Logging driver leaks a key generated by ovpn_getclient when used through "logspout"; a warning #189
Comments
|
the source code includes a "combined-save" option that writes a file, but I don't readily see how to invoke it that way. |
|
The stdout observation would be a good addition to the |
|
Yup, I see a mention of I'll send in a PR for the stdout observation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you generate a key by running a command in a container, and if that container is set up to log data to some central logging system, then it can be possible to set up a situation where private keys leak out through the logs.
The command is ovpn_getclient, which puts data out to standard out:
The logging system I'm using is
gliderlabs/logspout, which is configured to send stdout and stderr for running containers into a central syslog system. Since ovpn_getclient does its thing through stdout, that data is logged through the standard Docker logging driver.The simple fix I can see is to run the command in some way with logging disabled for that run, e.g.
of course that's also substandard because you're really wanting to generate some kind of a log when the client file is generated, but I can confirm that this didn't exit unwanted data to syslog.
The word of warning is that ovpn_getclient might generate some logs somewhere, and it would be good to look carefully to make sure they don't go somewhere unwanted.
The text was updated successfully, but these errors were encountered: