sshd zombie process
On each new connection a process is spawned by sshd even if the user is not connected.
I guess the zombie process is held by the docker entrypoint itself?!
- We should offer a way to let sysadmins use a custom sshd config by binding /etc/ssh/sshd_config, to allow sshd to listen only on a secure network interface
- We should bind sshd logs somewhere to let sysadmins configure some fail2ban-like apps
- We must close zombie processes properly
- We should build this image automatically in order to upgrade the software inside
We may want to split those points into different tickets!
```
alias drunc="sudo docker-runc --root /run/docker/plugins/runtime-root/plugins.moby/"
ID PID STATUS BUNDLE CREATED OWNER
d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475 1182 running /run/docker/libcontainerd/containerd/io.containerd.runtime.v1.linux/plugins.moby/d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475 2018-12-08T23:24:05.98669913Z root
drunc exec d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475 ps -aux | wc -l
8774
```
Short howto, after a host restart, to block outside connections:

```
sudo iptables-save > iptable-save-`date "+%Y-%m-%d"`; cp iptable-save-`date "+%Y-%m-%d"` iptable-fix
```

Edit iptable-fix, adding the filter rule:

```
-A INPUT -i enp1s0f0 -p tcp --destination-port 1122 -j DROP
```

Check:

```
mlf@tayt ~ $ diff -C 10 iptable-save-`date "+%Y-%m-%d"` iptable-fix
*** iptable-save-2018-12-10 Mon Dec 10 23:55:17 2018
--- iptable-fix Mon Dec 10 23:57:36 2018
***************
*** 46,65 ****
--- 46,66 ----
*filter
:INPUT ACCEPT [41182:4904764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29470:18318889]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
+ -A INPUT -i enp1s0f0 -p tcp --destination-port 1122 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -o br-ab07140fdde8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

```
sudo iptables-restore -c < iptable-fix
```
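The "edit iptable-fix, then check" step of the howto above, as an added Python example (it is not part of this issue thread or of the buttervolume project): it inserts the same DROP rule into the `*filter` table of an `iptables-save` dump, right after the `-A INPUT -j sshguard` rule as in the diff, refuses to touch any other table, is idempotent, and lists the INPUT chain so the position of the new rule can be verified before `iptables-restore`. The sample dump is constructed (a trimmed version of the filter table shown above plus a made-up nat table); the interface `enp1s0f0` and port `1122` are the values the howto uses, and the function names are my own.

```python
import difflib
from typing import List, Optional

# Constructed sample: a shortened iptables-save dump. The nat table and the
# MASQUERADE rule are made up; the filter lines mirror the howto's diff.
SAMPLE_DUMP = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [41182:4904764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29470:18318889]
:DOCKER-USER - [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A FORWARD -j DOCKER-USER
COMMIT
"""


def build_drop_rule(iface: str, port: int) -> str:
    """The rule from the howto: drop TCP to the sshd port on the public interface."""
    return f"-A INPUT -i {iface} -p tcp --destination-port {port} -j DROP"


def insert_input_drop(dump: str, iface: str, port: int,
                      after: str = "-A INPUT -j sshguard") -> str:
    """Insert the DROP rule into the *filter table of an iptables-save dump,
    directly after the `after` rule (same placement as the diff in the howto).
    Idempotent: a dump that already carries the rule is returned unchanged.
    Raises ValueError if the anchor rule is not found in the filter table."""
    rule = build_drop_rule(iface, port)
    lines = dump.splitlines()
    out: List[str] = []
    in_filter = False
    inserted = rule in lines  # already present: do not add a duplicate
    for line in lines:
        out.append(line)
        if line.startswith("*"):            # table header: *nat, *filter, ...
            in_filter = line == "*filter"
        elif in_filter and not inserted and line == after:
            out.append(rule)
            inserted = True
    if not inserted:
        raise ValueError(f"anchor rule not found in *filter table: {after}")
    return "\n".join(out) + "\n"


def rules_in_chain(dump: str, table: str, chain: str) -> List[str]:
    """Return the -A rules of one chain of one table, in order, so the
    position of the new rule can be checked before iptables-restore."""
    rules: List[str] = []
    current: Optional[str] = None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith(f"-A {chain} "):
            rules.append(line)
    return rules


if __name__ == "__main__":
    fixed = insert_input_drop(SAMPLE_DUMP, "enp1s0f0", 1122)
    # Same "check" step as the howto, but with a unified diff of the two dumps.
    print("".join(difflib.unified_diff(
        SAMPLE_DUMP.splitlines(True), fixed.splitlines(True),
        "iptable-save", "iptable-fix")))
    print("filter/INPUT:", rules_in_chain(fixed, "filter", "INPUT"))
```

With a real dump you would read `iptable-save-<date>` into `dump`, write the returned text to `iptable-fix`, and only then run the `iptables-restore` command from the howto; the `rules_in_chain` output is the thing to look at before restoring.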
Looks like a common problem on containers, that was fixed by adding a --init option to docker run, but probably not fixed for docker plugins? Anyway I just tested using tini and it solves the problem. I'm releasing a new version now.
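To show what the tini fix is actually doing, here is an added Python example (it is neither the project's code nor tini itself): a parent that forks children and never calls `wait()` accumulates zombies, which is what an entrypoint running sshd as PID 1 without reaping does for every finished connection; a SIGCHLD handler that drains `waitpid(-1, WNOHANG)`, the core of what tini and dumb-init provide, keeps the process table clean. It reads `/proc`, so it is Linux only; the function names are my own.

```python
import os
import signal
import time
from typing import List, Tuple

# Added example, not from this issue or the buttervolume project.


def spawn_exiting_child() -> int:
    """Fork a child that exits at once. The parent deliberately does not
    wait() for it, which is what an unaware entrypoint does."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)  # child: terminate now; it stays a zombie until reaped
    return pid


def is_zombie(pid: int) -> bool:
    """Read the state field of /proc/<pid>/stat (Linux only); 'Z' is zombie.
    A pid that is gone from /proc has already been reaped."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except FileNotFoundError:
        return False
    # format: "pid (comm) state ..."; comm may contain spaces, so split on ')'
    return stat.rsplit(")", 1)[1].split()[0] == "Z"


def reap_children() -> List[int]:
    """Reap every terminated child without blocking, the way an init does.
    Returns the pids that were collected."""
    reaped: List[int] = []
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:  # no children left at all
            break
        if pid == 0:               # children exist but none has exited yet
            break
        reaped.append(pid)
    return reaped


def zombies_without_reaper(n: int = 3) -> Tuple[int, int, int]:
    """Spawn n children with no reaping in place.
    Returns (zombies before reaping, number reaped, zombies after)."""
    signal.signal(signal.SIGCHLD, signal.SIG_DFL)  # make sure nothing auto-reaps
    pids = [spawn_exiting_child() for _ in range(n)]
    time.sleep(0.5)  # give the children time to exit
    before = sum(is_zombie(p) for p in pids)
    reaped = reap_children()
    after = sum(is_zombie(p) for p in pids)
    return before, len(reaped), after


def zombies_with_reaper(n: int = 3) -> int:
    """Same spawn, but with a SIGCHLD handler reaping as children exit,
    which is what tini / dumb-init do for PID 1. Returns zombies left."""
    signal.signal(signal.SIGCHLD, lambda signum, frame: reap_children())
    try:
        pids = [spawn_exiting_child() for _ in range(n)]
        time.sleep(0.5)
        reap_children()  # catch anything that exited after the last signal
        return sum(is_zombie(p) for p in pids)
    finally:
        signal.signal(signal.SIGCHLD, signal.SIG_DFL)


if __name__ == "__main__":
    print("no reaper (before, reaped, after):", zombies_without_reaper())
    print("with SIGCHLD reaper, zombies left:", zombies_with_reaper())
```

The first call shows the failure mode from the `ps -aux | wc -l` output above (thousands of `Z` entries over time); the second is the behaviour you get once tini, dumb-init or `docker run --init` sits at PID 1 in front of the entrypoint.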
Just released version 3.6 with the fix for zombie processes. Already using it in production on a small server. I checked that incoming ssh connections don't create zombie processes.
Yes, I use the dumb-init project in some projects for the same reasons, with quite the same article.
Thanks for upgrading. No risk to upgrade while some anybox/buttervolume:latest is present on the server?
No risk to upgrade, it's OK!
OK, thanks.
This one has been fixed.
Hum, not all points mentioned:
- [ ] We should offer a way to let sysadmins use a custom sshd config by binding /etc/ssh/sshd_config, to allow sshd to listen only on a secure network interface
- [ ] We should bind sshd logs somewhere to let sysadmins configure some fail2ban-like apps
- [x] We must close zombie processes properly
- [ ] We should build this image automatically in order to upgrade the software inside