Wednesday, May 11, 2016

Pro Tip: Do not remove 'kmod' in an Ubuntu LXC Container. It removes '/sbin/init'

Long story short: Do not remove the package 'kmod' on Ubuntu systems. Various packages depend on it, including cron and upstart, so removing it takes them out too. Since upstart provides /sbin/init, the container will then fail to start.

I was in the process of trimming down an LXC container and in doing so I noticed the 'kmod' package. Its description makes it look like the perfect candidate for removal in an LXC container, where there is no kernel to load modules into:

justin@deimos:~$ apt-cache show kmod

Description-en: tools for managing Linux kernel modules
 This package contains a set of programs for loading, inserting, and
 removing kernel modules for Linux.
 It replaces module-init-tools.
After removing this package, along with the packages cron and upstart that went with it, I restarted my container. When it failed to start, I enabled the log feature and found this error:

      lxc-start 1462981210.791 NOTICE   lxc_start - start.c:start:1152 - exec'ing '/sbin/init'
      lxc-start 1462981210.791 ERROR    lxc_start - start.c:start:1155 - No such file or directory - failed to exec /sbin/init
      lxc-start 1462981210.791 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
      lxc-start 1462981210.791 ERROR    lxc_start - start.c:__lxc_start:1080 - failed to spawn 'lxc_container'

I thought I might have been fighting with previously closed bugs, but it turned out to be my own overzealousness in saving a few bytes of disk space. Oops!



Monday, May 9, 2016

Embedding Redmine within an IFrame

In this post I'm going to describe how I used NGINX to remove the X-Frame-Options header so that we could embed Redmine inside another webapp.

Our dev team at Indosoft, Inc had created a set of Work Flow tools to help process tickets in our issue tracking software. The workflow tools run on one server and embed the Redmine webapp inside an IFrame. Redmine runs in an LXC container and is proxied by NGINX. The NGINX container forces all clients to use an HTTPS connection, and the workflow tool also uses a valid SSL certificate.

The problem is that Redmine, which is written in Ruby, was setting the header 'X-Frame-Options: SAMEORIGIN' in its HTTP responses. Since the workflow tools and Redmine were served from different URLs (and therefore different origins), the web browsers were refusing to load Redmine in the IFrame.

I knew that I should be able to use NGINX to solve this problem. It turns out that the 'ALLOW-FROM uri' option should have been able to solve it, however it is not and will not be implemented in Chrome. If you want to read the conversation the Chrome developers had, follow this link: https://bugs.webkit.org/show_bug.cgi?id=94836

So it seems the easiest and most straightforward way is to remove the 'X-Frame-Options' response header as it passes through NGINX. NGINX's proxy module gives us the tool we need: using the proxy_hide_header option we can strip any header out of the response from the proxied server before sending it off to the client.

        location / {
                proxy_pass http://x.x.x.x:80/;
                proxy_set_header Host            $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_hide_header X-Frame-Options;
        }
This approach is at best only a partial fix. Stripping the header altogether weakens the security of our embedded webapp: with no framing policy at all, any site can frame Redmine, which leaves users exposed to clickjacking and related XSS exploits. We have a few options to explore if this is unacceptable. NGINX could be configured to strip this header only when the client IP is on a whitelist, at the cost of some system administration overhead, but again that is not ideal. The proper solution to improve the security of this setup seems to be to implement a Content Security Policy (CSP), which can express exactly which origins are allowed to frame the page.
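To see what the three states of this setup mean to a browser, here is an added example (my own illustration, not the post's or Redmine's code) that models the framing rules: X-Frame-Options with DENY, SAMEORIGIN and ALLOW-FROM, and the CSP frame-ancestors directive that browsers honour in preference to it. The hostnames redmine.example and workflow.example and the sample header sets are constructed placeholders; the stripped response admits any site, while the CSP variant admits only the workflow tool.

```python
"""Decide whether a browser would let a document at `embedder_url` frame the
page at `page_url`, given the page's response headers: X-Frame-Options (DENY,
SAMEORIGIN, ALLOW-FROM) and CSP frame-ancestors, which takes precedence."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Origin of a URL: scheme + host (+ explicit port), lower-cased."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _source_matches(src: str, page: str, embedder: str) -> bool:
    """One frame-ancestors source ('none', 'self', https:, https://*.host, origin)."""
    src = src.lower()
    if src in ("'none'", "'self'"):
        return src == "'self'" and embedder == page
    if "://" not in src:  # scheme-only source such as https:
        return src.endswith(":") and embedder.startswith(src + "//")
    scheme, _, host = src.partition("://")
    e_scheme, _, e_host = embedder.partition("://")
    if scheme != e_scheme:
        return False
    return e_host.endswith(host[1:]) if host.startswith("*.") else e_host == host


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if `embedder_url` may put `page_url` in an iframe under `headers`."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, page, embedder) for s in parts[1:])
    value, _, uri = h.get("x-frame-options", "").strip().partition(" ")
    value = value.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder == page
    if value == "ALLOW-FROM":  # honoured by Firefox/IE; Chrome ignores the header
        return origin_of(uri.strip()) == embedder
    return True  # no header, or an unrecognised value: any site may frame the page

# Constructed sample responses (placeholder hostnames): what Redmine sent, what
# the proxy sends after proxy_hide_header, and a CSP that admits only the tool.
REDMINE, WORKFLOW = "https://redmine.example/", "https://workflow.example/"
BEFORE, STRIPPED = {"X-Frame-Options": "SAMEORIGIN"}, {}
HARDENED = {"Content-Security-Policy": "frame-ancestors 'self' https://workflow.example"}
```

Run framing_allowed() against the headers your proxy actually returns (for example from the output of curl -I) to confirm which origins may embed the page.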

In my follow-up article to this one, I'll tackle how to inject the CSP directives into the response headers.

Thursday, May 5, 2016

Canadian Cell Tower Map

I stumbled upon a neat mashup that Steven Nikkel put together. It is interesting to see where the cell towers are and which bands they handle.

http://www.ertyu.org/steven_nikkel/cancellsites.html
This is good to know ahead of time when you are travelling through rural and very remote areas.

What usually happens when I've been out in the woods while ATV'ing is that we'll stop and find that we have picked up the odd signal from a tower and a few text messages have come in. This might not sound like a big deal, but I'm talking about locations that are so far from the official dead zone that it's pretty cool to find these odd spots that do make contact with a tower.

Next ATV trip I'm going to try figuring out where more sweet spots are in case of emergency. I'll have to admit, this may end up being a fun and geeky hobby.