david0
Repos
23
Followers
7
Following
4

Events

bump ardour to v6.9

Created at 1 week ago
pull request closed
bump ardour to v6.9

Bumps ardour to the newest 6.x version

Created at 1 week ago
--recovery-unseal without --recovery-private-key broken

Well, maybe it's more of a feature wish than a bug. But my expectation would be that --recovery-unseal would work without --recovery-private-key too, by querying the key from the cluster automatically.

The way it is implemented now is really not intuitive, since it's not doing what would be expected (at least by some) and not complaining that it's an invalid combination of arguments.

Created at 1 month ago
Running with GID != 0 fails

Thanks for your reply.

I would have agreed, but I asked internally and the GID != 0 requirement is coming from the NSA Hardening Guide For Kubernetes, PDF page 55. While I see that it contains zero reasoning for this suggestion, I'm not in the position to question that...

Created at 1 month ago
david0 create branch main
Created at 1 month ago
create repository
david0 create repository
Created at 1 month ago
--recovery-unseal without --recovery-private-key broken

Which component: kubeseal

Describe the bug: It's not possible to decrypt a key using --recovery-unseal online without specifying --recovery-private-key

To Reproduce Steps to reproduce the behavior:

  1. create secret
  2. seal
  3. try --recovery-unseal without --recovery-private-key
  4. see error
$ kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o yaml > mysecret.yaml
$ cat mysealedsecret.yaml | kubeseal \
                    --controller-name=my-release-sealed-secrets \
                    --controller-namespace=default \
                    --format yaml --recovery-unseal
error: no key could decrypt secret (foo)

Expected behavior Unsealed secret yaml should be shown

Version of Kubernetes:

  • Output of kubectl version:
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:14:10Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:15:38Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}


Created at 1 month ago
offline decrypt raw string

AFAIK this issue is about raw strings, while the FAQ is about YAML/JSON files.

--raw with --recovery-unseal does not seem to work:

echo "aaa" |kubeseal --namespace my --controller-namespace my --raw --scope namespace-wide --recovery-unseal
error: couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
Created at 1 month ago
create tag
david0 create tag v0.8
Created at 1 month ago
opened issue
Support -V to query version

There should be a way to figure out the version.

E.g. as in ldapsearch -V:

ldapbrowse -V

Created at 1 month ago
issue comment
Support cgroupns option in containers.run/containers.create

@milas Thanks a lot! 🎉

Created at 1 month ago
opened issue
G# is missing

A sharp look on your site told me that :-)

Created at 2 months ago

Bump paramiko from 2.8.0 to 2.10.1

Bumps paramiko from 2.8.0 to 2.10.1.


updated-dependencies:

  • dependency-name: paramiko dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #2974 from docker/dependabot/pip/paramiko-2.10.1

Bump paramiko from 2.8.0 to 2.10.1

deps: upgrade pywin32 & relax version constraint (#3004)

Upgrade to latest pywin32, which has support for Python 3.10 and resolves a CVE (related to ACL APIs, outside the scope of what docker-py relies on, which is npipe support, but still gets flagged by scanners).

The version constraint has also been relaxed in setup.py to allow newer versions of pywin32. This is similar to how we handle the other packages there, and should be safe from a compatibility perspective.

Fixes #2902. Closes #2972 and closes #2980.

Signed-off-by: Milas Bowman milas.bowman@docker.com

ci: remove Python 3.6 and add 3.11 pre-releases (#3005)

  • Python 3.6 went EOL Dec 2021
  • Python 3.11 is in beta and due for GA release in October 2022

Signed-off-by: Milas Bowman milas.bowman@docker.com

utils: fix IPv6 address w/ port parsing (#3006)

This was using a deprecated function (urllib.splitnport), ostensibly to work around issues with brackets on IPv6 addresses.

Ironically, its usage was broken, and would result in mangled IPv6 addresses if they had a port specified in some instances.

Usage of the deprecated function has been eliminated and extra test cases added where missing. All existing cases pass as-is. (The only other change to the test was to improve assertion messages.)

Signed-off-by: Milas Bowman milas.bowman@docker.com

test: fix for cgroupv2 (#2940)

This test was verifying that the container has the right options set (through docker inspect), but also checks if the cgroup-rules are set within the container by reading /sys/fs/cgroup/devices/devices.list

Unlike cgroups v1, on cgroups v2, there is no file interface, and rules are handled through ebpf, which means that the test will fail because this file is not present.

From the Linux documentation for cgroups v2: https://github.com/torvalds/linux/blob/v5.16/Documentation/admin-guide/cgroup-v2.rst#device-controller

(...) Device controller manages access to device files. It includes both creation of new device files (using mknod), and access to the existing device files.

Cgroup v2 device controller has no interface files and is implemented on top of cgroup BPF. To control access to device files, a user may create bpf programs of type BPF_PROG_TYPE_CGROUP_DEVICE and attach them to cgroups with BPF_CGROUP_DEVICE flag. (...)

Given that setting the right cgroups is not really a responsibility of this SDK, it should be sufficient to verify that the right options were set in the container configuration, so this patch is removing the part that checks the cgroup, to allow this test to be run on a host with cgroups v2 enabled.

Signed-off-by: Sebastiaan van Stijn github@gone.nl

test: fix flaky container log test

Ensure the container has exited before attempting to grab the logs.

Since we are not streaming them, it's possible to attach + grab logs before the output is processed, resulting in a test failure. If the container has exited, it's guaranteed to have logged :)

Signed-off-by: Milas Bowman milas.bowman@docker.com

test: mark invalid test as xfail

This test looks for some behavior on non-chunked HTTP requests.

It now fails because it looks like recent versions of Docker Engine ALWAYS return chunked responses (or perhaps this specific response changed somehow to now trigger chunking whereas it did not previously).

The actual logic it's trying to test is also unusual because it's trying to hackily propagate errors under the assumption that it'd get a non-chunked response on failure, which is...not reliable. Arguably, the chunked reader should be refactored somehow but that's a refactor we can't really commit to (and it's evidently been ok enough as is up until now).

Signed-off-by: Milas Bowman milas.bowman@docker.com

ci: add flake8 job

Project is already configured for flake8 but it never gets run in CI.

Signed-off-by: Milas Bowman milas.bowman@docker.com

lint: fix outstanding flake8 violations

Since flake8 wasn't actually being run in CI, we'd accumulated some violations.

Signed-off-by: Milas Bowman milas.bowman@docker.com

client: fix exception semantics in _raise_for_status (#2954)

We want "The above exception was the direct cause of the following exception:" instead of "During handling of the above exception, another exception occurred:"

Signed-off-by: Maor Kleinberger kmaork@gmail.com

tls: use auto-negotiated highest version (#3007)

Specific TLS versions are deprecated in latest Python, which causes test failures due to treating deprecation errors as warnings.

Luckily, the fix here is straightforward: we can eliminate some custom version selection logic by using PROTOCOL_TLS_CLIENT, which is the recommended method and will select the highest TLS version supported by both client and server.

Signed-off-by: Milas Bowman milas.bowman@docker.com

transport: fix ProxyCommand for SSH conn (#2993)

Signed-off-by: Guy Lichtman glicht@users.noreply.github.com

deps: use packaging instead of deprecated distutils (#2931)

Replace distutils.Version (deprecated) with packaging.Version

Signed-off-by: Francesco Casalegno francesco.casalegno@gmail.com

Merge pull request #3008 from milas/flaky-tests

test: fix a couple flaky/broken tests

Merge pull request #3009 from milas/lint-flake8

ci: add flake8 job

ci: run integration tests & fix race condition (#2947)

  • Fix integration tests race condition
  • Run integration tests on CI
  • Use existing DIND version

Signed-off-by: Leonard Kinday leonard@kinday.ru

Co-authored-by: Milas Bowman milas.bowman@docker.com

deps: test on Python 3.10 by default (#3010)

  • Upgrade to latest Sphinx / recommonmark
  • Small CSS fix for issue in new version of Alabaster theme
  • Fix Makefile target for macOS

Signed-off-by: Milas Bowman milas.bowman@docker.com

deps: remove backports.ssl_match_hostname (#3011)

This is no longer needed as it exists in every supported (non-EOL) version of Python that we target.

Signed-off-by: Milas Bowman milas.bowman@docker.com

ssh: do not create unnecessary subshell on exec (#2910)

Signed-off-by: liubo liubo@uniontech.com

Created at 2 months ago
issue comment
Support cgroupns option in containers.run/containers.create

We are blocked by this too. Unfortunately the docker-py seems to be dead-ish atm. The commits on master give some hope...

Created at 2 months ago
started
Created at 2 months ago
MQ Client configuration for SSL with Spring Boot - Provision to provide keystore and truststore

I would also prefer a dedicated configuration option for that, because I'd like to separate the keys/certificate chain used for MQ from the chain used for the rest...

Created at 2 months ago
Document details on how to install MQ client

Maybe, unfortunately this project does not have a public bug tracker. The easiest (at least for me) would be if IBM-MQC-Redist would be bundled with pymqi.

Until then, I think IBM should provide at least a few lines of documentation somewhere on how to install the MQ client...

Created at 2 months ago
Document details on how to install MQ client

Hi,

I tried to use pymqi to connect to an MQ and lost a lot of time figuring out how to install the required MQ client.

Maybe this should be documented better/a link to that should be provided?!

Anyway, here is what I am using now:

FROM python:3

# The redistributable MQ client must live under /opt/mqm; no other prefix works.
RUN mkdir -p /opt/mqm
# -f makes the build fail on an HTTP error instead of untarring an error page.
RUN curl -fsSL 'https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqdev/redist/9.3.0.0-IBM-MQC-Redist-LinuxX64.tar.gz' | tar xz -C /opt/mqm
# fixes pymqi loading 32-bit libraries: point the loader at the 64-bit ones
ENV LD_LIBRARY_PATH=/opt/mqm/lib64:$LD_LIBRARY_PATH
RUN pip3 install pymqi==1.12.8

The best solution would obviously be to bundle the client with pymqi (same applies for nodejs, ruby etc).

Created at 2 months ago
Running with GID != 0 fails

Due to (another) sec. requirement we are not allowed to run with GID 0 in k8s.

Is there any way to do that?

I get the following error:

docker run --rm -ti -u 1001:100 -e LICENSE=accept ibmcom/mq
....
2022-07-01T11:58:46.367Z Image created: 2021-11-12T16:26:21+00:00
2022-07-01T11:58:46.367Z Image tag: ibm-mqadvanced-server-dev:9.2.4.0-r1.20211112161954.1f6d37a-amd64
2022-07-01T11:58:46.422Z MQ version: 9.2.4.0
2022-07-01T11:58:46.422Z MQ level: p924-L211105.DE
2022-07-01T11:58:46.422Z MQ license: Developer
2022-07-01T11:58:49.033Z Creating queue manager 4a59c78782b2
2022-07-01T11:58:49.033Z Starting web server
MQSeries: FFST record created in /mnt/mqm/data/errors/AMQ60.0.FDC
MQSeries: FFST record created in /mnt/mqm/data/errors/AMQ60.0.FDC
MQSeries: FFST record created in /mnt/mqm/data/errors/AMQ60.0.FDC
2022-07-01T11:58:49.138Z Error 71 creating queue manager: Permission denied attempting to access an INI file.

2022-07-01T11:58:49.139Z /opt/mqm/bin/crtmqm: exit status 71
Created at 2 months ago
Simplify/improve running with read-only rootfs

We have a company-wide sec. requirement to run containers in k8s with a read only fs (We run it there for dev purposes only).

We have been able to implement that by building our own image that moves /etc/mqm/ to /config/mqm, then mounts a tmpdir to /etc/mqm at runtime and copies back from /config.

Also a lot of mounts have been found out by trial & error:

docker run --user 1001:0 --read-only --tmpfs /etc/mqm/ --tmpfs /run/runmqserver --tmpfs /run/runmqserver/tls/ --tmpfs /tmp \
    -v data:/mnt/ -e LICENSE=accept \
    ibmmq/mq

I would suggest making running with an r/o rootfs simpler. For example, it would be easier if input files (.tpl) were stored in /usr/share, so that runmqdevserver would start with an empty /etc/mqm.

Also maybe the documentation should be improved by specifying which folders have to be read-only and/or improving the error messages by showing which file is problematic.

Created at 2 months ago
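The comment above works out the read-only rootfs setup with docker run, but the stated target is k8s. The Pod below is an added example (not from the issue, the commenter, or IBM) that expresses the same layout in Kubernetes: readOnlyRootFilesystem plus in-memory emptyDir volumes at exactly the paths the docker command puts on tmpfs, and a persistent volume at /mnt. The pod and volume names, the claim name mq-data and the size limits are assumptions; the paths, the user/group and the LICENSE variable come from the comment.

```yaml
# Added example: Kubernetes equivalent of the read-only rootfs docker run above.
# Names (mq-dev, mq-data) and sizeLimit values are assumptions; paths are from the comment.
apiVersion: v1
kind: Pod
metadata:
  name: mq-dev
spec:
  securityContext:
    runAsUser: 1001
    runAsGroup: 0          # matches --user 1001:0; the GID != 0 issue above is still open
    runAsNonRoot: true
  containers:
    - name: mq
      image: ibmcom/mq      # image name as used in the "Running with GID != 0" report
      env:
        - name: LICENSE
          value: accept
      securityContext:
        readOnlyRootFilesystem: true   # the --read-only flag
      volumeMounts:
        - name: etc-mqm            # --tmpfs /etc/mqm/
          mountPath: /etc/mqm
        - name: runmqserver        # --tmpfs /run/runmqserver
          mountPath: /run/runmqserver
        - name: runmqserver-tls    # --tmpfs /run/runmqserver/tls/
          mountPath: /run/runmqserver/tls
        - name: tmp                # --tmpfs /tmp
          mountPath: /tmp
        - name: data               # -v data:/mnt/
          mountPath: /mnt
  volumes:
    # medium: Memory gives a tmpfs-backed emptyDir, the closest match to --tmpfs
    - name: etc-mqm
      emptyDir: { medium: Memory, sizeLimit: 64Mi }
    - name: runmqserver
      emptyDir: { medium: Memory, sizeLimit: 64Mi }
    - name: runmqserver-tls
      emptyDir: { medium: Memory, sizeLimit: 16Mi }
    - name: tmp
      emptyDir: { medium: Memory, sizeLimit: 256Mi }
    - name: data
      persistentVolumeClaim:
        claimName: mq-data         # assumed PVC holding queue manager data
```

The sizeLimit values bound how much node memory each scratch area can consume; without them a writable tmpfs inside a read-only container is an unbounded memory sink, which is the main thing to watch when translating --tmpfs into emptyDir. If the image stops writing to a path, drop that volume rather than keeping an unused writable mount.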
issue comment
Add unmaintained notice

Any news? It really is a pity that this great package seems to be dead-ish atm.

Created at 2 months ago