@yuvipanda
Collaborator

lsof is helpful in figuring out ports in use, which will become
perhaps increasingly useful thanks to usage of
https://github.com/jupyterhub/jupyter-server-proxy/. There isn't
any extra security exposure here.

Fixes https://phabricator.wikimedia.org/T283984

@crookedstorm
Collaborator

Any additional information gathering software is something I presume has security implications in fingerprinting, but I mean lsof doesn't worry me. That said, I have way more concerns about jupyter-server-proxy. We haven't implemented network policies yet on that cluster that prevent this, but my impression here is that the proxy process runs inside the user pod? I feel like I've missed something since my attention has been elsewhere.

I think this PR is fine, and I'll approve it. That said, I want to review the network pathway for some of the new stuff that has been added to make sure it is reasonably secure (not for the pod but for the cluster...if you get your pod or temporary proxy crashed, that's a different matter), and I also want to make sure future network hardening or changes don't remove functionality we want. I'm just commenting that here because I feel like I've been out of the loop on some of the recent things, and the expansion of functionality is quick enough to be concerning to me. If I don't have time to kick it around myself much or attack it for fun, I may hit you up sometime soon to ELI5 it for me @yuvipanda 😄

crookedstorm previously approved these changes Jun 28, 2021
Collaborator

@crookedstorm crookedstorm left a comment

Seems like a fine idea. My comments are kind of tangential to this change.

@yuvipanda
Collaborator Author

Happy to chat about jupyter-server-proxy, @crookedstorm! It doesn't add any new network flows to the infrastructure that weren't already possible, just makes it a bit easier.

@vivian-rook vivian-rook merged commit a378845 into toolforge:master Dec 1, 2021