Unknown container on hosts

ok, here’s an odd one… In all of our environments we keep seeing a container show up that isn’t part of any stack and wasn’t initialized by any user and for which there are no audit entries. It’s the basic docker hello-world image (and I’ve verified this by inspecting the image and container). Odder yet, in every environment and therefore on very different hosts, the container shows up every time with the name “hungry_galileo”.

Any idea what’s going on here? I thought perhaps our environment had been penetrated, but if so, I can’t seem to figure out what the point is.

Any ideas?

That certainly sounds suspicious, like someone is trying to make it look like an innocuous randomly named container… What’s the inspect look like? What kind of files are in it?

It really is the normal docker hello-world image and container. I’ve pulled out the files with a “docker export” and checked each one. I’d say someone on my team was just playing around with the new environment, but until yesterday I was the only one with access to the system.

Anyway, there’s no harm being committed here. i was just wondering if there was some kind of “test” being done by Rancher itself to make sure containers were launchable or something like that.

I guess I’ll just keep an eye on it.

I think i just figured out at least part of the story. All of my AWS Rancher VM’s (both those that run the HA Management Stack and my normal Hosts) descend from the same base AMI and that AMI had docker installed and the installation tested with a simple hello-world run before being turned into a permanent AMI. The resulting hello-world container was called hungry_galileo.

Now the rest is still something I don’t understand. That container exists on all of the hosts in each of my environments but it’s only being automatically run (over and over again., BTW) on one of the hosts. If the container is removed from one hosts, it starts again on another until I’ve removed it cleanly (docker rm -f ) from each host in the environment.

Interesting, but as suspected, not harmful. Sorry to raise an alarm.

So, do you have the container completely cleaned up now or are you unable to get it to completely “go away”?

I’m guessing the issue is related to the fact that this container had the exact same docker id on all hosts and so rancher is effectively getting “confused” when trying to reconcile its state as it sees it disappear on one host but still be reported on another.

Yes. When I realized that the container was an artifact of my AMI setup, I just force removed it everywhere. User error here, as expected, but with an unexpected symptom (i.e. Rancher starting up the container over and over again).