Be careful with default postgres password, kdevtmpfsi

[juanpabloaj]

Maybe this topic is not related to the book, but It happened to me when I was trying the code and maybe it could happen to another person.

TL;DR: Postgres with default or weak passwords could be an open door to malware. be careful with that.

I was trying the code in Digitalocean's virtual machine, I was using it with the default Postgres credentials.

A few hours later, I saw a process eating all the CPU, the name of the process kdevtmpfsi.

Long story short, after a quick search in google: kdevtmpfsi is a malware miner.

I deleted the virtual machine and, I created another one from scratch avoiding exposing the database.

To avoid exposing the database I updated the docker-compose file

# docker-compose.yml
version: "3.2"
services:
  db:
    image: postgres:latest
    restart: always
    environment:
      POSTGRES_PASSWORD: "postgres"
    #ports:
      #- 5432:5432
    volumes:
      - ./postgres_data:/var/lib/postgresql/data

  elixir:
    image: elixir:1.12
    command: |
      bash -c "
        mix local.hex --force && \
        mix local.rebar --force && \
        mix deps.get && \
        mix ecto.create  && \
        mix ecto.migrate && \
        tail -f /var/log/faillog
      "
    environment:
      POSTGRES_HOST: db
      BINANCE_API_KEY: ${BINANCE_API_KEY}
      BINANCE_SECRET_KEY: ${BINANCE_SECRET_KEY}
      ERL_AFLAGS: "-kernel shell_history enabled"
    depends_on:
      - db
    stdin_open: true
    tty: true
    working_dir: /app
    volumes:
      - .:/app

With that, you could run the code in the elixir container with

docker-compose up -d
docker-compose exec elixir iex -S mix

I hope that it could be useful.

If this topic is too far away from the book please close it.

Related links

• kdevtmpfsi process consuming cpu on postgres:13 image
• kdevtmpfsi malware miner found in 12-Alpine docker

[Cinderella-Man]

Hi @juanpabloaj 👋

Thank you very much for flagging this. It looks like you made a few changes to the docker file(fixed the issue but also added an elixir instance) - to be sure, the actual fix is to comment out the exposing of the Postgres instance's ports? I thought this is required so the other containers will be able to access it 🤔 I need to check this out as if it works, I will update this in the book 🙏

[juanpabloaj]

to be sure, the actual fix is to comment out the exposing of the Postgres instance's ports?

In this docker-compose file, the database doesn't expose the port to the host, the database's port is only available for the containers in the same containers' network, like the elixir container.

you can check it with this command

$ docker-compose ps
           Name                         Command              State    Ports
-----------------------------------------------------------------------------
db_1       docker-entrypoint.sh postgres   Up      5432/tcp
elixir_1   bash -c                         Up

The previous docker-compose created another behavior for the database port. With the previous docker-compose the database' port was exposed as a host' port.

$ docker-compose ps
    Name                   Command              State           Ports
------------------------------------------------------------------------------
db_1   docker-entrypoint.sh postgres   Up      0.0.0.0:5432->5432/tcp

I am not sure If this is the best approach, it was a quick fix for me, maybe it could be a little confusing for someone new with docker.

And in this case, to use the code you need to use the iex inside of the elixir container. Only the elixir container could access the database.

It could be useful if you prefer to avoid installing elixir on your computer or if you feel comfortable working with containers but could be a little confusing (in my opinion).

I created this discussion to try to warn other readers of the book, maybe a warning in the book about being careful with weak passwords could be enough.

[Cinderella-Man]

I really appreciate that you created this topic ❤️

I will update the book and the source code to use a custom password which will be a good start. I will also add a note that will warn people about the "default" passwords.

As a side note - I think I will use parts of your docker-compose file in the deployment chapter in the future and describe the fact that they could drop the part of the exposing port which is really cool and a proper fix to this issue 😎