Erethon’s corner

Random thoughts of mine

Can We Really Trust the Official Docker Images?

Yeap, this is another rant on the security practices of Docker users. Like we didn’t have enough of those already.

I recently revamped the CI system we use at my workplace. I ended up using a combination of Phabricator, Jenkins, Docker and the Docker registry, but more on this on another blogpost. Since I made heavy use of Docker for all of the above, I started poking around the Dockerfiles that are used to create the ‘official’ Docker images for a bunch of projects. I didn’t like what I saw.

I generally expect downloads for software to be either:

a) signed using a trusted key
b) if not signed, at least downloadble through `https`

if both of the above are missing, I refuse to download said software. It still surprises me that widely used software like nw.js offer none of the above.

It’s sad to see the same thing happening with official Docker images.

This is an example of a good Dockerfile, a Debian repo (hosted by Mongo) is used to download MongoDB and the .debs are signed using a trusted key. Moreover, gosu is also verified using gpg. Note: this means the gosu developer must be trusted to not backdoor his software, otherwise you have to verify the download in some other way, like a sha256sum.

This and this are examples of what I consider insecure Dockerfiles. In the first example, works with SSL just fine, why not use it by default? If the certificate of the site isn’t valid -as it appears to be in the second link (SHA1 cert?)- just download the file from multiple sources, get its sha256sum and use it to verify the download.

All in all, while I believe that Docker is an amazing tool, I don’t think a lot of its users are taking security seriously or into consideration at all. Personally, I wouldn’t trust the official Docker images before taking a look at their respective Dockerfile and verifying that everything is to my taste.

Using Msmtp to Handle Mail Delivery

Following the example of GKH and others, I’ve added one more piece of software on my email setup and workflow. That piece is msmtp, a very simple and lightweight SMTP client, that integrates really well with the rest of my setup.

At its core, msmtp does one thing. It gets mail from a MUA -in my case mutt- and relays it to a remote SMTP server. Its strength lies in its configuration file. All of its options can be set per account, which means, that it’s easy to achieve complex tasks. E.g., you can have two accounts use no proxy, a couple more use a remote machine through a SOCKS proxy and a super private one use TOR.

Another thing I really like about it, is the “fine tuning” it allows you to do in regards with TLS. It gives you the ability to pin TLS certificates to each account or even set the minimum number of Diffie-Hellman prime bits for TLS sessions.

There are also some scripts based on msmtp that allow you to queue emails if you don’t have internet access, e.g. when on a plane, review them later on and send them once you’re connected again.

All in all, if any of the above sound useful to you, give msmtp a try. I promise you won’t regret it.

On Proper Git Commit Messages and Frequent Git Pushes

Note: this is a rant on how people use git.

When I was introduced to git, I was told I should read this great post on git commit messages by Tim Pope. Ever since, I’ve been trying to follow that system in all of my commits across all projects.

Yesterday, I decided to switch from awesome to dwm. I tried to apply one of the available dwm patches, only to notice it doesn’t work with the latest version of dwm. So, I decided to have a look at the source and try to troubleshoot it myself. Running git log I was faced with this commit history:

cdec978 - applied Lukas' focus suggestion at startup, thanks (1 year, 7 months ago)
d83454f - applied Peters two patches, please test hg tip, if nothing breaks this is 5.9 (3 years, 9 months ago)
27b0142 - applied Garys patch in a slightly modified way (3 years, 9 months ago)
867ba36 - applied Nicolas Capit's patch as interim solution until the multiscreen support is reworked in 6.0 (3 years, 9 months ago)

This is just an excerpt, but these commits messages provide no information on what was changed, how it affects the code base or any valuable input of any kind.

In the end, I’ll probably use git bisect to troubleshoot this issue, but it would be nice and helpful if I could get some extra information from the commit history.

Update: for the record, the bug was in my config.h after all.

Another common pitfall I see often, is that people don’t realise that git is decentralized. Being decentralized means, you can code on your computer, use git add - git commit, test everything and once you’re satisfied with the output and are SURE that everything works as expected, then AND ONLY then, push to the upstream repo. Otherwise, you end up with multiple commits for something that could be squashed in a single commit.

On big projects like the Linux kernel or QEMU, you’ll often see patches that are sent multiple times before being merged, just to address the above issues. Unfortunately, this doesn’t seem to be a big deal for a lot of newer and smaller projects.

NotMuch Is Awesome

In one of my previous posts, I explained my email setup in detail. Since then I’ve added one more piece of software on the “stack”. It’s called NotMuch and it’s an email indexer.

After email is saved locally, thanks to offlineimap, it gets indexed by NotMuch in order to be searchable. NotMuch supports tags, uses Xapian for searches which means it supports stemming and is super quick and lightweight.

I’ve integrated mutt with NotMuch using the notmuch-mutt package on Debian, mutt-notmuch-py (although this can be done in many - simpler - ways) and a couple of lines on my .muttrc. I use / to search all of my emails when I’m on the index view of mutt and I to display a whole thread once I find the particular email I’m looking for.

Give NotMuch a try, after all it’s not much of an effort to set it up :)

My Mail Setup Using Mutt/OfflineIMAP/imapfilter

Update 17/03/2015: I’m also using NotMuch now, for more info check out this post.

Update 2/6/2015: I’ve added msmtp to the mix, check out my new post about it.

This is part of a series of posts where I describe my workflow and OS setup.

I use email a lot both in work and my daily life, so I want/need to have a lot of control on my mail. I use IMAP for getting my email for all my accounts and SMTP to send mails.

My mail client of choice is Mutt, which is a fully featured text based (terminal) MUA. Mutt has a nice interface (supports colors), it can read the maildir mailbox format (more on that later), uses an external editor for writing email (I use Vim), supports gpg/pgp, etc. In short, it’s not lacking any features compared to a GUI client.

You can use Mutt to connect to an IMAP server and have Mutt fetch your mail, but I prefer to use OfflineIMAP which is written in Python. OfflineIMAP syncs my mails from multiple remote servers to the local filesystem in maildir format. It also supports syncing between IMAP servers but I don’t need that kind of functionality. The configuration file of OfflineIMAP is simple, clean, powerful and intuitive if you’ve used Python before.

Depending on the machine I’m working on, I only sync specific IMAP folders. Here is the part of my .offlineimaprc file responsible for selecting the folders to be sync’ed.

folderfilter = lambda folder: folder in ['INBOX',

As always you can find my dotfiles on my GitHub account.

There is one more piece of software involved on my email setup and that is imapfilter, a utility to filter/sort emails on the remote IMAP server. It’s written in a combination of C and Lua and its configuration file is using Lua too. You can filter mails based on a number of different fields like CC, To, From, Subject, etc. There is not much more to say about it actually, it does one job and it does it well and fast.

Here is a diagram of the above setup (created with asciio):

                       Mutt sends mail using SMTP
          |                                                       ^
          |                                                       |
          v                                                       |
     .-,(  ),-.                                                   |
  .-(          )-.        .-------------.     .--------.      .------.
 (  Mail Servers  )<----->. OfflineIMAP .---->. ~/mail .<-----. Mutt .
  '-(          ).-'       '-------------'     '--------'      '------'
      '-.( ).-'        Fetch mails on ~/mail                 Read mails
          ^            and sync their status                 from ~/mail
          |            with the remote server
   . imapfilter .
imapfilter constantly filtering mails

Deploying Kippo With Ansible

I’ve been running some instances of Kippo for quite some while now with great results. I recently wrote an Ansible playbook to automate the process of deploying Kippo hosts and also make it scalable. You can find the playbook on my GitHub page, specifically here.

In a nutshell, the playbook will deploy a central database for all the Kippo hosts to log incoming attacks and then deploy a number of Kippo hosts. You can specify which repo to clone Kippo from or do ad-hoc file modifications to files in the repo. For example, I’ve modified some commands like wget.

A couple of weeks ago, GitHub announced its Student Pack, giving 100$ of credit on DigitalOcean, which I promptly grabbed. Two nights ago, I decided to use the credit on building a small cluster of SSH honeypots, consisting of twelve Kippo hosts. Of course, the whole project was orchestrated using Ansible.

My Tmux Config and a Small Tmux Primer

It’s been a little over a month since I started using tmux. Below, I’ll try to explain most of my .tmux.conf, a bit of my current workflow using awesome + tmux and various cool stuff you can do with tmux. My latest .tmux.conf can be found on my dotfiles repo on GitHub.

Tmux config file

unbind C-b
set -g prefix C-a

As most people, I’m using C-a as my bind key.

bind-key a send-prefix

Updating Tmux Without ‘Killing’ Active Sessions

I’ve been using tmux for a while, and even though I didn’t like it at first, now I’m in love with it. I’m mostly using it as a GNU Screen alternative, but I don’t use some of its fancy features like tabs, mainly because my window manager takes care of multiple terminal windows for me.

After a while, I got bored of starting a tmux session and configuring it every time, so I decided to give tmuxinator a try. The tmuxinator docs clearly stated that tmux >= 1.8 was needed, but I was using tmux version 1.6. I downloaded the latest stable tmux version from upstream, compiled it, installed it and tried to run it. I was greeted with this message:

protocol version mismatch (client 8, server 6)

What happened is that I had some tmux sessions still running using the 1.6 version. The obvious, and only, solution that came to my mind was to kill all running tmux sessions. Problem was, one of those sessions had my Irssi stuff open and, since I have yet to properly setup an irssi config file, I would have to reconnect to all servers, re-authenticate, rejoin all open channels, etc. Ain’t nobody got time for that.

Enter reptyr. Copying reptyr’s description:

reptyr is a utility for taking an existing running program and attaching it
to a new terminal. Started a long-running process over ssh, but have to
leave and don't want to interrupt it? Just start a screen, use reptyr to
grab it, and then kill the ssh session and head on home.

So, all I had to do was open a screen, detach the irssi processes from tmux, reattach them to screen using reptyr, kill all running tmux processes, restart the tmux server and, finally, reattach the irssi processes to tmux. Much to my surprise, it worked out flawlessly.

Now all that’s left, is to populate my ~/.tmuxinator config files and push them to my dotfiles.