Just a quick update to tell about a new Docker based on the phocean/msf image.
It provides an image for the BeEF framework for XSS browser exploitation (http://beefproject.com/).
These articles consist in tips to automate or improve the smoothness of repeated professional tasks. If you haven’t, I recommend you to read them.
Some are specific to the Mac OS X environments, but most of time it is easy to find alternative stuff for Linux. By the way, I am thinking of sharing my own tips for Linux some day.
Today, I will start with an article on how I tackled the issues I have with technology watching : too much information, too many sources, too much noise, too much time wasted… Hmm, yes, that’s a lot of issues!
Before, below are the sources that I used to visit plenty of times a day:
So my typical checks consisted in visiting these places subsequently, several times a day. With all the hassle of using different interfaces and the distractions that you can find there, it used to be very time costly and not really efficient.
Typically, I would save interesting topics there (“like” in Twitter, “save” for Feedly…) for a later check. Sometimes I would also use Pocket to read them offline, or a simple PDF export.
As I already said, such a process with many tools is far from ideal and from the Reduce the friction™ theory.
Netvibes is a Web platform allowing to gather many kinds of contents within dashboards. It is in fact possible to use it as a news aggregator like Feedly, but it has much more capabilities.
First, it can handle sources from various technologies or social media actors (at least, major ones are supported):
After adding some sources (they call them applications), you can get a classic feed view like below:
Nice! We now have a lot of stuff in one place and you can easily distinct what you have read or not (which is not easy to achieve in Twitter, for instance).
Then, similar to what IFTT offers, you can create automated actions easily.
Here are some of the supported triggers:
Based on a trigger like marking an article from within Netvibes, I can decide to send that article to Pocket or by e-mail for offline reading:
I have also another action: when a new post appears on a subreddit, I also send it to Pocket.
The possibilities, while not yet infinite, are huge.
You can do a lot with the free version, but for 2€ a month, you get content indexing to quickly find back some items in your feeds. I took this option, as it is useful but also as it is a way to support this project.
There is a premium offer, by far more expensive, but it is not really aimed to individual (analytics and collaborative features). See this page for more information.
I have tried, I believe, all possible alternatives. Including integrating Feedly with IFFT, which is nice but does not solve the issue of reading many sources.
Netvibes is so far very interesting and powerful. It is not perfect, however.
Sometimes the interface is a little clumsy or cumbersome. I also miss a mobile application (for Android), even though the mobile HTML 5 interface is not that bad (http://mobile.netvibes.com).
Finally, I could not find a way to republish a dashboard feed as RSS, so that I could use a mobile reader. Let’s hope that this powerful tool will continue to improve, and for that I hope it gains in popularity.
I pushed the image on Docker Hub, so that deploying it is now as easy as:
docker pull phocean/msf
It is an automatic build based on the Github repository.
It means that the image is built by Docker, not by me. For this task, they simply have a read access to the Dockerfile on Github.
Thus, you may place in this image the same level of trust than the one you have in Docker (I cannot interfere in the process and mess with the image).
I say it because I am myself reluctant of installing third-party images. While I prefer to rebuild everything from Dockerfiles, I am fine with automatically built images if I am in a hurry and for non sensitive data.
Just a quick note to say that I am very happy about this Metasploit docker image being useful to some people, according to the feedback I got.
And Lenny was kind enough to integrate it into his Linux distro, REMnux, well known among reversing people. He also came up with very good suggestions and helped me to bring some improvements, so many thanks to him.
Don’t miss reading his blog article on how to use the image in REMnux : “Run Metasploit Framework as a Docker Container Without Installation Pains”.
Stay tuned ;-)
I have kept playing with Docker recently, just for fun and to learn.
It is very powerful, but still young. It quickly shows some limit when it comes to security or persistence. There are some workarounds, yet more or less complex, more or less hacky.
Indeed, I had some issues with Etherpad, which is a Nodejs application, and its integration into Docker.
Initially, I made something quite simple, so my Dockerfile ended like that:
USER etherpad CMD ["node","/opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js"]
Thus, I simply start the app with a low privileges user.
It worked, but I had two issues:
I decided to tackle these two issues to understand what was going on behind.
I could not understand immediately the first issue: why was Docker unable to terminate the container properly?
After wandering a few hours on wrong paths (trying to get through with Nodejs nodemon or supervisor), I finally found some good articles, explaining that Docker misses an init system to catch signals, wich causes some issues with applications started with a PID = 1, which cannot be killed, or with Bash (the shell doesn’t handle transmitted signals.
I am not going to repeat poorly what has already been explained very well, so I encourage you to read this two excellent posts:
You will also find a lot of bug reports in the Docker github about this issue, and a lot of hacky or overkilling solutions.
In my opinion, the most elegant solution among them is to use a launcher program, very simple and dedicated to catch and handle signal.
I chose to use Dumb-init, as it is well packaged (there are plenty of options) and seems to be well maintained.
So, after installing Dump-init in the Dockerfile, the CMD line should now look like this:
USER etherpad CMD ["dumb-init","node","/opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js"]
And indeed, as expected, docker stop now works flawlessly.
This is where I had the toughest issue, although it is supposed to be straightforward with volumes.
Volumes enable to share files or folders between host and containers, or between containers solely. There are plenty of possibilities, nicely illustrated on this blog:
And it works very well…. as long as you application runs as root.
In my case, for instance, Etherpad runs with a low privileged user, which is highly recommended. At startup, it creates a sqlite database, etherpad.db, in its ./var folder.
Mounting a volume, of any kind, over the ./var folder, would result in a folder with root only permissions. Subsequently, of course, the launch of Etherpad from the CMD command would fail miserably.
Simple solutions like chown in the Dockerfile don’t work, because they apply before the mount. The mount occurs at runtime and works like a standard Linux mount: it is created by the docker daemon, with root permissions, over possibly existing data.
My solution was to completely change the way Etherpad is started. I now use an external script which is started at runtime:
So now the Dockerfile ends with:
VOLUME /opt/etherpad-lite/var ADD run-docker.sh ./bin/ CMD ["./bin/run-docker.sh"]
And here is the script:
#!/bin/bash chown -R etherpad:etherpad /opt/etherpad-lite/var su etherpad -s /bin/bash -c "dumb-init node /opt/etherpad-lite/node_modules/ep_etherpad-lite/no de/server.js"
I use a data volume for persistency, so the run command looks like this:
docker run -d --name etherpad -p 80:9001 -v etherpad:/opt/etherpad-lite/var -t debian-etherpad
Far from being ideal, but it works. I really hope some features are coming to bring more options in this area, especially in the Dockerfile.
Globally, we can still hope a lot of improvements in security, because when I look at many Dockerfiles around, I see two behaviors:
It is scary and so far from the Linux philosophy. Let’s wait for the enhancements to come.
You can find the complete updated Dockerfile on this github page.
While we are on this topic, have a look to this nice post with some nice tips and tricks for Docker.
I made a few improvements (at least, I think they are) to the metasploit-frameword Dockerfile :
It is all up-to-date in its github repo. I will keep adjusting it, if I feel something is missing.
I hope I did it the right way, let me know what you think!