John Kinsella jlk

@jlk
jlk / gist:b89fb9d54285b3c76a2145bb70349e47
Last active August 25, 2021 16:36
TAG Security Secpals notes

(8/25/21 I've moved this to cncf/tag-security#554 (comment))

This is meant as an overview of the Security Pals project to help get people up to speed.

Goal

This is a TAG Security pilot to smooth the security aspects of onboarding a new CNCF project. The "security pals" act as a friendly initial point of contact, help projects understand what the security self-assessment is, and act as a security guide/mentor through the assessment. In a nutshell, we don't expect the average open source project to have application security expertise, so we reach out with an offer to assist as we can.

Initial Projects

  • Artifact Hub
@jlk
jlk / gist:41d6ae2e001af775b27cab820457e28b
Created September 23, 2020 19:54
Default netdata install on ubuntu 18.04
$ docker run --rm -ti ubuntu
root@d32d4c8e1efc:/# wget https://my-netdata.io/kickstart.sh
bash: wget: command not found
root@d32d4c8e1efc:/# apt update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [1113 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [905 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [10.1 kB]
### Keybase proof
I hereby claim:
* I am jlk on github.
* I am jlk (https://keybase.io/jlk) on keybase.
* I have a public key ASDNEhj2b_r97PVuc87t7xxnwP0Tp3TeYdiH2NqMc5kCJgo
To claim this, I am signing this object:
version: '3'
services:
  grafana:
    image: grafana/grafana:4.1.2
    ports:
      - "8085:3000"
    volumes:
      - /data/grafana:/var/lib/grafana
    logging:
      - driver: gelf
# Traefik started with
# docker service create --constraint=node.role==manager --publish 80:80 --publish 443:443 --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock --network traefik-internal traefik --docker --docker.swarmmode --docker.domain=traefik --docker.watch --web
# running this with docker stack deploy --compose-file docker-compose-swarm.yml grafana
version: '3'
services:
  grafana:
    image: grafana/grafana:4.1.2
    ports:
      - "8085:3000"
@jlk
jlk / gist:f54a0f67ed842161a28c166c42713911
Created August 24, 2016 16:20
seccomp in docker-compose
version: '2'
services:
  db:
    container_name: mariadb
    image: mariadb:5.5
    ports:
      - 3306
    cap_add:
      - SYS_PTRACE
    security_opt:
@jlk
jlk / blah.
Created August 23, 2016 17:55
$ unzip ../procps-3.3.9-r3.apk
Archive: ../procps-3.3.9-r3.apk
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of ../procps-3.3.9-r3.apk or
../procps-3.3.9-r3.apk.zip, and cannot find ../procps-3.3.9-r3.apk.ZIP, period.
# flockerctl --control-service=swarm-master list
DATASET SIZE METADATA STATUS SERVER
ea8748d1-26e9-4569-b1dd-d31e018b162c 75.00G name=oranges deleting <missing>
@jlk
jlk / gist:b65863ea3aabf5bb1c1084422ba76214
Created April 17, 2016 20:53
ansible - inventory variables in vars
- hosts: tag_Name_swarm_node
  user: ubuntu
  become: yes
  vars:
    - swarm_manager_ip: "{{ tag_Name_swarm_node[0] }}"
  roles:
    - swarm_node
@jlk
jlk / gist:3ca9206a6391f9abf895631d252c6c09
Created April 14, 2016 16:54
Rancher logs, processes stuck "scheduling"
2016-04-14 14:21:09,623 ERROR [:] [] [] [] [ServiceReplay-9] [i.c.p.e.e.i.ProcessEventListenerImpl] Unknown exception running process [instance.start:16354] on [245] java.lang.IllegalStateException: Attempt to cancel when process is still transitioning
at io.cattle.platform.engine.process.impl.DefaultProcessInstanceImpl.runDelegateLoop(DefaultProcessInstanceImpl.java:191) ~[cattle-framework-engine-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.engine.process.impl.DefaultProcessInstanceImpl.executeWithProcessInstanceLock(DefaultProcessInstanceImpl.java:158) ~[cattle-framework-engine-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.engine.process.impl.DefaultProcessInstanceImpl$1.doWithLock(DefaultProcessInstanceImpl.java:108) ~[cattle-framework-engine-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.engine.process.impl.DefaultProcessInstanceImpl$1.doWithLock(DefaultProcessInstanceImpl.java:105) ~[cattle-framework-engine-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.lock.impl.Abstra