apparmor – HOW to customize docker container profile to implement fine-grained network access control

1. materials

apparmor policy reference https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#AppArmor_globbing_syntax

2. my profile

#include <tunables/global>

profile docker-test flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  deny /data/** rwl,
  deny /usr/bin/top mrwklx,
  deny /usr/bin/hello mrwklx,

  deny network,
  file,
  capability,

  deny network inet tcp,
  deny network bind inet tcp src 192.168.1.1:80 dst 170.1.1.0:80,
}

3. my error

syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE

The error comes from the last line, which contains a specific ip_addr. I tested it on Ubuntu 18.04; my kernel version is 5.4.0-42-generic and the AppArmor version is 3.0.1, which I compiled from source.

PHP and Nginx on docker, curl get Connection refused in php container

I am working in a local environment with docker.
I have an nginx web container and a php container which are in the same network.

I build the php container from my own Dockerfile (with php-fpm and php-cli), and the nginx I compose in a docker-compose from the nginx:stable hub image.

I have 2 projects: a symfony (http://i-r4y.kaiza.lh/) and a drupal (http://i-z4r4.kaiza.lh/) which run in it, and the symfony exposes an API which has to be consumed by the drupal. The problem is that I get an error when I call the symfony from the drupal: cURL error 7: Failed to connect to i-r4y.kaiza.lh port 80: Connection refused

I thought it was a configuration issue on the symfony side API route, like it must be public or accept CORS etc …

But in the php container, when I curl either the symfony or the drupal URL, I get the same error.

app@kz-php74:/var/www$ curl http://i-r4y.kaiza.lh
curl: (7) Failed to connect to i-r4y.kaiza.lh port 80: Connection refused
app@kz-php74:/var/www$ curl http://i-z4r4.kaiza.lh
curl: (7) Failed to connect to i-z4r4.kaiza.lh port 80: Connection refused

I checked in the php container that the hosts are present in /etc/hosts

app@kz-php74:/var/www$ cat /etc/hosts | grep i-
127.0.0.1   i-r4y.kaiza.lh
127.0.0.1   i-z4r4.kaiza.lh

Here is the docker-compose.yml :

version: '2.4'

services:
  php7.4:
    build:
      context: ../../../dockerfile
      dockerfile: Dockerfile.php
      args:
        PHP_VERSION: 7.4
    container_name: "kz-php74"
    hostname: "kz-php74"
    user: 1000:1000
    working_dir: /var/www
    volumes:
      - "${LOCAL_PATH}/../www:/var/www"
    extra_hosts:
      - "i-r4y.kaiza.lh:127.0.0.1"
      - "i-z4r4.kaiza.lh:127.0.0.1"
    networks:
      - kz_local

  mysql:
    container_name: kz-mysql
    image: mariadb:10.4.0
    volumes:
      - ${LOCAL_PATH}/.data/mariadb:/var/lib/mysql
      - ${LOCAL_PATH}/config/mariadb/conf.d/custom.cnf:/etc/mysql/conf.d/custom.cnf
      - ${LOCAL_PATH}/../www:/var/www
    ports:
      - ${MYSQL_PORT:-3306}:3306
    environment:
      MYSQL_ROOT_PASSWORD: password
    networks:
      - kz_local

  web:
    image: nginx:stable
    container_name: kz-web
    volumes:
      - ${LOCAL_PATH}/config/nginx/conf.d:/etc/nginx/conf.d
      - ${LOCAL_PATH}/../www:/var/www
    ports:
      - 80:80
    networks:
      - kz_local

networks:
  kz_local:
    external: true

The nginx config of drupal:

server {
    listen 80;
    listen [::]:80;
    server_name i-z4r4.kaiza.lh;

    root /var/www/i-z4r4/web;

    resolver 127.0.0.11 ipv6=off;
    
    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # In Drupal 8, we must also match new paths where the '.php' appears in
    # the middle, such as update.php/selection. The rule we use is strict,
    # and only allows this pattern with the update.php front controller.
    # This allows legacy path aliases in the form of
    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
    # you do not have any paths like that, then you might prefer to use a
    # laxer rule, such as:
    #   location ~ .php(/|$) {
    # The laxer rule will continue to work if Drupal uses this new URL
    # pattern with front controllers other than update.php in a future
    # release.
    location ~ '\.php$|^/update.php' {
        set $fastcgi_pass "kz-php74:9000";

        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        # Security note: If you're running a version of PHP older than the
        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
        # See http://serverfault.com/q/627903/94922 for details.
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_pass $fastcgi_pass;
    }

  ...

}

For symfony:

server {
    listen 80;
    listen [::]:80;
    server_name i-r4y.kaiza.lh;

    root /var/www/i-r4y/public;

    resolver 127.0.0.11 ipv6=off;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        set $fastcgi_pass "kz-php74:9000";

        fastcgi_pass $fastcgi_pass;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }

    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }
...
}

Does anyone have any idea why this is not working?

thanks

upgrading – The “twig” service or alias has been removed or inlined when the container was compiled. Upgrade Drupal 8.9.13 to 9.0.11

I’m trying to upgrade Drupal 8.9.13 to 9.0.11 in my local setup (Windows & XAMPP). I have upgraded all the contributed modules which support Drupal 9. When I try to upgrade core, I get the error below.

The website encountered an unexpected error. Please try again later.
Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException: The “twig” service or alias has been removed or inlined when the container was compiled. You should either make it public, or stop using the container directly and use dependency injection instead. in Symfony\Component\DependencyInjection\Container->make() (line 275 of vendor\symfony\dependency-injection\Container.php).

After googling I found something similar, then tried to upgrade to 9.2 and faced the same issue.
https://www.drupal.org/project/drupal/issues/3161889

java – Should you use your own implementation of inversion of control instead of a dependency injection container?

Writing your custom implementation of dependency inversion is a great way to teach yourself the concepts. However, in a real world scenario, using a framework to take care of that for you will almost always be the better option. It’s almost, because as always, there are situations in which you will need to rely on your own implementation. E.g. when programming something for an embedded system which cannot accommodate the entire framework, due to the system’s HW restrictions.

There’s really nothing wrong with using Spring even for small projects, it being as popular as it is. It’s true that Spring is capable of a lot of stuff and it may seem like you’re bringing too much into the project right from the start. If that’s not your preference, you could grab a framework which deals solely with the IoC problem, e.g. Google’s Guice. However be advised, Spring, although heavy, prepares the ground for your project to seamlessly grow into something bigger, without you needing to change the underlying technology, as Spring has a lot to offer even for enterprise level applications.

aws – Sandboxing inside a docker container?

I realise on the face of it this may seem like a silly question. However, AWS released AWS Nitro which we’ve been playing around with quite a lot. Unlike hardware-based enclaves (Intel SGX, etc) which offer hardware partitioning, AWS Nitro is a sort of hardware/software hybrid approach towards a trusted execution environment. In essence, you push into the enclave a docker container and can verify the container that decrypts your data via a proxy to the KMS.

I am prototyping an idea I had around running a sandbox within the Nitro container to test untrusted code in an isolated environment on sensitive data. I have a fair amount of proprietary orchestration within the Nitro container, but in short, I would like to run a secure sandbox within the enclave.

Typically I know we would never run a sandbox within a docker container. However, given the setting, are there any open-source or commercial tools that might help me to achieve this? My fear is that I can install a tool within the container, but I have (at least) 3 layers of abstraction (the VM, the container, the sandbox); will this cause any issues other than performance?

Any advice warmly welcomed 🙂

How could I make my docker container connect to a proxy?

I am running docker 19.03 on Ubuntu 16.04. There is a V2ray client being built these days.

Now I have problems on how to make my container connect to that proxy. I have read some questions on StackOverflow like this or this. And I have also read official documents on this. Those help me a lot but not enough.
Now my questions are following:

  1. Those documents mention configuring the Docker client, like modifying the ~/.docker/config.json file. This is a once-and-for-all method, but it will affect the containers that are created after I modify the file and restart docker. I have some other containers running now and I want only this container to connect to the proxy, because the proxy is unstable and I don’t want it to affect the work of the other containers. So this scheme cannot be used.
  2. Those documents also mention that we can set environment variables to make a container connect to a proxy. For example, when using the docker run command, we can add --env HTTP_PROXY="http://localhost:1080/" to force the container to connect to the proxy. But there are only two examples, for the docker run command and for the Dockerfile. I used docker-compose to build my container. I have added an environment item to my docker-compose file, but it doesn’t work. So I have no idea how to do that when using docker-compose.

My docker-compose.yml file is the following:

version: '3.5'
services:
  openethereum:
    image: openethereum/openethereum
    container_name: openethereum
    volumes:
      - /mnt/pgdata/ETH:/home/openethereum/.local/share/io.parity.ethereum
    command: --tracing=off --warp-barrier=12088645
    environment:
      HTTP_PROXY: http://172.21.0.1:2080/
      HTTPS_PROXY: https://172.21.0.1:2080/

I use 172.21.0.1 as the IP address for my container to connect to the proxy because I know that the IP address of this container is 172.21.0.2 and my proxy is listening on all IP addresses. I’m not sure if this is the correct usage, and if there are any problems, thank you for pointing them out.

I installed proxychains on the computer and configured it. When I run the command proxychains curl www.google.com, I get a lot of HTML text. But after I go inside my container by running the command docker exec -it openethereum sh, I run the command curl www.google.com again. After that I waited for a long time, and finally it told me that the address could not be resolved.

Thank you very much for reading my question, and if you have any solutions, thank you for sharing them.

c++ – Is it possible to use a windows container running MSVC/CMake as a docker based devcontainer with vscode?

We have windows containers building C++/CMake targets in CI. Is it possible to connect to these containers with

https://code.visualstudio.com/docs/remote/remote-overview

Containers:
x86_64 / ARMv7l (AArch32) / ARMv8l (AArch64) Debian 9+, Ubuntu 16.04+, CentOS / RHEL 7+
x86_64 Alpine Linux 3.9+

The doc says only Linux-based containers. We would love to connect and debug failures on the remote Windows containers if possible.

security – How to prevent docker container from accessing my local network?

I have some websites in Docker containers running on my NAS and exposed to the outside world via port forwarding. I thought that was rather safe, because even if the container gets hacked, no big deal. But I noticed that when I get access to my docker containers, I am basically inside my local network. I can then use different less secure ports on my computers or NAS, which I purposely have not exposed to the outside world.

Is there a way to prevent my docker containers from accessing my local network?

Preferably a solution with onboard tools from Synology DSM or Docker.
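One defender-side way to do this with plain Docker and iptables, added here as an example and not part of the question or of Synology's tooling: rules in Docker's DOCKER-USER chain that drop new connections from the container bridge to the LAN while still letting replies to published ports through, plus a small shell model of the same policy for checking intent against sample flows. The subnets 172.17.0.0/16 and 192.168.1.0/24 and the sample flows are assumed placeholders, and a standard Docker iptables setup with a DOCKER-USER chain is assumed.

```shell
#!/bin/sh
# Added example, not from the question: block new container->LAN connections via the
# DOCKER-USER chain (which Docker evaluates before its own FORWARD rules).
# Assumptions: a standard Docker iptables setup with a DOCKER-USER chain; the bridge
# subnet 172.17.0.0/16 and LAN 192.168.1.0/24 used below are placeholders.

# Print the iptables commands rather than running them, so they can be reviewed first.
# $1 = container bridge subnet, $2 = LAN subnet to protect.
docker_lan_block_rules() {
    bridge="$1"
    lan="$2"
    # -I inserts at the top, so the command emitted LAST is evaluated FIRST.
    # Final chain order: RETURN established, LOG new, DROP new.
    echo "iptables -I DOCKER-USER -s $bridge -d $lan -m conntrack --ctstate NEW -j DROP"
    echo "iptables -I DOCKER-USER -s $bridge -d $lan -m conntrack --ctstate NEW -j LOG --log-prefix \"docker-lan-block: \""
    # Replies to connections that LAN clients opened to a published port must pass.
    echo "iptables -I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
}

# Pure-shell model of the same policy, for checking intent against sample flows
# before touching the firewall. Subnets are given as shell globs here ("172.17.*").
# $1 src, $2 dst, $3 conntrack state, $4 bridge glob, $5 LAN glob; prints DROP or ACCEPT.
flow_verdict() {
    src="$1"; dst="$2"; state="$3"; bridge_glob="$4"; lan_glob="$5"
    if [ "$state" = "ESTABLISHED" ] || [ "$state" = "RELATED" ]; then
        echo ACCEPT; return 0
    fi
    case "$src" in
        $bridge_glob)
            case "$dst" in
                $lan_glob) echo DROP; return 0 ;;
            esac ;;
    esac
    echo ACCEPT
}

# Constructed sample flows (src dst state): a NAS admin port at 192.168.1.5 is the kind
# of service the question wants hidden from a compromised container.
for flow in "172.17.0.2 192.168.1.5 NEW" \
            "192.168.1.20 172.17.0.2 NEW" \
            "172.17.0.2 192.168.1.20 ESTABLISHED" \
            "172.17.0.2 93.184.216.34 NEW"; do
    set -- $flow
    echo "$1 -> $2 ($3): $(flow_verdict "$1" "$2" "$3" '172.17.*' '192.168.1.*')"
done
```

Apply the real rules with `docker_lan_block_rules 172.17.0.0/16 192.168.1.0/24 | sudo sh` once the output looks right; the LOG rule leaves a kernel-log record of every blocked attempt, which is the detection signal for a compromised container probing the LAN.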

themes – removing side space between para and container on generatepress?

You can always use the “Inspect Tool” in your browser to see the details of the object (structure and style). Though I checked your page and didn’t see anything wrong with it. As you can see in the list at the top of your picture, the last item has a bit of space.

Another point is that at the beginning of the line, all words start in the same place, and the left padding would be OK. But since all the words do not have the same length and they can be half-written at the end of the line, the long words may be placed on the next line. This way some lines might be shorter and some lines might be longer, and you think that there’s something wrong with the space (as you can see in the “Power” paragraph and the last 3 lines).