Docker and securing passwords


Question

I've been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I'm a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on how to handle passwords in Dockerfiles?

Answer

Definitely it is a concern. Dockerfiles are commonly checked in to repositories and shared with other people. An alternative is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime. This is possible via the -e argument (for individual vars on the CLI) or --env-file argument (for multiple variables in a file) to docker run. Read this for using environment variables with docker-compose.

Using --env-file is definitely a safer option since this protects against the secrets showing up in ps or in logs if one uses set -x.

However, env vars are not particularly secure either. They are visible via docker inspect, and hence they are available to any user that can run docker commands. (Of course, any user that has access to docker on the host also has root anyway.)

My preferred pattern is to use a wrapper script as the ENTRYPOINT or CMD. The wrapper script can first import secrets from an outside location in to the container at run time, then execute the application, providing the secrets. The exact mechanics of this vary based on your run time environment. In AWS, you can use a combination of IAM roles, the Key Management Service, and S3 to store encrypted secrets in an S3 bucket. Something like HashiCorp Vault or credstash is another option.

AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.

You may find shykes' comments on config in containers useful.
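The wrapper-script pattern from the answer above, as an added example that is not part of the original question or answer: a POSIX sh entrypoint that imports secrets at run time from files mounted into the container, exports them for the application, and then execs the real process. The mount point /run/secrets, the one-file-per-secret layout, the REQUIRED_SECRETS list and the script name entrypoint.sh are assumptions made for this illustration, not anything the answer prescribes. Because the values are read from files inside the container rather than passed with -e, they do not appear on the docker run command line (so not in ps or a set -x trace on the host) and are not recorded in the container's Config.Env shown by docker inspect; they are still readable by anyone who can read the process environment, i.e. root on the host.

```shell
#!/bin/sh
# Added example entrypoint wrapper (not from the original answer).
# Assumed layout: secrets are mounted as one file per secret under
# $SECRETS_DIR, e.g.  docker run -v /host/secrets:/run/secrets:ro ...
# and the file name is the variable name the app expects (DB_PASSWORD, ...).
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # assumed default mount point

# Load every regular file in $1 as an environment variable named after the
# file, with the trailing newline stripped.  File names that are not valid
# shell identifiers are skipped, so a stray file cannot inject arbitrary
# shell through "export".
load_secrets_from_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            [A-Za-z_]*) ;;                 # must start with a letter or "_"
            *) continue ;;
        esac
        case "$name" in
            *[!A-Za-z0-9_]*) continue ;;   # must contain only [A-Za-z0-9_]
        esac
        # Deliberately no "set -x" in this script: the value never hits a log.
        value=$(cat "$f")
        export "$name=$value"
    done
}

# Return 0 if every variable named in the arguments is set and non-empty,
# otherwise report the first missing one on stderr and return 1.
require_vars() {
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required secret: $v" >&2
            return 1
        fi
    done
    return 0
}

# Load secrets, fail fast if a required one is absent, then replace this
# shell with the application so it becomes PID 1 and receives signals.
# REQUIRED_SECRETS is an assumed space-separated list, e.g. "DB_PASSWORD".
run_entrypoint() {
    load_secrets_from_dir "$SECRETS_DIR"
    # shellcheck disable=SC2086
    require_vars ${REQUIRED_SECRETS:-}
    exec "$@"
}

# Only hand over to the application when executed as the container
# entrypoint; when sourced (for example by a test) the functions stay
# available without exec'ing anything.
if [ "${0##*/}" = "entrypoint.sh" ]; then
    run_entrypoint "$@"
fi
```

Wired into an image with `ENTRYPOINT ["/entrypoint.sh"]` and `CMD ["myapp"]`, a run such as `docker run -v /host/secrets:/run/secrets:ro -e REQUIRED_SECRETS=DB_PASSWORD image` keeps the password out of the Dockerfile, the image layers and the docker run arguments; the same script can be fed by any secret store that can drop a file into the container at start, which is where the Vault or KMS+S3 fetch the answer mentions would go.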
