Page MenuHomePhabricator
Create Task
Maniphest T252745

Sandbox/limit child processes within a container runtime
Closed, ResolvedPublic
Actions

Description

We have various cases where we want an application to check/parse/transform some form of untrusted binary input (be it an image, a video, a postscript/pdf, etc), and we just execute another binary to handle the actual transformation.

We want the application secrets not to be easily accessible from said binary, and traditionally limit execution with a combination of firejail profiles and (from MediaWiki) limit.sh.

It appears that firejail doesn't work well out of the box within docker (see https://github.com/netblue30/firejail/issues/2579), and limit.sh seems to rely on the ability to modify the global cgroup hierarchy, which I doubt works within any container runtime.

We need to find alternatives or this will block at least moving thumbor and MediaWiki to k8s.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJoeT252745 Sandbox/limit child processes within a container runtime
 ResolvedtstarlingT260330 RFC: PHP microservice for containerized shell execution
 ResolvedjeenaT261369 Deployment infrastructure for PHP microservices
 ResolvedjeenaT261783 Blubber composer/PHP support
 ResolvedLegoktmT270660 Set up PHP security scanning for Shellbox
 ResolvedLegoktmT263295 Setup Git repo and CI for shellbox
 ResolvedhasharT263313 Provide a job template for phan jobs for php libraries
 Resolved dduvallT270654 Cannot publish Shellbox image due to uppercase letter
 ResolvedLegoktmT270656 Shellbox PHPUnit coverage job is failing
 OpenNoneT263545 Decide on logging in k8s for ShellBox
 ResolvedBPirkleT263816 Provide direct access to a Guzzle HTTP client
 ResolvedtstarlingT267531 Shellbox Windows support
 ResolvedtstarlingT267532 Shellbox MediaWiki integration
 ResolvedtstarlingT267530 Shellbox command validation
 OpenNoneT268427 Make Shellbox actually do streaming
 OpenNoneT271179 Have Shellbox emit metrics
 ResolvedDaimonaT273965 Add taintedness data for new methods in Shellbox
 ResolvedLegoktmT281423 New Service Request Shellbox
 ResolvedJoeT271822 Add support for scraping php applications to the kubernetes prometheus scraper
 ResolvedJoeT283774 httpd-fcgi image is failing validation using its own test.sh
 ResolvedLegoktmT286384 Benchmark Shellbox
 OpenNoneT261277 Create a gateway in kubernetes for the execution of our "lambdas"
 ResolvedJoeT286196 Evaluate contour as an ingress
 ResolvedJoeT286197 Evaluate nginx-controller as an Ingress
 ResolvedJMeybohmT287007 Evaluate istio as an ingress for production usage
 ResolvedJMeybohmT290966 Implement POC for istio ingress
 ResolvedJMeybohmT290967 kube-apiserver need to reach webhooks running inside of the cluster
 ResolvedelukeyT299634 Create a partman config for kubernetes masters
 ResolvedJMeybohmT294560 Automate issuing of TLS certificates in kubernetes clusters
 ResolvedJMeybohmT295385 Provision TLS certificates for k8s services in istio-system namespace
 ResolvedJMeybohmT300740 Provide a convenient way to connect to services in kubernetes staging clusters
 DeclinedNoneT301137 Have PyBal monitor Istio-Ingressgateway health
 OpenjijikiT302717 Use ingress for linkrecommendation
ResolvedJMeybohmT303184 High API server request latencies (LIST)
ResolvedJMeybohmT305358 service::catalog entries and dnsdisc for Kubernetes services under Ingress

Event Timeline

Joe created this task.May 14 2020, 7:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2020, 7:56 AM
Marostegui triaged this task as Medium priority.May 18 2020, 12:41 PM
Marostegui moved this task from Backlog to Acknowledged on the SRE board.
MoritzMuehlenhoff subscribed.May 18 2020, 12:56 PM
Joe mentioned this in T258978: Service operations setup for Add a Link project.Jul 28 2020, 1:39 PM
jijiki moved this task from Incoming 🐫 to 🔦Unused2 on the serviceops board.Aug 17 2020, 11:45 PM
Lucas_Werkmeister_WMDE subscribed.Aug 18 2020, 10:36 AM
akosiaris subscribed.Sep 1 2020, 5:21 PM
Joe added a project: MW-on-K8s.Sep 14 2020, 5:28 AM
Krinkle closed subtask T260330: RFC: PHP microservice for containerized shell execution as Resolved.Dec 9 2020, 9:24 PM
tstarling reopened subtask T260330: RFC: PHP microservice for containerized shell execution as Open.Dec 10 2020, 4:29 AM
tstarling closed subtask T260330: RFC: PHP microservice for containerized shell execution as Resolved.Jul 21 2022, 2:48 AM
jijiki moved this task from 🔦Unused2 to 🙈🙉🙊Backlog on the serviceops board.Nov 7 2022, 9:49 PM
Joe closed this task as Resolved.Nov 8 2022, 5:22 PM
Joe claimed this task.

This task can be considered resolved given we've deployed shellbox.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL