Logging driver leaks a key generated by ovpn_getclient when used through "logspout"; a warning #189
Comments
The source code includes a "combined-save" option that writes a file, but I don't readily see how to invoke it that way.
The stdout observation would be a good addition to the
Yup, I see a mention of I'll send in a PR for the stdout observation.
If you generate a key by running a command in a container, and if that container is set up to log data to some central logging system, then it can be possible to set up a situation where private keys leak out through the logs.
The command is ovpn_getclient, which puts data out to standard out:
The logging system I'm using is gliderlabs/logspout, which is configured to send stdout and stderr for running containers into a central syslog system. Since ovpn_getclient does its thing through stdout, that data is logged through the standard Docker logging driver.

The simple fix I can see is to run the command in some way with logging disabled for that run, e.g.
Of course, that's also substandard because you're really wanting to generate some kind of a log when the client file is generated, but I can confirm that this didn't exit unwanted data to syslog.
The word of warning is that ovpn_getclient might generate some logs somewhere, and it would be good to look carefully to make sure they don't go somewhere unwanted.
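
To check whether key material has already reached the central syslog, as the issue above describes, here is an added example (not part of the original issue or the project's code). The sample log lines, the `getclient` tag, the five-field syslog prefix and the marker strings searched for are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag syslog lines that carry private-key markers, so the
# affected client keys can be revoked and the log entries purged.

# Constructed sample of what a log forwarder might deliver when an inline
# client config is printed to a container's stdout (not real key data).
sample_syslog() {
  cat <<'EOF'
Jan 10 12:00:01 host1 openvpn[412]: Initialization Sequence Completed
Jan 10 12:03:15 host1 getclient[977]: client
Jan 10 12:03:15 host1 getclient[977]: <key>
Jan 10 12:03:15 host1 getclient[977]: -----BEGIN PRIVATE KEY-----
Jan 10 12:03:15 host1 getclient[977]: CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
Jan 10 12:03:15 host1 getclient[977]: -----END PRIVATE KEY-----
Jan 10 12:03:15 host1 getclient[977]: </key>
Jan 10 12:04:00 host1 sshd[1001]: Accepted publickey for admin
EOF
}

# Reads syslog lines on stdin and prints one line per hit:
#   <line number> <syslog tag> <kind of marker>
# The tag (field 5 in the assumed layout) identifies the emitting process,
# which tells the responder which container run leaked the data.
find_key_leaks() {
  awk '
    function hit(kind) { printf "%d %s %s\n", NR, $5, kind }
    /-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----/ { hit("pem-private-key"); next }
    /-----BEGIN OpenVPN Static key V1-----/    { hit("openvpn-static-key"); next }
    /<key>/                                    { hit("inline-key-block"); next }
  '
}

# Counts the hits for a log stream on stdin; 0 means nothing was found.
count_key_leaks() {
  find_key_leaks | grep -c . || true
}
```

Pipe a real log file into `find_key_leaks` (for example `find_key_leaks < /path/to/syslog`) and treat every reported tag as a key that needs revoking.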