staypirate / secbox
Secbox is a toolbox that provides an out-of-the-box working setup for your daily work in the SUSE Security Team.
Home Page: https://build.opensuse.org/package/show/security/secbox
The container won't be able to automatically start after a reboot in openSUSE TW (maybe Leap too) because the SSH_AUTH_SOCK env variable and the "${SSH_AUTH_SOCK}:/ssh-agent" bind-mounted socket are defined at container creation time, and won't be the same after a host reboot.
Since all the required shares are already mounted in wotan.suse.de, adding the --sshfs option could allow access to all of them without the need to locally mount them via NFS. Moreover, no higher privs will be required anymore :).
Hi,
when I try to compile a package locally using oscb (default secbox alias for osc build --ccache --cpio-bulk-download --download-api-only), the build stage fails with:
sudo: No such file or directory: 'sudo'
Steps to reproduce:
osc co security:SELinux/selinux-policy
cd security:SELinux/selinux-policy
oscb
The secbox container was unable to access VPN resources because it was created before the VPN was on.
secbox is using the --network host option at container creation; this (among other capabilities) allows containerized software to share the same resolver as the host system. This permits containerized tools like osc to resolve internal domains (like build.suse.de).
The container maintains its own copy of /etc/resolv.conf, which is copied from the host at the time of the container creation. If the host was configured to use the SUSE internal resolvers at the time the container was created, then the container will be able to use them, since they will be present in its /etc/resolv.conf. Instead, if the container is created while the host is not connected to the VPN, it will inherit a not properly configured /etc/resolv.conf. If the host connects to the VPN only after the container is created, then the host will be able to resolve internal domains, since it will be reconfigured to use the internal DNS servers passed via DHCP (and its resolv.conf changes), but the copy maintained by the container won't be updated.
secbox creates a disposable container, hence it can be destroyed and recreated on demand at any time. After the VPN connection is established on the host side, the already existing container can be destroyed via secbox --destroy -f, and the next issued secbox command will recreate the container, this time with access to the VPN resources.
Alternatively, secbox --root and manually update the /etc/resolv.conf.
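A pre-flight check for the stale-resolver case described in this issue, written here as an added example (it is not secbox's own code). It compares the nameserver entries of the host's /etc/resolv.conf with the copy inside the container and reports which resolvers the container is missing; the function names and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of secbox: detect a container whose /etc/resolv.conf
# copy no longer matches the host's (e.g. the host joined the VPN after the
# container was created). Function names are assumptions for this example.

# Print the nameserver addresses found in a resolv.conf file, one per line,
# sorted and de-duplicated so that ordering differences do not count.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# Usage: resolv_in_sync HOST_RESOLV_CONF CONTAINER_RESOLV_CONF
# Returns 0 when both files name the same resolvers, 1 when they differ
# (the container should then be recreated). Each resolver that the host
# knows but the container does not is reported on stderr.
resolv_in_sync() {
    host_ns=$(resolv_nameservers "$1")
    cont_ns=$(resolv_nameservers "$2")
    if [ "$host_ns" = "$cont_ns" ]; then
        return 0
    fi
    for ns in $host_ns; do
        printf '%s\n' "$cont_ns" | grep -qxF -- "$ns" \
            || echo "container is missing resolver $ns" >&2
    done
    return 1
}

# Stand-alone usage (assumed container name "secbox"):
#   podman exec secbox cat /etc/resolv.conf > /tmp/secbox-resolv.conf
#   resolv_in_sync /etc/resolv.conf /tmp/secbox-resolv.conf || secbox --destroy -f
```

If the host runs systemd-resolved, /etc/resolv.conf usually only lists the 127.0.0.53 stub and never changes when the VPN comes up; compare /run/systemd/resolve/resolv.conf instead, which carries the upstream servers handed out via DHCP.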
If I run secbox twice at the same time with the flag --nfs (the same would happen with --sshfs, #1), after the faster process terminates secbox unmounts the NFS exports, leaving the second secbox instance without the needed resources.
Need to add a check before releasing the resources: check if another secbox instance is using them.
When secbox --destroy is run, check if there are any other running instances in the system. If yes, abort destruction with a warning.
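One way to implement both checks (the release-only-when-last rule from the --nfs issue above and the refuse-to-destroy rule from this one) is a small registry of running instances guarded by an atomic mkdir lock. This is an added example, not secbox's own code; the registry directory, the helper names and the two *_hook functions that stand in for the real umount and podman rm are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not secbox's own code): reference-count concurrent secbox
# instances so the shared --nfs/--sshfs mounts are released only by the last
# one, and --destroy refuses to run while other instances exist.
# Assumptions: the registry directory, the helper names, and the *_hook
# functions that replace the real unmount / container removal.

SECBOX_REG="${SECBOX_REG:-${XDG_RUNTIME_DIR:-/tmp}/secbox-instances}"

# Mutual exclusion around the registry: mkdir is atomic, so no flock is needed.
reg_lock() {
    mkdir -p "$(dirname "$SECBOX_REG")"
    until mkdir "$SECBOX_REG.lock" 2>/dev/null; do sleep 1; done
}
reg_unlock() { rmdir "$SECBOX_REG.lock"; }

# Record ID (secbox itself would pass $$) as a running instance.
secbox_register() {
    mkdir -p "$SECBOX_REG"
    reg_lock
    : > "$SECBOX_REG/$1"
    reg_unlock
}

# Print the number of registered instances other than ID.
secbox_others() {
    n=0
    for f in "$SECBOX_REG"/*; do
        [ -e "$f" ] || continue                      # glob matched nothing
        [ "$(basename "$f")" = "$1" ] || n=$((n + 1))
    done
    echo "$n"
}

# Stand-ins for the real actions so the example runs offline.
umount_hook()  { echo "umount $1"; }                 # secbox: umount / fusermount -u
destroy_hook() { echo "podman rm -f secbox"; }

# Called when instance ID exits: drop its registration and unmount MNT only
# if nobody else is registered. Returns 0 when unmounted, 2 when left mounted.
secbox_release_share() {
    id=$1; mnt=$2
    reg_lock
    rm -f "$SECBOX_REG/$id"
    others=$(secbox_others "$id")
    if [ "$others" -eq 0 ]; then
        umount_hook "$mnt"; rc=0
    else
        echo "INFO: $others other secbox instance(s) still use $mnt, not unmounting" >&2
        rc=2
    fi
    reg_unlock
    return "$rc"
}

# secbox --destroy issued by instance ID: abort with a warning if others run.
secbox_destroy() {
    reg_lock
    others=$(secbox_others "$1")
    reg_unlock
    if [ "$others" -gt 0 ]; then
        echo "WARNING: $others other secbox instance(s) running, refusing to destroy" >&2
        return 1
    fi
    destroy_hook
}
```

Two caveats for a real implementation: an instance killed with SIGKILL leaves its registration (and possibly the lock directory) behind, so a reaper that drops entries whose pid no longer answers kill -0 should run before counting; and the registry must live somewhere only the owning user can write (XDG_RUNTIME_DIR rather than a shared /tmp), otherwise another local user can keep your mounts alive or block your --destroy.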
It could be helpful sometimes to initialize or overwrite environment variables for that command. Pretending a --env option is implemented for that, an example could be:
secbox --env PYTHONPATH=/opt/imtools python3.11 -m imtools.im help
It should also work for appending data, like:
secbox --env PYTHONPATH=$PYTHONPATH:/opt/imtools python3.11 -m imtools.im help
The --env option could be passed multiple times.
secbox --env PYTHONPATH=$PYTHONPATH:/opt/imtools --env ABC=DEF python3.11 -m imtools.im help
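A parser for the repeatable --env option proposed above, added here as an example (it is not secbox's own code). It turns every --env NAME=VALUE (or --env=NAME=VALUE) that precedes the command into a --env=NAME=VALUE argument for podman exec, rejects malformed names before anything is run, and separates the remaining command words. The function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not secbox's own code): parse a repeatable --env option into
# arguments for podman exec. Function names are assumptions for this example.

# Is NAME a valid environment variable name ([A-Za-z_][A-Za-z0-9_]*)?
env_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one "--env=NAME=VALUE" per line for every --env option that precedes
# the command. Accepts "--env NAME=VALUE" and "--env=NAME=VALUE".
# Returns 2 on a malformed option so the caller can abort before podman runs.
secbox_env_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --env=*) spec=${1#--env=} ;;
            --env)
                [ $# -ge 2 ] || { echo "--env needs NAME=VALUE" >&2; return 2; }
                shift; spec=$1 ;;
            *) break ;;                       # first non-option word: the command
        esac
        case "$spec" in
            *=*) ;;
            *) echo "bad --env '$spec': expected NAME=VALUE" >&2; return 2 ;;
        esac
        name=${spec%%=*}
        env_name_ok "$name" || { echo "bad --env name '$name'" >&2; return 2; }
        printf '%s\n' "--env=$spec"
        shift
    done
}

# Print the words of the command that follows the --env options, one per line.
secbox_cmd_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --env=*) shift ;;
            --env)   [ $# -ge 2 ] || return 2; shift 2 ;;
            *) break ;;
        esac
    done
    for w in "$@"; do printf '%s\n' "$w"; done
}

# Stand-alone usage (assumed container name "secbox"), one argument per line
# so values containing spaces survive:
#   { secbox_env_args "$@"; echo secbox; secbox_cmd_args "$@"; } \
#       | xargs -d '\n' podman exec
```

Note that with --env PYTHONPATH=$PYTHONPATH:/opt/imtools the expansion of $PYTHONPATH happens in the host shell before secbox sees the argument, so the value is the host's, not the container's. If the host variable is unset the container receives PYTHONPATH=:/opt/imtools, and, as with PATH, an empty PYTHONPATH component is treated by Python as the current directory, which puts whatever is in the working directory on the import path.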
Secbox can be called from a script, and if an update is available it will make whatever command you are running interactive.
To better approach any use case, it is required to switch from the current interactive update prompt to an INFO message on stderr which informs the user that an update is available. This change will require a new option --update-container.
The management of the container is currently not optimized due to the fact that the logic is part of the sub-functions.
For instance start_container() calls create_container() when it should only start the container.
Lines 534 to 544 in eeb5124
This generates confusion when other functions call start_container() and then create_container(), like in update_image():
Lines 586 to 596 in eeb5124
Functions need to be rewritten following the UNIX philosophy (or a KISS approach).
Having the possibility to force an update when a new version is not available will help to get the latest container image built, which might contain updated package versions.