How are security updates inside Docker container handled?

(Gerhard Schlager) #1

I like the fact that Discourse runs inside a Docker container. However, I’m currently not willing to run this on a production system since it’s not clear to me how security updates inside the Docker container will be handled.

On a typical Ubuntu server installation I’ll enable unattended-upgrades to automatically install security updates or at least to notify me about updates (like when I’ve installed nginx from a PPA).

So, how will this work with the Discourse docker image? Will you configure unattended-upgrades to check for security updates and let it notify the admin or even install those updates automatically?
How will you handle updates for 3rd party packages like nginx? Those should be included in those checks (by default they aren’t).
And of course there’s software installed from source as well. How would those get updated if there’s a security vulnerability that needs fixing?

I’ve been looking at how others are keeping their docker containers secure. However, it looks like nobody cares or doesn’t use long running containers. The answer usually is “rebuild your container”.

Obviously that will only work

  • if the Discourse admin gets notified that he needs to update the container
  • and when there actually exists an updated docker image.

Are there any plans to automate security updates inside the container? That would be my preferred option. I couldn’t find anything about that in your spec for version 1.
Or are you planning to provide docker images that are always up-to-date and notify the users (email) when they need to upgrade the docker container?

(Jeff Atwood) #2

Sounds like a sales pitch for hosting to me! :wink:

But seriously, we will notify on container upgrades as well as Discourse upgrades. Details are not quite worked out. Not sure how many container upgrades we will need versus Discourse upgrades either.

(Sam Saffron) #3

I don’t know, I need to discuss this with @supermathie, we have cron running so we could add this. However, this introduces a big issue as we no longer have versioning consistency, which is one huge reason I love docker.

Longer term we plan to offer better messaging about new container versions from /admin/upgrade. For any serious security flaws we rebuild the base image, we did so with heartbleed.

(Michael Brown) #4

Automatic security updates of the container (beyond what is provided by the docker update plugin) seem high-risk, low-reward to me.

The vast, vast majority of the attack surface of a Discourse container is all Discourse-specific code: ruby, gems, Discourse itself.

There is also nginx and postgres, updated on image rebuild.

It doesn’t feel to me like you’d get a huge benefit from updating the vendor packages on a regular schedule.

(Gerhard Schlager) #5

I’m fine with rebuilding the Docker image as long as I’ll get notified about security updates.

I don’t care about regular updates unless they stop Discourse from working and that’s something you have to worry about, not me. However, I’m not willing to run software that has known security vulnerabilities. So, as soon as any of the used software needs updating I’d like to get a notification to rebuild the Docker container.

And a feature request (after v1): It would be awesome if I could automate the rebuilding. E.g. a script which installs a cronjob on the host that checks every night for updates and automatically rebuilds the Docker image if needed. That would probably help a lot of small time admins like me. :wink:
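One way to build the nightly check requested above, as an added example that is not part of this thread or of the Discourse project: a POSIX shell script that runs `apt-get -s dist-upgrade` (simulation only, nothing is installed) inside the container, parses the `Inst` lines for packages whose candidate version comes from a `*-security` suite, and exits non-zero so cron mail or a wrapper can tell the admin a rebuild is worth doing. The container name `app` is an assumption, the sample apt output is constructed, and the `-security` match is an Ubuntu convention (Debian names its security suite differently, so adjust the pattern there).

```shell
#!/bin/sh
# Added example, not Discourse's or discourse_docker's own code.
# Reports pending package updates that come from a *-security suite by
# parsing `apt-get -s dist-upgrade` (simulation mode: no changes made).

# security_updates: read apt-get simulation output on stdin and print the
# name of every package whose pending update is sourced from a security
# suite. Lines look like:
#   Inst pkg [old-version] (new-version Origin:release/suite [arch])
security_updates() {
    # keep only "Inst" lines, then those mentioning a -security suite,
    # then print the package name (second field). "--" is needed because
    # the pattern itself starts with a dash.
    grep '^Inst ' | grep -- '-security' | awk '{print $2}'
}

# Constructed sample of `apt-get -s dist-upgrade` output (Ubuntu 14.04 style).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libssl1.0.0 nginx tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.0.0 [1.0.1f-1ubuntu2] (1.0.1f-1ubuntu2.1 Ubuntu:14.04/trusty-security [amd64])
Inst tzdata [2014a-0ubuntu1] (2014b-0ubuntu1 Ubuntu:14.04/trusty-updates [all])
Inst nginx [1.4.6-1ubuntu3] (1.4.6-1ubuntu3.1 Ubuntu:14.04/trusty-security [amd64])
Conf libssl1.0.0 (1.0.1f-1ubuntu2.1 Ubuntu:14.04/trusty-security [amd64])
Conf tzdata (2014b-0ubuntu1 Ubuntu:14.04/trusty-updates [all])
Conf nginx (1.4.6-1ubuntu3.1 Ubuntu:14.04/trusty-security [amd64])'

# check_sample: run the filter over the constructed sample (offline self-test).
check_sample() {
    printf '%s\n' "$SAMPLE_APT_OUTPUT" | security_updates
}

# nightly_check: the cron entry point. Refreshes the package index inside the
# container (assumed name "app"), simulates the upgrade, and returns 1 when
# security updates are pending so the caller can notify the admin.
nightly_check() {
    pending=$(docker exec app sh -c \
        'apt-get update -qq >/dev/null 2>&1; apt-get -s dist-upgrade' \
        | security_updates)
    if [ -n "$pending" ]; then
        printf 'Security updates pending in container, rebuild recommended:\n%s\n' "$pending"
        return 1
    fi
    echo 'No pending security updates in container.'
    return 0
}

# Example crontab line on the host (assumed path), mailing output on non-zero exit:
#   0 3 * * * /usr/local/bin/container-security-check.sh || mail -s "Discourse: rebuild needed" admin@example.com
```

Running `check_sample` against the constructed output lists `libssl1.0.0` and `nginx` but not `tzdata`, whose update comes from `trusty-updates`. Only the `Inst` lines are inspected so each package is reported once, and because the check is a simulation the container's versioned image is left untouched, which keeps the versioning consistency Sam mentions intact until the admin decides to rebuild.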

(Justin Gordon) #6

I’m a bit confused about how to handle this. I just set up the Digital Ocean Docker droplet, and then I get this message when I login:

1 package can be updated.
1 update is a security update.

Should I manually accept the security updates?

@codinghorror I just found out that an old Wordpress site of mine was infected on FatCow and now FatCow won’t give me shell access and is holding me hostage to buy 1 year of site-lock as manually deleting 5500 infected files on their slow control panel would take forever. You can guess how I’m feeling about FatCow and Wordpress :frowning:. This feels like the “Windows Tech Support” call at 8pm to help me with the infection on my computer!!!

(Jeff Atwood) #7

That isn’t the same scenario, though, because

  1. You don’t pay us for a supported install… do you?

  2. What you have is full SSH access to your own server on Digital Ocean, not a “website”. Nobody can take that away from you.

  3. We do recommend the following:

    • dpkg-reconfigure -plow unattended-upgrades will let Ubuntu auto-install critical security fixes. We set this for all our paid customers. May only work on Ubuntu 14 and later.

    • if you’re paranoid and/or of the “belt and suspenders” school of security, you can set up a firewall. See the howto category here.

(Anders) #8

Are there any updates on this? And how do you recommend doing security patching of discourse?

As an example; assume there is a vulnerability in postgres and a patch becomes available in aptitude - I would like to patch this within a few hours. How fast will you produce a new docker image? Or, if that is not the way to go, will you notify the community some way about there being a patch so that I can rebuild my own container - or should I do nightly rebuilds of my container “just in case”?

As a second example - if there is a security bug in the discourse software itself, I can use the web interface to update the installation. That’s great if I know that there is a new version. Is there any way to get notified (e.g. by email) that there is a new version or patch available?

(Sam Saffron) #9

Within a day or so.

Already automatic, your instance will send you an email on new releases.

(Gerhard Schlager) #10

That’s great. But it would be even better, if those updates of the Docker image could be automated.

(Sam Saffron) #11

We will get there eventually, I am confident of that, it will start as an opt-in thing.