Hello Daniel,
Sincere apologies for the tardy reply! There are lots of challenges I’ll face, but
fortunately I only need to secure the application, it is for others to worry about
preventing platform access etc. (but on the hardened OS, I’d be amazed if gdb was
available ;).
The -f - solution may be what is the best approach.
Thank you.
Robert.
On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
just remembered that a while ago I added support for the config file name '-'
(dash/minus char), which means kamailio reads the config from standard input. This can be
used to direct the content of kamailio.cfg from a safe system. For example, if one stores
the config file on a web server, one can do:
    curl https://myserver.com/kamailio.cfg | kamailio -f -
It can be a web server asking for a password.
In the context of keeping it encrypted, there can be a tool that fetches and decrypts
kamailio.cfg content and prints it to the standard output.
Using this, not even kamailio.cfg needs to be saved on the local disc.
On the other hand, as I said in a previous response, if an untrusted person gets access
with root privileges, then it can attach to a running kamailio process with gdb and read
from memory.
Cheers,
Daniel
On 17.11.17 08:02, Jurijs Ivolga wrote:
Hi Robert,
I'm not a security expert and I'm quite new to Docker, but I think a password in a
Docker container which will be saved somewhere in clear text should not be a problem, as
long as you do not save this password to an image or git, etc.
I think the best way for you is to use Docker secrets, generate the config file for
Kamailio from these Docker secrets and then start Kamailio; for all of this you need to
write some kind of entrypoint script. Here is an example of how Homer Sipcapture does
something similar: they set environment variables in docker-compose and then generate the
config file based on them, but you can probably use Docker secrets instead of environment
variables:
https://github.com/sipcapture/homer-docker/tree/master/kamailio
I found one more interesting link regarding Docker secrets:
https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:58 PM, Robert <robert(a)vooey.co.uk> wrote:
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in a
non-Kamailio file. I’ve made a start on an approach to read from a file, Docker secrets
are basically just files, but the Docker platform handles them securely.
Thanks - Robert...
On 16 Nov 2017, at 21:46, Bastian Triller <bastian.triller(a)gmail.com> wrote:
isn't using a group in the db URL an option? Generate some .cnf in
/etc/mysql/conf.d (or where MySQL searches its configuration in a
Docker container) from the secret and use the group in your db URL in
kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
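The entrypoint approach discussed in this thread (generate the config from a Docker secret and hand it to `kamailio -f -` so the rendered file never lands on disk), as an added example that is not part of the original messages or of the Kamailio project. The template path, the `__DB_PASSWORD__` placeholder and the secret name `kamailio_db_password` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the template path,
# the __DB_PASSWORD__ placeholder and the secret "kamailio_db_password".
TEMPLATE="${TEMPLATE:-/etc/kamailio/kamailio.cfg.tmpl}"
SECRET_FILE="${SECRET_FILE:-/run/secrets/kamailio_db_password}"

# render_cfg TEMPLATE SECRET_FILE
# Prints the template with every __DB_PASSWORD__ replaced by the first line
# of the secret file. awk reads the secret itself, so the value never shows
# up in a command line or an environment variable, and index()/substr()
# copy it literally (no special meaning for "&", "\" or "/" as with sed).
render_cfg() {
    awk -v sf="$2" -v tag="__DB_PASSWORD__" '
        BEGIN {
            if ((getline pw < sf) <= 0 || pw == "") {
                print "render_cfg: secret missing or empty" > "/dev/stderr"
                exit 2
            }
            close(sf)
        }
        {
            line = $0; out = ""
            while ((i = index(line, tag)) > 0) {
                out = out substr(line, 1, i - 1) pw
                line = substr(line, i + length(tag))
            }
            print out line
        }' "$1"
}

# Run as "entrypoint.sh start": render first, so a failed render aborts
# instead of starting kamailio on an empty config, then feed it over a pipe
# (printf is a shell builtin, so the config is not exposed in any argv).
if [ "${1:-}" = "start" ]; then
    cfg=$(render_cfg "$TEMPLATE" "$SECRET_FILE") || exit 1
    printf '%s\n' "$cfg" | kamailio -f -
fi
```

The substitution is literal, so a password containing `"` or `@` would still produce an invalid DB URL in the rendered config; restrict the secret's character set or encode it when the secret is created.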