supabase/postgres

Potential miner inside supabase/postgres image

andrasbacsai opened this issue · 3 comments

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I do not have deep Nix knowledge. What is sure is that these files are also reported by server providers when Coolify users self-host Supabase.

Hey, I am the dev behind Coolify. Some of my users reported that a miner (xmrig) is included in the Nix packages of the Supabase/Postgres Docker image. It is probably in one of the dependencies imo.

Several files suggest it's partly true; however, the binary is missing (though this doesn't mean it's not there somewhere, with a different name).

```
/nix/store/.links/06db4afl3pag5bp7icynaxmrigksxyxhl64pjsfjagmrcsi57v2f
/nix/store/0jcxirm8wdmqrdqs7ay71qj2yc4ky9zq-source/nixos/modules/services/misc/xmrig.nix
/nix/store/0jcxirm8wdmqrdqs7ay71qj2yc4ky9zq-source/pkgs/applications/misc/xmrig
```

Just adding what I shared with Andras on Discord here.

Do note it might not be directly included in supabase/postgres but rather NixOS itself, which is used for many Nix packages: NixOS/nixpkgs#142891

By default it's not a running service; you have to enable it with a config. https://www.reddit.com/r/Monero/comments/qqt68f/xmrig_is_now_available_as_a_nixos_service/

To clarify, this is not only not a running service, but it is not even installed. It is just that the nixpkgs repository has been included for some reason as part of the image, and it contains build definitions for almost any software you can think of.

I tested images supabase/postgres:15.8.1.057 and supabase/postgres:17.0.1.050-orioledb - they seem to no longer include nixpkgs

I don't think that there is anything actionable here and this issue should be closed

Closed. This was resolved with recent releases that add some steps to Docker image builds to clear out extra source files. These steps were already part of our AMI image builds. Thanks to you all for making us aware nevertheless 🙏
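An added example, not code from this thread or from Supabase: a Python triage of `xmrig` name matches in a Nix store that separates real executables (including renamed ones, by content) from build definitions and from names where the string only occurs inside a Nix base32 hash. The function names, labels and sample tree are constructed for illustration; it assumes `/nix/store/.links` entries are bare 52-character content hashes and that store paths begin with a 32-character hash.

```python
import os
import re
import tempfile

# Nix base32 omits e, o, t, u: 32-char store-path hash, 52-char .links name.
NIX_HASH = re.compile(r"^[0-9a-df-np-sv-z]{32,52}")

def classify(path, needle="xmrig"):
    """Return a triage label for one path, or None when it is not a hit."""
    name = os.path.basename(path).lower()
    data = b""
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as fh:
            data = fh.read()  # whole-file read: acceptable for one-off triage
    if data[:4] == b"\x7fELF" and (needle in name or needle.encode() in data.lower()):
        return "elf-binary"  # a real executable, whatever it is called
    if needle not in name:
        return None
    if needle not in NIX_HASH.sub("", name):
        return "hash-coincidence"  # match lies inside a hash, not a package name
    return "non-elf-name-match"  # build definition, source directory, docs

def triage(root, needle="xmrig"):
    """Walk root and map each hit's relative path to its label."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for full in (os.path.join(dirpath, e) for e in dirnames + filenames):
            if label := classify(full, needle):
                hits[os.path.relpath(full, root)] = label
    return hits

def build_sample(root):
    """Constructed tree: the three reported paths plus a renamed ELF as a control."""
    src = "0jcxirm8wdmqrdqs7ay71qj2yc4ky9zq-source/"
    files = {
        src + "nixos/modules/services/misc/xmrig.nix": b"# constructed\n",
        src + "pkgs/applications/misc/xmrig/default.nix": b"# constructed\n",
        ".links/06db4afl3pag5bp7icynaxmrigksxyxhl64pjsfjagmrcsi57v2f": b"x\n",
        "renamed-tool": b"\x7fELF" + bytes(12) + b"XMRig (constructed)",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Inside a container, `triage("/nix/store")` gives the same breakdown for the real store. The content check is a plain string search, so a packed or string-stripped binary would not be labelled `elf-binary`.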