<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Daniel,<div class=""><br class=""></div><div class="">Sincere apologies for the tardy reply! There are lots of challenges I’ll face, but fortunately I only need to secure the application, it is for others to worry about preventing platform access etc. (but on the hardened OS, I’d be amazed if gdb was available ;).</div><div class=""><br class=""></div><div class="">The -f - solution may be what is the best approach.</div><div class=""><br class=""></div><div class="">Thank you.</div><div class=""><br class=""></div><div class="">Robert.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div text="#000000" bgcolor="#FFFFFF" class=""><p class="">Hello,</p><p class="">just remembered that a while ago I added support for the config
      file name '-' (dash/minus char) which means kamailio reads the
      config from standard input. This can be used to direct content of
      the kamailio.cfg from a safe system. For example, if one stores
      the config file on a web server, one can do:</p><p class="">curl <a class="moz-txt-link-freetext" href="https://myserver.com/kamailio.cfg">https://myserver.com/kamailio.cfg</a> | kamailio -f -</p><p class="">It can be a web server asking for a password.</p><p class="">In the context of keeping it encrypted, there can be a tool that
      fetches and decrypts kamailio.cfg content and prints it to the
      standard output.</p><p class="">Using this, not even kamailio.cfg needs to be saved on the local
      disc.</p><p class="">On the other hand, as I said in a previous response, if an
      untrusted person gets access with root privileges, then they can
      attach to a running kamailio process with gdb and read from
      memory.</p><p class="">Cheers,<br class="">
      Daniel<br class="">
    </p>
    <br class="">
    <div class="moz-cite-prefix">On 17.11.17 08:02, Jurijs Ivolga wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:CAOrA2UYP0K_rH4Ma1FkaDJThseJ2F14h3aVgesjSyEwh8eWeCw@mail.gmail.com" class="">
      <div dir="ltr" class="">
        <div class="">
          <div class="">Hi Robert,<br class="">
            <br class="">
          </div>
          I'm not a security expert and I'm quite new to Docker, but I
          think a password in a Docker container that is saved somewhere
          in clear text should not be a problem, as long as you do not
          save this password to an image or git, etc.<br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class="">I think best way for you is to use docker secret and
          generate then config file for Kamailio using this docker
          secrets and then start Kamailio and for all of this you need
          to write some kind of Entrypoint script. Here is example how
          something similar do Homer Sipcapture, they set environment
          variables in docker-compose and then generate config file
          based on this, but you can use probably docker secrets instead
          of environment variables:</div>
        <div class=""><br class="">
        </div>
        <div class=""><a href="https://github.com/sipcapture/homer-docker/tree/master/kamailio" moz-do-not-send="true" class="">https://github.com/sipcapture/homer-docker/tree/master/kamailio</a></div>
        <div class=""><br class="">
        </div>
        <div class="">I found one more interesting link regarding docker secrets:<br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class=""><a href="https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/" moz-do-not-send="true" class="">https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/</a><br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class="">With kind regards,<br class="">
        </div>
      </div>
      <div class="gmail_extra"><br clear="all" class="">
        <div class="">
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr" class="">Jurijs<br class="">
            </div>
          </div>
        </div>
        <br class="">
        <div class="gmail_quote">On Thu, Nov 16, 2017 at 11:58 PM,
          Robert <span dir="ltr" class=""><<a href="mailto:robert@vooey.co.uk" target="_blank" moz-do-not-send="true" class="">robert@vooey.co.uk</a>></span>
          wrote:<br class="">
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">That’d
            presumably leave the clear text footprint I'm trying to
            avoid, albeit in a non-Kamailio file. I’ve made a start on
            an approach to read from a file, Docker secrets are
            basically just files, but the Docker platform handles them
            securely.<br class="">
            <br class="">
            Thanks - Robert...<br class="">
            <span class="im HOEnZb"><br class="">
              > On 16 Nov 2017, at 21:46, Bastian Triller <<a href="mailto:bastian.triller@gmail.com" moz-do-not-send="true" class="">bastian.triller@gmail.com</a>>
              wrote:<br class="">
              ><br class="">
              > isn't using a group in the db URL an option? Generate
              some .cnf in<br class="">
              > /etc/mysql/conf.d (or where MySQL searches its
              configuration in a<br class="">
              > Docker container) from the secret and use the group
              in your db URL in<br class="">
              > kamailio.cfg.<br class="">
              ><br class="">
              > <a href="http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">http://www.kamailio.org/docs/<wbr class="">modules/5.0.x/modules/db_<wbr class="">mysql.html#idp419</a><br class="">
              > 97212<br class="">
              <br class="">
              <br class="">
            </span>
            <div class="HOEnZb">
              <div class="h5">______________________________<wbr class="">_________________<br class="">
                Kamailio (SER) - Users Mailing List<br class="">
                <a href="mailto:sr-users@lists.kamailio.org" moz-do-not-send="true" class="">sr-users@lists.kamailio.org</a><br class="">
                <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">https://lists.kamailio.org/<wbr class="">cgi-bin/mailman/listinfo/sr-<wbr class="">users</a><br class="">
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br class="">
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br class="">
      <pre wrap="" class="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <br class="">
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com/">www.kamailioworld.com</a></pre>
  </div>

_______________________________________________<br class="">Kamailio (SER) - Users Mailing List<br class=""><a href="mailto:sr-users@lists.kamailio.org" class="">sr-users@lists.kamailio.org</a><br class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users<br class=""></div></blockquote></div><br class=""></div></body></html>