
RFE: Better way to pass secret data into container

Open hhorak opened this issue 10 years ago • 5 comments

The current way of passing passwords using -e is not the best one, since even root (or whoever can talk to the docker socket) should be able to read the passwords. However, with the -e way, even if the variable is unset inside the container, one can read the value from the docker inspect output.

This issue is meant to track an RFE to be able to specify the password somehow differently, maybe in addition to the current -e option. This new way shouldn't allow the password to be seen even by the docker admin/root.

hhorak avatar Sep 08 '15 14:09 hhorak

From an OpenShift perspective the better approach is to use Secrets and have the image read the password from the mounted secret. (And in a non-OpenShift/k8s environment, users could still mount to the secret path themselves to provide the password/config.) But as you say, it should be in addition to environment.

bparees avatar Sep 08 '15 15:09 bparees

@bparees @hhorak I thought there was already some work being done in Docker to provide some secret store... @csrwng had a link to a repo with this... but I don't think this will come anytime soon.

mfojtik avatar Sep 08 '15 15:09 mfojtik

@bparees I guess you mean this feature: https://docs.openshift.com/enterprise/3.0/dev_guide/secrets.html Without deeper knowledge of OpenShift I'm not sure whether I understand it correctly: what happens from the image's PoV in this case? Is the file volume-mounted in there?

@mfojtik This might be the summary of the unfinished related work: https://github.com/docker/docker/issues/13490

hhorak avatar Sep 09 '15 06:09 hhorak

It also depends on what you consider secret. For things like MYSQL_PASSWORD and MYSQL_ADMIN_PASSWORD I don't think we will switch to a secret store or a volume mount with secrets anytime soon. The problem is that when you link containers via Docker (or via k8s services), you want to have all environment variables set for the containers that are consuming this service. In the Docker case, you want the linked container to be able to connect to the linked MySQL. The application can access the passwords via environment variables, which is the simplest way to access them. If you move the passwords to a secret volume, you will basically tell the application developers to read them from a file, which will decrease the user experience a lot and will be against the 'docker' approach.

In OpenShift we use secrets to store things like SSL certificates, tokens or configuration files like '.dockercfg'. I don't consider MYSQL_PASSWORD a 'secret' if that env var exists only in your namespace and only people with 'view' access can see it, and people that have 'root' access to the node that runs the container can see it.

-- Michal


mfojtik avatar Sep 09 '15 08:09 mfojtik

@hhorak yes the file gets volume-mounted there and the image can reference it.

bparees avatar Feb 03 '16 00:02 bparees
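The approach bparees describes above (read the password from a mounted secret file, with the environment variable kept as a fallback) as an added example; this is not the openshift/mysql image's own startup code, and the secret directory /etc/mysql-secrets is an assumed path.

```shell
#!/bin/sh
# Added example, not part of the openshift/mysql image.
# Assumption: secrets are mounted as files named after the variable,
# e.g. /etc/mysql-secrets/MYSQL_PASSWORD (path overridable via env).
MYSQL_SECRET_DIR="${MYSQL_SECRET_DIR:-/etc/mysql-secrets}"

# resolve_secret NAME
# Prints the value of NAME, preferring the mounted file
# $MYSQL_SECRET_DIR/NAME (which does not show up in `docker inspect`)
# over the environment variable NAME. Returns 1 if neither is set.
resolve_secret() {
  name="$1"
  file="$MYSQL_SECRET_DIR/$name"
  if [ -f "$file" ]; then
    # Strip newlines: editors and `echo` usually append one.
    tr -d '\n' < "$file"
    return 0
  fi
  # Fall back to the environment variable of the same name.
  eval "val=\${$name:-}"
  if [ -n "$val" ]; then
    printf '%s' "$val"
    return 0
  fi
  echo "error: $name not provided via $file or the environment" >&2
  return 1
}

# Typical use in an entrypoint (hypothetical):
#   MYSQL_PASSWORD=$(resolve_secret MYSQL_PASSWORD) || exit 1
```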