sshd zombie process #28

Open
petrus-v opened this issue Dec 10, 2018 · 9 comments
Comments

@petrus-v (Author)

On each new connection a process is spawned by sshd, even if the user is not connected.

I guess the zombie process is held by the docker entrypoint itself ?!

  • We should offer a way to let sysadmins use a custom sshd config by binding /etc/ssh/sshd_config, to allow sshd to listen only on a secure network interface
  • We should bind sshd logs somewhere to let sysadmins configure some fail2ban-like apps
  • We must close zombie processes properly
  • We should build this image automatically in order to upgrade the software inside

We may want to split those points in different tickets !

@petrus-v (Author)

alias drunc="sudo docker-runc --root /run/docker/plugins/runtime-root/plugins.moby/"
ID                                                                 PID         STATUS      BUNDLE                                                                                                                                              CREATED                         OWNER
d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475   1182        running     /run/docker/libcontainerd/containerd/io.containerd.runtime.v1.linux/plugins.moby/d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475   2018-12-08T23:24:05.98669913Z   root
drunc exec d30ed7a4b80dd08518ece46a7bfe30c1b2dd90b26971f88b93e3de591c777475 ps -aux | wc -l
8774

@petrus-v (Author)

short howto, after a host restart, to stop outside connections:

sudo iptables-save > iptable-save-`date "+%Y-%m-%d"`; cp iptable-save-`date "+%Y-%m-%d"` iptable-fix
edit iptable-fix adding the filter rule:
-A INPUT -i enp1s0f0 -p tcp --destination-port 1122 -j DROP

check:
mlf@tayt ~ $ diff -C 10 iptable-save-`date "+%Y-%m-%d"` iptable-fix
*** iptable-save-2018-12-10	Mon Dec 10 23:55:17 2018
--- iptable-fix	Mon Dec 10 23:57:36 2018
***************
*** 46,65 ****
--- 46,66 ----
  *filter
  :INPUT ACCEPT [41182:4904764]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [29470:18318889]
  :DOCKER - [0:0]
  :DOCKER-ISOLATION-STAGE-1 - [0:0]
  :DOCKER-ISOLATION-STAGE-2 - [0:0]
  :DOCKER-USER - [0:0]
  :sshguard - [0:0]
  -A INPUT -j sshguard
+ -A INPUT -i enp1s0f0 -p tcp --destination-port 1122 -j DROP
  -A FORWARD -j DOCKER-USER
  -A FORWARD -j DOCKER-ISOLATION-STAGE-1
  -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o docker0 -j DOCKER
  -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
  -A FORWARD -i docker0 -o docker0 -j ACCEPT
  -A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o docker_gwbridge -j DOCKER
  -A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
  -A FORWARD -o br-ab07140fdde8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
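Review bot: the new `-A INPUT -i enp1s0f0 -p tcp --destination-port 1122 -j DROP` only matches packets delivered to sockets in the host network namespace; if port 1122 is a Docker-published port, the connection is DNATed in the nat table and then traverses FORWARD (the `-A FORWARD -j DOCKER-USER` jump right below the added line), never INPUT, so it is not blocked at all. For a published port the filter belongs in DOCKER-USER (`-I DOCKER-USER -i enp1s0f0 -p tcp --dport 1122 -j DROP`); the INPUT rule is right only when sshd binds directly on the host network. Note also that iptables-restore by itself does not persist across a reboot, which is why this has to be repeated after each host restart.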

sudo iptables-restore -c < iptable-fix
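The "edit the iptables-save dump, then iptables-restore it" procedure above, done without hand-editing, as an added example that is not code from this thread or from the buttervolume project. It places the DROP rule as the first rule of a chosen chain exactly once, so re-running it after every host restart is safe, and it refuses chains the dump does not declare (iptables-restore would reject such a rule). The interface name, port and chain names are taken from the dump above and are illustrative assumptions; the sample dump is constructed from the *filter section shown there. It goes beyond the original by also supporting DOCKER-USER, which is where a rule for a Docker-published port has to live.

```python
# Added example, not buttervolume code: idempotent insertion of a DROP rule into
# an iptables-save dump. Interface/port/chain names below are assumptions.


def add_drop_rule(dump: str, chain: str, iface: str, port: int) -> str:
    """Return `dump` (iptables-save text) with
        -A <chain> -i <iface> -p tcp --dport <port> -j DROP
    as the FIRST rule of `chain` in the *filter table, so it is evaluated before
    anything else in that chain. Idempotent: an identical rule already present
    is removed and re-inserted at the front. Raises ValueError if the chain is
    not declared in *filter, since iptables-restore would reject the rule."""
    rule = f"-A {chain} -i {iface} -p tcp --dport {port} -j DROP"
    out, table, declared, done = [], None, False, False
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line                      # which table we are in
        elif table == "*filter":
            if line.startswith(f":{chain} "):
                declared = True               # chain policy/counter line
            elif line == rule:
                continue                      # old copy: drop, re-add below
            elif not done and (line.startswith(f"-A {chain} ") or line == "COMMIT"):
                if not declared:
                    raise ValueError(f"chain {chain} is not declared in *filter")
                out.append(rule)              # before the chain's first rule,
                done = True                   # or before COMMIT if it has none
        out.append(line)
    if not done:
        raise ValueError("no *filter table in dump")
    return "\n".join(out) + "\n"


def rules_of(dump: str, chain: str) -> list:
    """Rules of `chain` in evaluation order (helper for checking the result)."""
    return [l for l in dump.splitlines() if l.startswith(f"-A {chain} ")]


# Constructed sample, modelled on the *filter section of the diff above.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [41182:4904764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29470:18318889]
:DOCKER-USER - [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
"""


if __name__ == "__main__":
    # INPUT is right for an sshd bound on the host network; a Docker-published
    # port is DNATed and only traverses FORWARD -> DOCKER-USER, never INPUT.
    for chain in ("INPUT", "DOCKER-USER"):
        print(add_drop_rule(SAMPLE_DUMP, chain, "enp1s0f0", 1122))
```

iptables-save writes the option as `--dport`, so the rule uses that spelling: after one restore/save round trip the file contains `--dport`, and the idempotence check must compare against what the dump will actually contain, not the `--destination-port` form typed by hand.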

@ccomb (Owner) commented Dec 11, 2018

Looks like a common problem on containers, that was fixed by adding a --init option to docker run, but probably not fixed for docker plugins?
Anyway I just tested using tini and it solves the problem. I'm releasing a new version now.
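The mechanism behind the 8774 processes counted above, and what `docker run --init` or tini fix, as an added example that is not code from this thread or from the buttervolume project. A process that has exited stays in state Z until its parent calls wait(); orphans are reparented to PID 1, so a container entrypoint that never reaps collects every orphaned child forever. The block assumes Linux and uses PR_SET_CHILD_SUBREAPER through ctypes so an ordinary process can adopt orphans the way `tini -s` does (inside a container the entrypoint already is PID 1 and needs no such call); the reaping loop is the part every PID 1 must run.

```python
# Added example, not buttervolume/tini code: zombies, orphan reparenting and the
# non-blocking reaping loop an init process needs. Assumes Linux for /proc and prctl.
import ctypes
import os
import sys

PR_SET_CHILD_SUBREAPER = 36  # value from <linux/prctl.h>


def become_subreaper() -> bool:
    """Ask the kernel to reparent orphaned descendants to us instead of PID 1
    (what `tini -s` does). Returns False when not on Linux or if prctl fails."""
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    return libc.prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) == 0


def proc_state(pid: int):
    """One-letter state from /proc/<pid>/stat ('Z' = zombie); None if no entry."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except FileNotFoundError:
        return None
    # comm (field 2) may contain spaces, so split after its closing parenthesis
    return stat.rsplit(")", 1)[1].split()[0]


def wait_without_reaping(pid: int) -> None:
    """Block until `pid` has exited but leave its status uncollected (WNOWAIT),
    which is exactly the state a zombie is in."""
    os.waitid(os.P_PID, pid, os.WEXITED | os.WNOWAIT)


def reap_all() -> list:
    """The loop a PID 1 must run (typically from a SIGCHLD handler): collect
    every exited child without blocking, until none is pending."""
    reaped = []
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:   # no children at all
            break
        if pid == 0:                # children exist but none has exited yet
            break
        reaped.append(pid)
    return reaped


def spawn_exiting_child() -> int:
    """Fork a child that exits at once; it is a zombie until someone waits for it."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    return pid


def spawn_orphan() -> tuple:
    """Fork a child that forks a grandchild and exits, like a daemonising service:
    the grandchild is orphaned and reparented to the nearest subreaper, else to
    PID 1. Returns (child pid, grandchild pid); the pid travels over a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        gpid = os.fork()
        if gpid == 0:
            os._exit(0)
        os.write(w, str(gpid).encode())
        os._exit(0)
    os.close(w)
    gpid = int(os.read(r, 32))
    os.close(r)
    return pid, gpid


def demo() -> dict:
    subreaper = become_subreaper()
    zombie = spawn_exiting_child()
    wait_without_reaping(zombie)
    state_before = proc_state(zombie)        # 'Z' on Linux: exited, not reaped
    child, orphan = spawn_orphan()
    wait_without_reaping(child)              # child gone, so orphan was reparented
    if subreaper:
        wait_without_reaping(orphan)         # it is our child now: we can wait on it
    reaped = reap_all()
    return {"subreaper": subreaper, "zombie": zombie, "state_before": state_before,
            "state_after": proc_state(zombie),   # None: /proc entry gone once reaped
            "child": child, "orphan": orphan, "reaped": reaped}


if __name__ == "__main__":
    print(demo())
```

Without the subreaper step (or without being PID 1 in a container) the orphan goes to the real init, which reaps it; in a container whose PID 1 is a shell script or a daemon that never calls wait(), every such orphan stays in state Z until the container is stopped, which is what `ps -aux | wc -l` inside the plugin container was counting.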

@ccomb (Owner) commented Dec 11, 2018

Just released version 3.6 with the fix for zombie processes. Already using it in production on a small server. I checked that incoming ssh connections don't create zombie processes.

@petrus-v (Author)

yes, I use the dumb-init project in some projects for the same reasons, with quite the same article.

thanks for upgrading. Is there no risk in upgrading while some anybox/buttervolume:latest is present on the server?

@ccomb (Owner) commented Dec 12, 2018

No risk to upgrade, it's OK !

@petrus-v (Author)

ok thanks

@petrus-v (Author)

This one has been fixed.

@petrus-v (Author)

hmm, not all points mentioned:

  • We should offer a way to let sysadmins use a custom sshd config by binding /etc/ssh/sshd_config, to allow sshd to listen only on a secure network interface
  • We should bind sshd logs somewhere to let sysadmins configure some fail2ban-like apps
  • We must close zombie processes properly
  • We should build this image automatically in order to upgrade the software inside
