Changing to docker and receiving Illegal mix of collations (latin1_danish_ci,IMPLICIT) and (latin1_swedish_ci,IMPLICIT) for operation ‘=’ error

I am attempting to change our application from a server to a docker on a virtual machine. We are using mysql for data, and tomcat (spring) for the gui. It seems to work well in the docker, except for when a stored procedure is called. It gives the error message:

Request processing failed; nested exception is java.lang.RuntimeException: java.sql.SQLException: Illegal mix of collations (latin1_danish_ci,IMPLICIT) and (latin1_swedish_ci,IMPLICIT) for operation '=' 

This error message does not occur when the application is run on the server (not the docker version), so I am assuming there is some configuration that I have not been able to transfer from the original application to the docker based application. Since it works with the same data on the server, I don’t think it should be necessary to change the tables or the procedure.

The docker creates a mysql:5 container and a tomcat:8 container and they communicate through a docker network. The GUI connects with the database with this line:

jdbc.url=jdbc:mysql://localhost:3306/pdb?useUnicode=true&characterEncoding=iso-8859-1&noAccessToProcedureBodies=true 

I have only changed ‘localhost’ to ‘db’, as tomcat and mysql are on separate containers on the docker version. I have tried a few variations of characterEncoding, like latin2, but with no luck.

I have been looking at the config files in /etc/mysql/ but I haven’t found anything that seems relevant.

Does anyone know what settings I have been missing, or what more I can do to further narrow down the problem? I am new in this line of work, and am teaching myself both docker and mysql while working on this transfer.

start proxy server on docker containers for http request from host

I have a docker container connected to a VPN, but sometimes I need to open a URL in a browser for debugging.

I cannot run the VPN on my host machine for security reasons. Specifically, I want to open the URL on my host machine and intercept the request with Burp Suite. I already tried some “python proxy servers” from GitHub to start a proxy on my docker machine and connect my host to it, without success.

Has anyone done something similar? Any ideas?

P.S. Sorry for my English. 🙂

I’m seeing strange names in my list of docker containers, is someone having fun at docker or is that from hackers?

I’m trying to run a docker and it fails for various reasons. As I check my list of dockers (docker ps -a), I see those names:

pedantic_gauss recursing_feynman adoring_brattain suspicious_tesla gallant_gates competent_gates elated_davinci ecstatic_mahavira focused_mirzakhani 

I use docker-compose and I’m sure we do not have such names in our setup files. Is that just something docker people thought would be fun to do?! I searched on some of those names and could not really find anything useful, although it looks like these appear on many sites, somewhat sporadically.

Is accessing /proc/ inside docker container a security breach?

In a docker container I am reading the files /proc/stat and /proc/meminfo. As I understand it, they are the ones of the host (not local to the docker container). In a meeting, a co-worker said that this is a security breach and must be vetted by internal security consultants. The container runs neither privileged nor as root, and neither does my program inside the container.

Question 1: Is he right in saying that this is a security breach?

Question 2: What if I bind-mounted the host’s /proc directory to some folder of the container? Would that then be a security breach?

Secure elasticsearch in Docker

How can I secure elasticsearch for production use in Docker?

I use this docker-compose.yml:

    version: '2'
    services:
      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch:5.6.16
        container_name: elasticsearch
        restart: unless-stopped
        environment:
          - "network.host=0.0.0.0"
          - "http.port=9200"
          - "cluster.name=elasticsearch"
          - "node.name=db-master"
          - "node.master=true"
          - "node.data=true"
          - "bootstrap.memory_lock=true"
          - "ES_JAVA_OPTS=-Xms6g -Xmx6g"
          - xpack.security.enabled=false
        ulimits:
          memlock:
            soft: -1
            hard: -1
        mem_limit: 12g
        volumes:
          - esdata:/usr/share/elasticsearch/data
        ports:
          - 127.0.0.1:9200:9200
        networks:
          - esnet
    volumes:
      esdata:
        driver: local
    networks:
      esnet:

I want elasticsearch to be accessible only on localhost network (only local apps should access it), so it shouldn’t be accessible from internet. I use bind to localhost - 127.0.0.1:9200:9200, but I don’t know if it is enough.
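An added example (not part of the original post) showing how the short-syntax `ports` entries in the compose file above resolve to a host bind address, and which settings an audit of that file would flag. The function names and the constructed variant are illustrative; the default bind address is an assumption stated in the code.

```javascript
// Added example: audit a Compose service for ports published beyond loopback.
const LOOPBACK = /^(127(\.\d{1,3}){3}|::1)$/;

// Parse Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
function parsePort(spec) {
  const [mapping, proto = "tcp"] = String(spec).split("/");
  let hostIp = null;
  let rest = mapping;
  const v6 = mapping.match(/^\[([^\]]+)\]:(.*)$/);    // "[::1]:9200:9200"
  if (v6) {
    [, hostIp, rest] = v6;
  } else if (mapping.split(":").length === 3) {       // "127.0.0.1:9200:9200"
    const cut = mapping.indexOf(":");
    hostIp = mapping.slice(0, cut);
    rest = mapping.slice(cut + 1);
  }
  const parts = rest.split(":");
  const container = parts.pop();
  const host = parts.pop() || null;                   // null: Docker picks a free host port
  // Assumption: the daemon's default bind address is unchanged, so a mapping
  // without a host IP is published on all interfaces (0.0.0.0).
  const bind = hostIp || "0.0.0.0";
  return { bind, host, container, proto, loopbackOnly: LOOPBACK.test(bind) };
}

function auditService(name, service) {
  const findings = [];
  for (const spec of service.ports || []) {
    const p = parsePort(spec);
    if (!p.loopbackOnly) {
      findings.push(`${name}: ${p.container}/${p.proto} published on ${p.bind}, not limited to loopback`);
    }
  }
  for (const entry of service.environment || []) {
    if (/^xpack\.security\.enabled=false$/i.test(entry)) {
      findings.push(`${name}: X-Pack security disabled, HTTP API has no built-in authentication`);
    }
  }
  return findings;
}

// The service from the compose file above, reduced to the keys this audit reads.
const asPosted = {
  ports: ["127.0.0.1:9200:9200"],
  environment: ["network.host=0.0.0.0", "http.port=9200", "xpack.security.enabled=false"],
};
// Constructed variant: the same service with the host IP left off the mapping.
const withoutHostIp = { ...asPosted, ports: ["9200:9200"] };

console.log(auditService("elasticsearch", asPosted));
console.log(auditService("elasticsearch", withoutHostIp));
```

The `network.host=0.0.0.0` entry is the bind address inside the container, so the audit does not treat it as host exposure.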

getting error while installing docker: “docker-ce : Depends: containerd.io (>= 1.2.2-3) but it is not going to be installed”

I am trying to install docker on my ubuntu 18.04, but I am getting this error while installing docker. The error says: The following packages have unmet dependencies: docker-ce : Depends: containerd.io (>= 1.2.2-3) but it is not going to be installed, E: Unable to correct problems, you have held broken packages.

Can an intruder use a Docker Desktop installation to run keyboard or other capture (audio/video, network) on a Windows 10 system?

I’m not looking for a howto for an exploit.

“lostvicking” in a Docker forums post seems to be trying to mount their webcam device into a docker container but does not succeed:

Is it possible to forward webcam video to a docker image from Windows 10? I’ve seen the same question asked for Linux and the solution seems to be to use:

docker run --privileged -v /dev/video0:/dev/video0

Is there a similar trick when I’m running Docker in Windows 10? Presumably there is no equivalent mount point that can be bound?

This made me wonder if Docker Desktop could facilitate installation of keyboard capture, or other capture (audio/video, network), either by an adversarial user with physical access to a shared machine (college computer lab; internet cafe) or an online intruder. Or are windows usb devices not sharable with docker containers via Docker Desktop?

Is this possible?

Is there an obvious countermeasure, besides uninstalling Docker Desktop?

Obviously, someone with physical access to a windows machine can instead install native windows malware. This question involves whether Docker Desktop adds an additional, less monitored vector.

systemd ignores docker configuration file at /etc/docker/daemon.json

Docker service will not use /etc/docker/daemon.json configuration during startup.

    user@host:~$ cat /etc/docker/daemon.json
    {
      "exec-opts": ["native.cgroupdriver=systemd"],
      "log-driver": "json-file",
      "log-opts": {
        "max-size": "100m"
      },
      "storage-driver": "overlay2"
    }

I have to use systemctl daemon-reload and systemctl restart docker after every reboot, then the docker service will use daemon.json file to override default settings.

Is there a way to make this persistent?

Is storing a JWT secret as docker env variable acceptable?

I understand how JWTs work and that with my secret anyone can issue new tokens. I control the server that my node website runs on and am considering different options for hosting the key.

  1. In code – Not acceptable because my code is in a github repo
  2. ENV variable – separate secrets for dev and production while not leaking to github
  3. Store in database – Seems more like #2 with more work, being that an on-machine attacker can find access to the db anyways

#2 looks like the best method for a simple website (no super sensitive user info like credit cards or SSNs). Is this a good solution?