Details
-
Type:
extRequest
-
Status: Closed
-
Priority:
Major
-
Resolution: Done
-
Fix Version/s: 2021
-
Component/s: FIWARE-TECH-HELP
-
Labels:None
-
Sender Email:
-
HD-Chapter:Cloud
-
HD-Enabler:Docker
Description
Dear FIWARE coach,
we forward you a support request received from a CreatiFI applicant we are
not able to solve.
Please let us know if you need direct contact with the submitter.
Thanks.
*********************************
Hello,
we have a few questions regarding the update of the Linux operating system.
They concern the kernel and packages
of the machines on which we have installed GEs: Ckanm, WMarket, Wirecloud,
WStore, Repository and SEs: Text to Speech
(Flexible and Adaptive Text to Speech)and Social Network (PPNET).
Before the installation of any of the aforementioned applications a
thorough update was made to the Linux machines
with apt-get upgrade or yum update and the GEs and SEs were installed
afterwards according to their requirements.
1. Ckan, WMarket and WStore are installed on Ubuntu 14.04
2. Wirecloud is installed on CentOS7 with Docker.
3. Repository is installed on Ubuntu 14.04 with Docker
4. The Social Network (PPNET) is installed on CentOS7 with Docker.
5. The Text to Speech (Flexible and Adaptive Text to Speech) is installed
on CentOS7 with Docker
Our questions are:
1. Do we have to add some exceptions when updating the operating system
(kernels, packages...) which conflict with the
GE and SE applications after update and result in the loss of functionality
of the apps.
2. What is the recommended security (best practices) about the GEs and SEs
applications installed with Docker?
Thank you for your help.
*********************************
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Mail
priva di virus. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-creatifi-coaching@lists.fiware.org) instead of the old one.
_______________________________________________
Fiware-creatifi-coaching mailing list
Fiware-creatifi-coaching@lists.fiware.org
https://lists.fiware.org/listinfo/fiware-creatifi-coaching
[Created via e-mail received from: Andrea Maestrini <amaestrini@create-net.org>]
Issue Links
Activity
| Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date | |||||
|---|---|---|---|---|---|---|---|---|---|
|
4d 19h 43m | 1 | Manuel Escriche | 20/Jun/16 10:24 AM | |||||
|
10d 1h 6m | 1 | Kenneth Nagin | 30/Jun/16 11:31 AM | |||||
|
5d 1h 54m | 1 | Kenneth Nagin | 05/Jul/16 1:25 PM |
| Fix Version/s | 2021 [ 12600 ] |
| Summary | [Fiware-creatifi-coaching] [creatiFI Italy Hub] Update the Linux operating system on which GE and SE applica ions are installed - Question 2 | FIWARE.Request.Tech.Cloud.Docker.Update the Linux operating system on which GE and SE applica ions are installed - Question 2 |
| HD-Chapter | Unknown [ 10845 ] | Cloud [ 10837 ] |
| HD-Node | Unknown [ 10852 ] |
| Resolution | Done [ 10000 ] | |
| Status | Answered [ 10104 ] | Closed [ 6 ] |
| Status | In Progress [ 3 ] | Answered [ 10104 ] |
Andrea, I've clonned the ticket for question 1 at HELP-6852.
I think Kenneth answered Question 2 already. Please, check it.
Kind regards,
Manuel
I will respond to the second question:
2. What is the recommended security (best practices) about the GEs and SEs
applications installed with Docker?
The best practice for docker is to limit the external ports that you expose to the user as much as possible.
The services listening on the exposed ports are your most vulnerably part of the application. If you have a database to access do not allow the user direct access to the db, rather place an api to filter out requests.
Do not allow ssh, telnet, etc. access to the containers; use attach, log, and exec for debugging.
Likewise, if you control the docker hosts only allow passwordless ssh.
Ken
| Assignee | Manuel Escriche [ mev ] | Kenneth Nagin [ knagin ] |
| Summary | [Fiware-creatifi-coaching] [creatiFI Italy Hub] Update the Linux operating system on which GE and SE applications are installed | [Fiware-creatifi-coaching] [creatiFI Italy Hub] Update the Linux operating system on which GE and SE applica ions are installed - Question 2 |
| Sender Email | amaestrini@create-net.org |
| Assignee | Kenneth Nagin [ knagin ] | Manuel Escriche [ mev ] |
I think question
1. Do we have to add some exceptions when updating the operating system
(kernels, packages...) which conflict with the
GE and SE applications after update and result in the loss of functionality
of the apps.
Can only be answered by GE and SE owners.
Manuel I am passing the problem back to you to reassign to the GE owners
--Ken
I will respond to
2. What is the recommended security (best practices) about the GEs and SEs
applications installed with Docker?
The best practice for docker is to limit the external ports that you expose to the user as much as possible.
The services listening on the exposed ports are your most vulnerably part of the application. If you have a database to access do not allow the user direct access to the db, rather place an api to filter out requests.
Do not allow ssh, telnet, etc. access to the containers; use attach, log, and exec for debugging.
Likewise, if you control the docker hosts only allow passwordless ssh.
Ken
Dear,
given that the majority of the GEs are related to the "Applications/Services and Data Delivery" chapter, could be useful to ask someone expert in this domain
BR
| Assignee | Manuel Escriche [ mev ] | Kenneth Nagin [ knagin ] |
Kenneth, would you try to help with issues related to Docker? Thanks
Dear Silvio, Dear Andrea,
I try to forward the request to the most appropiate person.
Ok, I understand we can't count on node administrators. Then, I have to think of GE owners.
Then, after reading the questions one more time, I'd forward it to Docker GE owner.
Would that be helpful? Or would it be better CKan, or any other GE Owner.
Kind regards,
Manuel
Dear Manuel,
I check with Andrea (He can see the tHELP ticket, but he can not reply on jira).
The applicant doesn't use FIWARE Lab node, but another cloud service. He was asking for some suggestion regarding the update of the Linux operating system on which he has different GEs installed (as described in his ticket).
Can you give him some suggestion, please?
BR
| Status | Open [ 1 ] | In Progress [ 3 ] |
Sorry!, I meant what NODE are you working with?
Dear Andrea,
Would you please let me know what know are you working with in order to put you in contact with the node administrator?
Thanks in advance!
Manuel
| Assignee | Alessandro Portosa [ aportosa ] | Manuel Escriche [ mev ] |
| HD-Enabler | Unknown [ 10910 ] | Docker [ 10868 ] |
| Assignee | Manuel Escriche [ mev ] | Alessandro Portosa [ aportosa ] |
| Assignee | Daniele Santoro [ danieles ] | Manuel Escriche [ mev ] |
| Assignee | Manuel Escriche [ mev ] | Daniele Santoro [ danieles ] |
| Assignee | Manuel Escriche [ mev ] |
| Component/s | FIWARE-TECH-HELP [ 10278 ] | |
| Component/s | FIWARE-LAB-HELP [ 10279 ] |
| Component/s | FIWARE-LAB-HELP [ 10279 ] | |
| Component/s | FIWARE-TECH-HELP [ 10278 ] |
| HD-Enabler | Unknown [ 10910 ] | |
| HD-Chapter | Unknown [ 10845 ] | |
| HD-Node | Unknown [ 10852 ] |
Comment by amaestrini@create-net.org :
Dear Manuel,
thanks for the feedback I have already reply to the applicant about
question 2 some days ago when I saw the Kenneth answer on public HELP.
Thanks for question 2 as well.
BR
Andrea
On Thu, Jun 30, 2016 at 11:31 AM, Help-Desk <jira-help-desk@fi-ware.org>
wrote:
>
>