<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<br>
<div class="moz-cite-prefix">On 30.11.17 21:39, Robert wrote:<br>
</div>
<blockquote type="cite"
cite="mid:93FD47A3-C1F3-4C9C-9FF8-FA0DFCF514F2@vooey.co.uk">
Hello Daniel,
<div class=""><br class="">
</div>
<div class="">Sincere apologies for the tardy reply! There are
lots of challenges I’ll face, but fortunately I only need to
secure the application; it is for others to worry about
preventing platform access etc. (but on the hardened OS, I’d be
amazed if gdb was available ;).</div>
</blockquote>
kamailio is usually started as root to read protected files like
kamailio.cfg as well as create control files/sockets and then
switches to an unprivileged user (e.g., kamailio). If one gets
root, installing gdb or other tools won't be a big deal ...<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<blockquote type="cite"
cite="mid:93FD47A3-C1F3-4C9C-9FF8-FA0DFCF514F2@vooey.co.uk">
<div class=""><br class="">
</div>
<div class="">The -f - solution may be the best approach.</div>
<div class=""><br class="">
</div>
<div class="">Thank you.</div>
<div class=""><br class="">
</div>
<div class="">Robert.<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 17 Nov 2017, at 10:24, Daniel-Constantin
Mierla <<a href="mailto:miconda@gmail.com" class=""
moz-do-not-send="true">miconda@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<p class="">Hello,</p>
<p class="">just remembered that a while ago I added
support for the config file name '-' (dash/minus char),
which means kamailio reads the config from standard
input. This can be used to direct the content of
kamailio.cfg from a safe system. For example, if one
stores the config file on a web server, one can do:</p>
<p class="">curl <a class="moz-txt-link-freetext"
href="https://myserver.com/kamailio.cfg"
moz-do-not-send="true">https://myserver.com/kamailio.cfg</a>
| kamailio -f -</p>
<p class="">It can be a webserver asking for a password.</p>
<p class="">In the context of keeping it encrypted,
there can be a tool that fetches and decrypts
kamailio.cfg content and prints it to the standard
output.</p>
<p class="">Using this, not even kamailio.cfg needs to
be saved on the local disc.</p>
<p class="">On the other hand, as I said in a previous
response, if an untrusted person gets access with root
privileges, then they can attach to a running kamailio
process with gdb and read from memory.</p>
<p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 17.11.17 08:02, Jurijs
Ivolga wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:CAOrA2UYP0K_rH4Ma1FkaDJThseJ2F14h3aVgesjSyEwh8eWeCw@mail.gmail.com"
class="">
<div dir="ltr" class="">
<div class="">
<div class="">Hi Robert,<br class="">
<br class="">
</div>
I'm not a security expert and I'm quite new to
docker, but I think a password in a Docker container
which will be saved somewhere in clear text should
not be a problem, as long as you do not save this
password to the image or git etc.<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I think the best way for you is to use
docker secrets and then generate the config file for
Kamailio using these docker secrets and then start
Kamailio; for all of this you need to write
some kind of Entrypoint script. Here is an example of
how Homer Sipcapture does something similar: they
set environment variables in docker-compose and
then generate the config file based on these, but you
can probably use docker secrets instead of
environment variables:</div>
<div class=""><br class="">
</div>
<div class=""><a
href="https://github.com/sipcapture/homer-docker/tree/master/kamailio"
moz-do-not-send="true" class="">https://github.com/sipcapture/homer-docker/tree/master/kamailio</a></div>
<div class=""><br class="">
</div>
<div class="">I found one more interesting link
regarding docker secrets:<br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><a
href="https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/"
moz-do-not-send="true" class="">https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/</a><br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">With kind regards,<br class="">
</div>
</div>
<div class="gmail_extra"><br class="" clear="all">
<div class="">
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr" class="">Jurijs<br class="">
</div>
</div>
</div>
<br class="">
<div class="gmail_quote">On Thu, Nov 16, 2017 at
11:58 PM, Robert <span dir="ltr" class=""><<a
href="mailto:robert@vooey.co.uk"
target="_blank" moz-do-not-send="true"
class="">robert@vooey.co.uk</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">That’d presumably leave
the clear text footprint I'm trying to avoid,
albeit in a non-Kamailio file. I’ve made a start
on an approach to read from a file; Docker
secrets are basically just files, but the Docker
platform handles them securely.<br class="">
<br class="">
Thanks - Robert...<br class="">
<span class="im HOEnZb"><br class="">
> On 16 Nov 2017, at 21:46, Bastian Triller
<<a href="mailto:bastian.triller@gmail.com"
moz-do-not-send="true" class="">bastian.triller@gmail.com</a>>
wrote:<br class="">
><br class="">
> isn't using a group in the db URL an
option? Generate some .cnf in<br class="">
> /etc/mysql/conf.d (or where MySQL
searches its configuration in a<br class="">
> Docker container) from the secret and use
the group in your db URL in<br class="">
> kamailio.cfg.<br class="">
><br class="">
> <a href="http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212</a><br class="">
<br class="">
<br class="">
</span>
<div class="HOEnZb">
<div class="h5">______________________________<wbr
class="">_________________<br class="">
Kamailio (SER) - Users Mailing List<br
class="">
<a href="mailto:sr-users@lists.kamailio.org"
moz-do-not-send="true" class="">sr-users@lists.kamailio.org</a><br
class="">
<a
href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
rel="noreferrer" target="_blank"
moz-do-not-send="true" class="">https://lists.kamailio.org/<wbr
class="">cgi-bin/mailman/listinfo/sr-<wbr
class="">users</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/" moz-do-not-send="true">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com/" moz-do-not-send="true">www.kamailioworld.com</a></pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
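<p>Added example, not from the thread or the Kamailio project: an entrypoint script that combines the suggestions above, rendering the DB password from a Docker secret into the config in memory and feeding the result to <code>kamailio -f -</code> through a pipe, so no clear-text copy is written to the container disk. The secret path, template path, <code>@DB_PASSWORD@</code> placeholder and entrypoint file names are assumptions chosen here; extra arguments are passed through to kamailio.</p>

```shell
#!/bin/sh
# Added example (not from the thread): a Docker entrypoint that renders
# kamailio.cfg in memory from a Docker secret and pipes it to
# `kamailio -f -`, so the DB password never touches the container's disk.
# Assumptions (names chosen here, not from the list): the secret is mounted
# at /run/secrets/kamailio_db_password and the template is a kamailio.cfg
# with the placeholder @DB_PASSWORD@ where the password belongs.
set -eu

SECRET_FILE="${KAMAILIO_DB_SECRET:-/run/secrets/kamailio_db_password}"
TEMPLATE="${KAMAILIO_CFG_TEMPLATE:-/etc/kamailio/kamailio.cfg.tmpl}"

# Print the first line of the secret file; fail on a missing or empty secret
# so kamailio does not start with a broken db_url.
read_secret() {
    f="$1"
    [ -f "$f" ] || { echo "entrypoint: secret $f not found" >&2; return 1; }
    IFS= read -r pw < "$f" || true   # read returns non-zero on a file without newline
    [ -n "$pw" ] || { echo "entrypoint: secret $f is empty" >&2; return 1; }
    printf '%s\n' "$pw"
}

# Substitute the placeholder with plain shell expansion rather than sed, so
# passwords containing / & or \ are inserted literally (one placeholder per
# line is enough for a db_url).
render_config() {
    tmpl="$1"; pw="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *@DB_PASSWORD@*)
                printf '%s%s%s\n' "${line%%@DB_PASSWORD@*}" "$pw" "${line#*@DB_PASSWORD@}" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$tmpl"
}

# The rendered config only ever exists in the pipe; extra arguments are
# passed through to kamailio. main runs only when the script is installed
# under an entrypoint name, so the functions can be sourced and checked.
main() {
    pw="$(read_secret "$SECRET_FILE")"
    render_config "$TEMPLATE" "$pw" | kamailio -f - "$@"
}

case "${0##*/}" in
    entrypoint.sh|docker-entrypoint.sh) main "$@" ;;
esac
```

The template itself holds no secret, so it can live in the image; only the secret mount and the pipe carry the password.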
</body>
</html>