoming on the Web-Team-Backlog board.Jan 15 2019, 4:50 PM
pmiazga updated the task description. (Show Details)Jan 15 2019, 5:42 PM
ovasileva set the point value for this task to 3.Jan 15 2019, 5:45 PM
ovasileva edited projects, added Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q3); removed Web-Team-Backlog.
pmiazga moved this task from To Do to Doing on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q3) board.Jan 17 2019, 8:04 PM
phuedx assigned this task to pmiazga.Jan 22 2019, 6:12 PM
pmiazga updated the task description. (Show Details)Jan 23 2019, 1:55 PM
pmiazga updated the task description. (Show Details)
pmiazga added a comment.Jan 23 2019, 1:57 PM

We cannot remove the --ignoreHTTPSErrors flag. It was added to the config https://github.com/wikimedia/mediawiki-services-chromium-render-deploy/commit/17fc7bb4cda2e1b408d6289c27685624d35e8714 because:

We use a self-signed certificate for our domains (since the CA is our Puppet). However, that results in Chromium HTTPS errors. Given that Proton cannot communicate with the outside world, it is safe to use the ignoreHTTPSErrors configuration flag since requesting HTML from our appservers is all the service does.

Instead of removing the IgnoreHTTPSErrors flag, I'll document why it is used.

pmiazga added a comment.EditedJan 23 2019, 2:17 PM

Done: https://wikitech.wikimedia.org/wiki/Proton#Puppeteer_configuration

@Tgr @Jhernandez please check the puppeteer config documentation and let me know if it meets your expectations.

pmiazga reassigned this task from pmiazga to Jhernandez.Jan 23 2019, 2:19 PM
pmiazga moved this task from Doing to Ready for Signoff on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q3) board.
Jhernandez removed Jhernandez as the assignee of this task.Jan 23 2019, 5:12 PM
Jhernandez edited projects, added Product-Infrastructure-Team-Backlog-Deprecated (Kanban); removed Product-Infrastructure-Team-Backlog-Deprecated.
In T213363#4902294, @pmiazga wrote:

... https://wikitech.wikimedia.org/wiki/Proton#Puppeteer_configuration

... please check the puppeteer config documentation and let me know if it meets your expectations.

Moving to our kanban for proof-reading by the devs. Please have a look and provide feedback.

Jhernandez moved this task from To Do to Code Review on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.Jan 23 2019, 5:12 PM
Tgr added a comment.Jan 23 2019, 5:18 PM
In T213363#4902258, @pmiazga wrote:

We use a self-signed certificate for our domains (since the CA is our Puppet).

Which sites are those? Public Wikimedia sites use certificates signed by GlobalSign. Beta uses LetsEncrypt certificates which are technically also not self-signed.

pmiazga moved this task from Ready for Signoff to Blocked on Others on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q3) board.Jan 23 2019, 5:22 PM
Tgr added a comment.Jan 23 2019, 5:22 PM

(Also if we use self-signed certificates somewhere we could just import those to the cert store of the Chromium instance. Although if Proton will connect to the websites internally, maybe not worth the effort as HTTPS encryption does not play much of a security role anyway. Is that the case for Proton instances in the passive DC, though?)

pmiazga added a subscriber: mobrovac.Jan 23 2019, 5:31 PM

@Tgr - Public Wikimedia sites and Beta certs are set for public domains. Proton render used to access Wikipedia servers using internal network names (as it was inside internal network). The internal servers use the CA generated by Puppet.
Switching between HTTP/HTTPS modes is available via config (the config file has the URL template used to build the article URL).

I checked, and it looks like it's difficult (most probably not possible). Puppeteer doesn't allow to modify browser certificates - if it did - it would be a big security loophole.

@mobrovac can provide more details on this problem.

Tgr added a comment.Jan 23 2019, 7:13 PM

I see. Is there a point in using internal domain names, though? All the resources linked in the page (including some dynamic ones like ResourceLoader URLs) will use the public ones anyway.

(In theory you can programmatically manage certificates through the NSS store. But yeah probably not worth spending a lot of time on.)

pmiazga added a comment.Feb 6 2019, 9:01 PM

I'll ping @mobrovac once again, as he decided to use internal domain names (previously we were using the public domains).

mobrovac added a comment.Feb 7 2019, 12:23 AM

We are currently using the projects' FQDNs in MW API requests becasue this was the only way to get the CSS we needed for the printable version (not sure why that is the case, but that's a problem for another day). So, for the time being, SSL certificates are being honoured by Chromium.

That said, we would like to use the internal domain as this is the standard way to contact the appservers in production.

Tgr closed this task as Resolved.Feb 7 2019, 2:32 AM
Tgr assigned this task to pmiazga.

I'd guess the CSS problem is because CSS (at least some of it) will be loaded from the public domain, whatever URL you use to fetch the page, and then you end up with different domains for the HTML page and the CSS stylesheet, and get in trouble with CSP or CORS or something similar that cares about same-origin restrictions. IMO just using the public URL is less trouble (and means you can also make use of Varnish, although given the URL structure used by Proton I'm not sure that would happen, and with PDF rendering times it probably won't make much difference either way).

That said I think the security impact is minimal here (worst case, an attacker can do a DNS poisoning attack and replace the page HTML, but they would probably have to poison the WMF's own DNS cache for that, and even if they pull it off, Proton should be able to handle malicious content safely) so we can close this task and figure out whether to use the internal hostnames (and consequently whether we need to disable SSL checks in the long run) later.

Jdlrobson moved this task from Blocked on Others to Ready for Signoff on the Web-Team-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q3) board.Feb 21 2019, 5:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits