Infer Docker Registry Hashes for Local Image Layers


In recent weeks I spent some time working on security analysis of Docker container images in an environment that used multiple container registries. The goal of the project was to ensure that application images are built against known-good / certified base images. There was an unforeseen factor that complicated this work: the organizationally approved base images reside in an old Quay Enterprise 2.9.x server that does not support the latest Docker registry API (Image Manifest Version 2, Schema 2), which prohibited a simple check of image layer hashes because the hashes are calculated differently and don't match up.

To get around this I crafted a solution that calculates the 'new' hash for each layer of the approved base images and used the calculated layer hashes to compare against application images. If you want to jump to the code, see this repo: InferDockerRegistryHash. For more details, read on below.


Ad-hoc repairs to a failed gitlab-ce upgrade (12.8 -> 13.0.8)


While attempting to upgrade a dockerized instance of gitlab-ce I found a number of error messages like this that caused the upgrade to fail and a rollback to the previous version to fail as well:

7/6/2020 11:07:37 AMRunning handlers:
7/6/2020 11:07:37 AMThere was an error running gitlab-ctl reconfigure:
7/6/2020 11:07:37 AM
7/6/2020 11:07:37 AMrunit_service[redis] (redis::enable line 66) had an error: Errno::ENOENT: template[/var/log/gitlab/redis/config] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/runit/libraries/provider_runit_service.rb line 136) had an error: Errno::ENOENT: No such file or directory @ realpath_rec - /opt/gitlab/sv/redis/log/config

Minikube 1.6.2 + Cilium 1.6.5 on Ubuntu 19.10


It's time to refresh one of my Minikube installations: I'd like to play around with Cilium some more, and Minikube is the most direct route to a functioning test cluster. The last time I set up a Minikube/Cilium cluster was back in 2018, and I hope the installation is more streamlined now.

My purpose in this is to minimize what is installed to my host workstation. I prefer a greater degree of isolation between my host and experiments.


Unifi server controller stops working after upgrade to 5.12.35-12979-1


While upgrading my home network's Unifi server installation I found that the upgrade hung for an abnormally long time, and after it 'finished' the web console would not load. Investigating further, it appears that somehow the port configuration for Mongo changed in this (or a prior?) version of the Unifi software, which led to it not being able to communicate with the Mongo server. When addressing this configuration issue I found I had a disk space issue to contend with, so it's been a 'fun' morning.


Work-around: Docker Volumes on Windows without File and Print Sharing


We encountered an issue where a developer was trying to use Docker Desktop for Windows and kept getting a message about being unable to share their local volume. Company security policy disabled File and Printer Sharing at the firewall level, which left us with some trouble for people trying to develop in Docker on Windows Desktop.

To see the helper script, head over to the GitHub repo.


Windows 10: Disable persistent WiFi Auto-connect


I had an issue where WiFi auto-connect could not be disabled for a corporate WPA2-Enterprise network (the "Connect automatically when in range" setting was not persisted). This can be an issue if you want to minimize your exposure to WiFi phishing attacks à la WiFi Pineapple. Searching around, I found a way that seems to let me disable the auto-connect.


How to set a pre-existing docker container to start on boot


Sometimes I forget to set the --restart=always flag on Docker containers that should be persistent. Fortunately for me, the creators of Docker anticipated my use case and provide a quick way for me to rectify the issue.


Work-around for poor handling of High DPI screens in VMWare Workstation 14 (Kali Linux)


VMWare Workstation 14 does a poor job of handling High DPI screens. Linux VMs running on a laptop with a HiDPI screen don't display at the expected full size. One way to work around this is using xrandr and display scaling from within the virtual machine.


Lock down AWS Fargate networking when using ECR as an image repository (VPC Endpoints)


We set up an 'internal only' Fargate task the other day that locked down all outbound egress traffic. This required more effort than anticipated, and I want to have some reference I can look back on in case I run into this issue again.

Updated September 2019 to include notes on how other VPC Endpoints can impact Fargate tasks.


Bitlocker asks to verify recovery key after switch to/from legacy boot


We ran out of disk space on an old Dell Latitude E5530 and wanted to upgrade the disk without reinstalling Windows and applications. Clonezilla and an external SATA/USB drive enclosure were used to duplicate the disk.

Once the new disk was installed we had an issue where Windows would not boot without validating the BitLocker recovery key. Unfortunately for us, we hadn't backed up the recovery key. Fortunately, we were able to get around this issue.