Category Archives: Security

Howto: Delete old Docker containers

I’ve been working quite a bit lately on a secure deletion tool for Docker containers. Here are a few notes on basic delete methods, without security, which hint at the problem.

  • List all current containers

    $ docker ps -a

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    e72211164489  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        ecstatic_goodall
    927e4ab62b82  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        naughty_pasteur       
    d71ff26dbb90  hello-world  "/hello"  4 minutes ago       Exited (0) 4 minutes ago             hungry_wozniak        
    840279db0bd7  hello-world  "/hello"  5 minutes ago       Exited (0) 5 minutes ago             lonely_pare           
    49f6003093eb  hello-world  "/hello"  25 hours ago        Exited (0) 25 hours ago              suspicious_poincare   
    6861afbbab6d  hello-world  "/hello"  27 hours ago        Exited (0) 26 hours ago              high_carson           
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
    
  • List just containers weeks old

    $ docker ps -a | grep "weeks"

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
    
  • List all containers by ID

    $ docker ps -a | grep 'ago' | awk '{print $1}'

    e72211164489  
    927e4ab62b82         
    d71ff26dbb90          
    840279db0bd7          
    49f6003093eb    
    6861afbbab6d         
    2b29b6d5a09c          
    
  • List all containers by ID, joined to one line

    $ docker ps -a | grep 'ago' | awk '{print $1}' | xargs

    e72211164489 927e4ab62b82 d71ff26dbb90 840279db0bd7 49f6003093eb 6861afbbab6d 2b29b6d5a09c          
    
  • List ‘hours’ old containers by ID, joined to one line, and if found prompt to delete them

    $ docker ps -a | grep 'hours' | awk '{print $1}' | xargs -r -p docker rm

    docker rm 49f6003093eb 6861afbbab6d ?...
    

    Press y to delete, n to cancel
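The grep filters above match anywhere on the line, so a container whose name or image contains "hours" or "weeks" is selected too, whatever its age or state. The following is an added example, not part of the original notes: it asks `docker ps` for delimited fields and tests only the age and status columns. The `|` separator, the function names and the `opening_hours` sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: '|' never appears in the ID, RunningFor, Status or Names fields.

# Real input: one 'ID|RunningFor|Status|Names' line per container.
list_containers() {
    docker ps -a --format '{{.ID}}|{{.RunningFor}}|{{.Status}}|{{.Names}}'
}

# select_ids UNIT: print IDs of exited containers whose age is counted in UNIT
# (minute, hour, day, week, month, year). The age test looks only at field 2,
# so a name containing the word cannot cause a match.
select_ids() {
    awk -F '|' -v unit="$1" '
        $3 ~ /^Exited/ && $2 ~ ("^(About an? |[0-9]+ )" unit "s? ago$") { print $1 }
    '
}

# Constructed sample: rows from the listing above plus a running container
# whose name contains "hours" (hypothetical).
sample_listing() {
    printf '%s\n' \
        'e72211164489|About a minute ago|Exited (0) About a minute ago|ecstatic_goodall' \
        '49f6003093eb|25 hours ago|Exited (0) 25 hours ago|suspicious_poincare' \
        '6861afbbab6d|27 hours ago|Exited (0) 26 hours ago|high_carson' \
        '2b29b6d5a09c|3 weeks ago|Exited (0) 3 weeks ago|serene_elion' \
        'aaaaaaaaaaaa|2 minutes ago|Up 2 minutes|opening_hours'
}

# Whole-line grep, as in the notes above: counts the running container too.
naive_count() { sample_listing | grep -c 'hours'; }

# Field-aware selection, joined to one line.
safe_ids() { sample_listing | select_ids hour | xargs; }

echo "whole-line grep matches: $(naive_count); selected for removal: $(safe_ids)"

# Interactive use against the real daemon (same prompt as above):
#   list_containers | select_ids week | xargs -r -p docker rm
```
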

This Day in History: Antoine de Saint-Exupéry Disappears

On July 31 in 1944 Antoine de Saint-Exupéry flew a Lockheed Lightning P-38 on a morning reconnaissance mission, despite being injured and nearly ten years over the pilot age limit. It was the last day he was seen alive. A bracelet bearing his name was later found by a fisherman offshore between Marseille and Cassis, which led to discovery of the wreckage of his plane.

Saint-Exupéry was an unfortunate pilot with many dangerous flying accidents over his career. One in particular was during a raid, an attempt to set a speed record from Paris to Hanoï, Indochine and back to Paris. Winning would have meant 150K Francs. Instead Saint-Exupéry crashed in the Sahara desert.

Besides being a pilot of adventure he also was an avid writer and had studied drawing in a Paris art school. In 1942 he wrote The Little Prince, which has been translated into more than 250 languages and is one of the most well-known books in the world. Saint-Exupéry never received any of its royalties.

It brings to mind the rash of people now posting videos and asking their fans to pay to view/support their adventures.

Imagine if Saint-Exupéry had taken a video selfie of his crash and survival in the Sahara desert and posted it straight to a sharing site, asking for funds…instead of writing a literary work of genius and seeing none of its success.

Convert Kali Linux VMDK to KVM

I was fiddling around in Ubuntu 14.04 with Docker and noticed a Kali Linux container installation was just four steps:

$ wget -qO- https://get.docker.com/ | sh
$ docker pull kalilinux/kali-linux-docker
$ docker run -t -i kalilinux/kali-linux-docker /bin/bash
# apt-get update && apt-get install metasploit

This made me curious about comparing to the VM steps. Unfortunately they still only offer a VMDK version to play with. And this made me curious about how quickly I could convert to KVM.

On my first attempt I did the setup and conversion in eight steps (nine if you count cleanup):

  1. Install KVM

    $ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils virt-goodies p7zip-full

  2. Download kali vmdk zip file

    $ wget https://images.kali.org/Kali-Linux-1.1.0c-vm-amd64.7z

    (Optional) Verify checksum is 1d7e835355a22e6ebdd7100fc033d6664a8981e0

    $ sha1sum Kali-Linux-1.1.0c-vm-amd64.7z

  3. Extract zip file

    $ 7z x Kali-Linux-1.1.0c-vm-amd64.7z
    $ cd Kali-Linux-1.1.0c-vm-amd64
    $ ll

    -rw------- 1 user user 3540451328 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s001.vmdk
    -rw------- 1 user user 1016725504 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s002.vmdk
    -rw------- 1 user user 1261895680 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s003.vmdk
    -rw------- 1 user user 1094582272 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s004.vmdk
    -rw------- 1 user user  637468672 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s005.vmdk
    -rw------- 1 user user  779747328 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s006.vmdk
    -rw------- 1 user user 1380450304 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s007.vmdk
    -rw------- 1 user user    1376256 Mar 13 03:50 Kali-Linux-1.1.0c-vm-amd64-s008.vmdk
    -rw------- 1 root root        929 Mar 13 02:56 Kali-Linux-1.1.0c-vm-amd64.vmdk
    -rw-r--r-- 1 user user          0 Mar 13 05:11 Kali-Linux-1.1.0c-vm-amd64.vmsd
    -rwxr-xr-x 1 root root       2770 Mar 13 05:11 Kali-Linux-1.1.0c-vm-amd64.vmx*
    -rw-r--r-- 1 user user        281 Mar 13 05:11 Kali-Linux-1.1.0c-vm-amd64.vmxf

  4. Convert ‘vmdk’ to ‘qcow2’

    $ qemu-img convert -f vmdk -O qcow2 Kali-Linux-1.1.0c-vm-amd64.vmdk Kali-Linux-1.1.0c-vm-amd64.qcow2

  5. Change ownership

    $ sudo chown username:group Kali-Linux-1.1.0c-vm-amd64.qcow2

  6. Convert ‘vmx’ to ‘xml’

    $ vmware2libvirt -f Kali-Linux-1.1.0c-vm-amd64.vmx > Kali-Linux-1.1.0c-vm-amd64.xml

    (Note this utility was installed by virt-goodies. An alternative is to download just vmware2libvirt and run as “python vmware2libvirt -f Kali-Linux-1.1.0c-vm-amd64.vmx > Kali-Linux-1.1.0c-vm-amd64.xml”)

    (Optional) Create some uniqueness by replacing default values (e.g. mac address 00:0C:29:4B:9C:DF) in the xml file

    uuid
    $ uuidgen

    mac address
    $ echo 00:0C:$(dd if=/dev/urandom count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\).*$/\1:\2:\3:\4/')

    $ vi Kali-Linux-1.1.0c-vm-amd64.xml

  7. Create VM

    $ sudo ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm
    $ virsh -c qemu:///system define Kali-Linux-1.1.0c-vm-amd64.xml

  8. Edit VM configuration to link new qcow2 file

    Find this section

    <driver name='qemu' type='raw'/>
    <source file='/path/Kali-Linux-1.1.0c-vm-amd64.vmdk'/>

    Change raw and vmdk to qcow2

    <driver name='qemu' type='qcow2'/>
    <source file='/path/Kali-Linux-1.1.0c-vm-amd64.qcow2'/>

  9. Start the VM

    $ virsh start Kali-Linux-1.1.0c-vm-amd64

  10. Delete vmdk

    $ rm *.v*

Howto: Install GPG on Jolla Sailfish OS

A Finnish start-up, Jolla, announced at the end of 2013 that it was producing a free and open source Sailfish OS, with an open hardware smart phone.

Here is a quick three-step guide to getting GPG installed.

STEP 1) install pinentry

You have three options:

  1. compile from source
  2. install pinentry-0.8.3-1.armv7hl.rpm
  3. use warehouse app to search for “pinentry” in OpenRepos, add “veskuh” repository and install gnupg-pinentry

STEP 2) open the terminal and install the GnuPG software

[nemo@Jolla ~]$ pkcon install gnupg2

Currently this installs version 2.0.4 with a home of ~/.gnupg

Supported algorithms:

    Pubkey: RSA, ELG, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, TIGER192, SHA256, SHA384, SHA512, SHA224
    Compression: ZIP, ZLIB, BZIP2

STEP 3) use the terminal to create a key

[nemo@Jolla ~]$ gpg2 --gen-key

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? [Enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) [Enter]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) [Enter]
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the 
user ID from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Davi Ottenheimer
Email address: davi@flyingpenguin.com
Comment:[Enter]
You selected this USER-ID:
    "Davi Ottenheimer davi@flyingpenguin.com"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

┌─────────────────────────────────────────────┐
│ Enter passphrase                            │
│                                             │
│                                             │
│ Passphrase _***********_____________________│
│                                             │
│       OK           Cancel                   │
└─────────────────────────────────────────────┘

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key XXXXXXXX marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/XXXXXXXX 2015-07-29
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
uid Davi Ottenheimer davi@flyingpenguin.com
sub 2048g/YYYYYYYY 2015-07-29

STEP 3.5) verify key

[nemo@Jolla ~]$ gpg2 -k

/home/nemo/.gnupg/pubring.gpg
-----------------------------
pub 1024D/XXXXXXXX 2015-07-29
uid Davi Ottenheimer davi@flyingpenguin.com
sub 2048g/YYYYYYYY 2015-07-29

NOTE: you may want to move and keep your secret key on a removable storage card