I have a question regarding the security of Fly apps. Say I have a container I deploy. The container is built as a scratch image and does not have an OS or filesystem, just a statically linked binary in it.
On a Docker host this would be pretty secure, as there is no way to break into the container and create a shell, read environment secrets or files. Sure, the application binary still needs to be protected; that one could be misused.
Since Fly does not run containers but creates VMs, what exists in this VM? If someone breaks into it, is there a shell? Could the environment variables be read? That is where Fly stores the secrets of your deployment.
I couldn’t find any info about that on the public website.
Yes, you can get a shell, e.g. fly ssh console will give you a shell on one of your app’s Machines. The environment can be read. Secrets are actually stored in a system called Petsem (a replacement we built for HashiCorp’s Vault), and injected into Machines.
as much as I hate to say it: the premise of the question is incorrect.
indeed, in both cases, if a /bin/sh or equivalent (or /etc/passwd in a Fly Machine) is not present in the image, it is not possible to spawn an interactive shell - but it is absolutely still possible to read data from the running container.
both from a docker host and from a Fly Machine host, it is possible to inspect memory of a process running in the container, and gain access to secrets/files.
the difference between a docker container and a Fly Machine in this case is that the host Linux kernel is not accessible from a Fly Machine.
in a docker container, the compromise of the kernel would allow for access to other containers, but in a Fly Machine it would only allow for access to other things running in the same Machine (which, there aren’t any).
tl;dr: in both cases an attacker on the host can read secrets from containers. in the Fly Machine case, it is significantly harder (I won’t say impossible) for an attacker inside a container to escape to the host.
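To make the point of the reply above concrete (a scratch image with no shell does not hide the environment from whoever controls the host), here is a small added example, written for this thread and not code from Fly or from either poster. It starts a child process with a constructed secret in its environment, standing in for a secret injected into a Machine, and then reads that secret back from the outside through `/proc/<pid>/environ`. The child never spawns a shell and never touches the filesystem; the value is still visible. It assumes a Linux `/proc` and a child owned by the same user (the host side would normally be root, which is the weaker assumption). The variable name `APP_SECRET` and its value are constructed for the demo.

```python
import os
import subprocess
import sys


def read_process_environ(pid):
    """Return the environment of process `pid` as a dict, read from /proc.

    Linux only. Works for processes owned by the caller, or for any
    process when running as root; a host operator is normally the latter.
    """
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read()
    env = {}
    # /proc/<pid>/environ is NUL-separated KEY=VALUE entries.
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def demo(secret="constructed-demo-token-123"):
    """Start a child with a secret in its environment and read it back from
    the parent (host) side. Returns the value seen from outside the process.

    APP_SECRET is a constructed stand-in for a deployment secret injected
    into a Machine's environment; it is not a real Fly variable name.
    """
    child_env = {
        "PATH": os.environ.get("PATH", "/usr/bin"),
        "APP_SECRET": secret,  # constructed secret for the demo
    }
    # The child only sleeps: no shell, no file access, much like a static
    # binary in a scratch image. Popen returns after exec() has succeeded,
    # so the child's environ already reflects `child_env`.
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"],
        env=child_env,
    )
    try:
        seen = read_process_environ(child.pid)
        return seen.get("APP_SECRET")
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("secret visible from outside the process:", demo())
```

The takeaway for the original question is the one the reply gives: stripping the shell out of the image raises the bar for someone already inside the container, but it does nothing against someone with host access, who can read environment and memory directly. The isolation question is therefore about how hard it is to reach the host, not about what is in the image.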