{"id":13717123,"url":"https://github.com/bottlerocket-os/hotdog","last_synced_at":"2025-05-07T06:31:57.282Z","repository":{"id":41993725,"uuid":"438819602","full_name":"bottlerocket-os/hotdog","owner":"bottlerocket-os","description":"Hotdog is a set of OCI hooks used to inject the Log4j Hot Patch into containers.","archived":true,"fork":false,"pushed_at":"2023-09-18T21:53:42.000Z","size":211,"stargazers_count":41,"open_issues_count":0,"forks_count":11,"subscribers_count":19,"default_branch":"main","last_synced_at":"2024-11-14T05:33:52.180Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bottlerocket-os.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-12-16T01:07:54.000Z","updated_at":"2024-02-16T21:18:16.000Z","dependencies_parsed_at":"2024-01-14T21:28:28.483Z","dependency_job_id":null,"html_url":"https://github.com/bottlerocket-os/hotdog","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fhotdog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fhotdog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fhotdog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bottlerocket-os%2Fhotdog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bottlerocket-os","download_url":"https://codeload.github.com/bottlerocket-os/hotdog/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252826899,"owners_count":21810201,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T00:01:18.231Z","updated_at":"2025-05-07T06:31:56.877Z","avatar_url":"https://github.com/bottlerocket-os.png","language":"Go","funding_links":[],"categories":["Dependency intelligence"],"sub_categories":[],"readme":"# Hotdog\n\nHotdog is a set of OCI hooks used to inject the\n[Log4j Hot Patch](https://github.com/corretto/hotpatch-for-apache-log4j2) into\ncontainers.\n\n:warning: Hotdog is very close to end-of-life.\nIt has been twenty months since CVE-2021-44228 was discovered, and we expect that the vast majority of Java applications have been patched by this time.\nWe're also not aware of any use of Hotdog outside of Bottlerocket, which no longer uses it.\nTherefore, we plan to end-of-life Hotdog by November 2023.\nPlease [open an issue](https://github.com/bottlerocket-os/hotdog/issues/new) if this affects you.\n\n\n## How it works\n\nWhen runc sets up the container, it invokes `hotdog-cc-hook`.  `hotdog-cc-hook`\nbind-mounts the hotpatch files into the container's filesystem at\n`/dev/shm/.hotdog`.  After the main container process starts, runc invokes\n`hotdog-poststart-hook`, which uses `nsenter` to enter the container's\nnamespaces and fork off a `hotdog-hotpatch` process.  `hotdog-hotpatch` runs\nseveral times with decreasing frequency (currently 1s, 5s, 10s, 30s) to detect\nand hotpatch JVMs inside the container.\n\n## Limitations\n\n* Hotdog only provides hotpatching support for Java 8, 11, 15, and 17.\n* Hotdog only runs for a short time at the beginning of a container's lifetime.\n  If new Java processes are started after the `hotdog-hotpatch` process exits,\n  they will not be hot patched.\n* Hotdog only patches processes named \"java\".  If your Java application has a\n  different process name, hotdog will not patch it.\n* Hotdog works best when the container has its own pid namespace.  If hotdog is\n  used with a container that has a shared pid namespace, the `hotdog-hotpatch`\n  might remain for a short time after the container exits.\n* Hotdog injects its components into `/dev/shm/.hotdog` inside the container.\n  If `/dev/shm` does not exist (such as in the case of Docker containers\n  launched with `--ipc=none`), hotdog will not be injected into the container\n  and will not provide hotpatching.\n\n## Installation\n\n### Bottlerocket\n\nHotdog is included by default in Bottlerocket 1.5.0.\n\nHotpatching can be enabled for new launches of Bottlerocket by including the\nfollowing settings in user data.\n\n```toml\n[settings.oci-hooks]\nlog4j-hotpatch-enabled = true\n```\n\nFor existing hosts running the latest version of Bottlerocket, hotpatching can\nbe enabled using the API client.\n\n```shell\napiclient set oci-hooks.log4j-hotpatch-enabled=true\n```\n\nEnabling the setting at runtime has no effect on running containers.\nNewly-launched containers will be hotpatched.\n\n### Other Linux distributions\n\nTo install Hotdog, you need to copy the following files to the right location\nand set the appropriate configuration.\n\n* Copy `Log4jHotPatch.jar` to `/usr/share/hotdog` (if you build the hotpatch\n  from source, you'll find it in `build/libs`)\n* Run `make \u0026\u0026 sudo make install` to install `hotdog-cc-hook` and\n  `hotdog-poststart-hook` to `/usr/libexec/hotdog` and `hotdog-hotpatch` to\n  `/usr/share/hotdog`\n* Install [`oci-add-hooks`](https://github.com/awslabs/oci-add-hooks/)\n* Configure `oci-add-hooks` with the hotdog hooks by writing the following\n  contents to `/etc/hotdog/config.json`:\n  ```json\n  {\n    \"hooks\": {\n      \"prestart\": [{\n        \"path\": \"/usr/libexec/hotdog/hotdog-cc-hook\"\n      }],\n      \"poststart\": [{\n        \"path\": \"/usr/libexec/hotdog/hotdog-poststart-hook\"\n      }]\n    }\n  }\n  ```\n* Configure Docker to use the hooks by writing the following contents into\n  `/etc/docker/daemon.json`:\n  ```json\n  {\n    \"runtimes\": {\n      \"hotdog\": {\n        \"path\": \"oci-add-hooks\",\n        \"runtimeArgs\": [\n          \"--hook-config-path\", \"/etc/hotdog/config.json\",\n          \"--runtime-path\", \"/usr/sbin/runc\"\n        ]\n      }\n    }\n  }\n  ```\n\nTo run a container with hotpatching enabled, specify\n`docker run --runtime hotdog`.  To run with hotpatching enabled by default in\nall containers, add the following contents to `/etc/docker/daemon.json`:\n```\n\"default-runtime\": \"hotdog\"\n```\nIf you wish to opt-out of `hotdog` even when it is enabled by default, specify\n`--runtime runc`.\n\n## Troubleshooting\n\n`hotdog` will add several files to the `/dev/shm/.hotdog` directory in each\ncontainer.  You can find the log from `hotdog-hotpatch` in\n`/dev/shm/hotdog.log`.\n\n## Security\n\nSee [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis project is licensed under the Apache-2.0 License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbottlerocket-os%2Fhotdog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbottlerocket-os%2Fhotdog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbottlerocket-os%2Fhotdog/lists"}