How can I securely provide SA password to SQLServer2017 linux Docker container?


Problem description

A common setup with Docker: Two linux containers, one a .NET Core WebServer using EntityFramework, the other a MS-SQLServer 2017. Persistent data is being held in a Docker volume. Using docker-compose, it's not a swarm.

When starting the SQLServer container, one must provide the SA password as an environment variable to the container. However you provide that, it is possible to later read this env from outside the container using docker container inspect. Which obviously compromises security.

This leads me to two questions:


1. What is a better way to provide the SA password to SQLServer?

2. (discussed in another thread) The Microsoft help states that it's best to change the SA password directly after starting the container. When I do that in my WebServer code, EntityFramework is already connected with the default SA password (the one I provided as env). I can change the password easily. But how can I tell EntityFramework to reset its ConnectionString? (more on that in the linked thread)


Recommended answer



1. What is a better way to provide the SA password to SQLServer?


You need to use a single-container swarm for that. Once you do that, you can use Docker Secrets to pass in your credentials.



2. The Microsoft help states that it's best to change the SA password directly after starting the container. When I do that in my WebServer code, EntityFramework is already connected with the default SA password (the one I provided as env). I can change the password easily. But how can I tell EntityFramework to reset its ConnectionString?


A single-container swarm solves this problem automatically. Every time you update your secret, docker terminates all the containers that use the modified secret and reinitializes them with the new secret. Also, docker does it automatically. There would definitely be downtime and to prevent that, you can put two containers and start a rolling upgrade of your service.

EDIT: With swarm mode, you don't have to worry about changing your docker-compose file because the same file, with some added fields, can serve as your docker-stack file.
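As an added example (not the answerer's code) of the secret-based approach described above, the following POSIX shell entrypoint reads the swarm-mounted secret and hands it to SQL Server as its environment variable. The secret name, the service name and the entrypoint path are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: an entrypoint wrapper that turns a
# Docker secret into the MSSQL_SA_PASSWORD env var inside the container, so the
# password is not part of the container config shown by `docker container inspect`.
# Hypothetical stack-file fragment (compose v3 syntax) that goes with it:
#   secrets:
#     mssql_sa_password:
#       file: ./sa_password.txt        # or `docker secret create` on the swarm node
#   services:
#     db:
#       image: mcr.microsoft.com/mssql/server:2017-latest
#       entrypoint: ["/entrypoint.sh"]  # this script, copied into the image
#       secrets: [mssql_sa_password]    # mounted at /run/secrets/mssql_sa_password
set -eu

# Override only for testing; inside swarm the secret is at /run/secrets/<name>.
SA_SECRET_FILE="${SA_SECRET_FILE:-/run/secrets/mssql_sa_password}"

# Print the first line of the secret file, dropping the newline that a secret
# created from a text file usually carries. Fails (non-zero) on a missing or
# empty secret so the server never starts with a blank SA password.
read_secret() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "secret file $file is missing or unreadable" >&2
    return 1
  fi
  pw=$(head -n 1 "$file")
  if [ -z "$pw" ]; then
    echo "secret file $file is empty" >&2
    return 1
  fi
  printf '%s' "$pw"
}

# Export the password for sqlservr only, then replace this shell with it so
# signals (docker stop) reach SQL Server directly.
start_sqlserver() {
  MSSQL_SA_PASSWORD=$(read_secret "$SA_SECRET_FILE")
  export MSSQL_SA_PASSWORD
  export ACCEPT_EULA=Y
  exec /opt/mssql/bin/sqlservr "$@"
}

# Start only where the SQL Server binary exists (inside the image); elsewhere
# the functions above can be sourced and exercised on their own.
if [ -x /opt/mssql/bin/sqlservr ]; then
  start_sqlserver "$@"
fi
```

Even with this wrapper the password still sits in the sqlservr process environment inside the container (readable via /proc by anyone who can exec into it); it is only gone from the container config. The image applies MSSQL_SA_PASSWORD only when it initializes a fresh data directory, so with data already in the volume a rotated secret restarts the container but the SA login keeps its old password until you change it with ALTER LOGIN.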
