Docker and securing passwords

This article covers how to handle Docker and securing passwords and should be of some reference value to anyone facing this problem; interested readers can follow along below.

Problem description



I've been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I'm a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on how to handle passwords in Dockerfiles?

Solution

Definitely it is a concern. Dockerfiles are commonly checked in to repositories and shared with other people. An alternative is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime. This is possible via the -e argument (for individual vars on the CLI) or --env-file argument (for multiple variables in a file) to docker run.

However, env vars are not particularly secure either. They are visible via docker inspect, and hence they are available to any user that can run docker commands. (Of course, any user that has access to docker on the host also has root anyway.)

My preferred pattern is to use a wrapper script as the ENTRYPOINT or CMD. The wrapper script can first import secrets from an outside location into the container at runtime, then execute the application, providing the secrets. The exact mechanics of this vary based on your runtime environment. In AWS, you can use a combination of IAM roles, the Key Management Service, and S3 to store encrypted secrets in an S3 bucket. Something like HashiCorp Vault or credstash is another option.

AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.

You may find shykes' comments on config in containers useful.
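One way to implement the wrapper-script pattern described in this answer, as an added example that is not part of the original answer: a POSIX sh ENTRYPOINT that reads one file per secret from a directory mounted into the container at runtime, exports each as an environment variable, refuses world-readable secret files, checks that the required secrets are present, and then execs the real command. The /run/secrets path, the file-per-secret layout and the DB_PASSWORD name are assumptions.

```shell
#!/bin/sh
# Added example entrypoint wrapper (not from the original answer). Secrets are
# expected as one file per secret in SECRETS_DIR, mounted at run time (a volume,
# a tmpfs, or an orchestrator's secret mount). Nothing is baked into the image
# or passed with -e. All paths and variable names here are assumptions.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# load_secrets DIR: export one variable per regular file in DIR, named after the
# file (upper-cased, non-alphanumerics replaced by '_'), value = file contents.
# World-readable files are refused: limiting who can read the secret is the point.
load_secrets() {
    dir="$1"
    [ -d "$dir" ] || { echo "wrapper: secrets dir $dir not mounted" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -perm -o=r)" ]; then
            echo "wrapper: refusing world-readable secret $f" >&2
            return 1
        fi
        name=$(basename "$f" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9\n' '_')
        case "$name" in [0-9]*) name="_$name" ;; esac   # keep it a valid var name
        val=$(cat "$f")
        export "$name=$val"
    done
}

# require_secrets NAME...: fail fast if any required secret is missing or empty,
# so a misconfigured deployment stops here instead of inside the application.
require_secrets() {
    for n in "$@"; do
        eval "v=\${$n:-}"
        [ -n "$v" ] || { echo "wrapper: required secret $n is missing" >&2; return 1; }
    done
}

# When used as the container entrypoint: load, verify, then exec the real
# command so it becomes PID 1 and receives signals directly.
if [ "$#" -gt 0 ]; then
    load_secrets "$SECRETS_DIR"
    require_secrets DB_PASSWORD
    exec "$@"
fi
```

Mount the secrets directory with restrictive permissions (for example a tmpfs owned by the application user, mode 0600 per file); `docker inspect` then shows only the mount, not the values.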

This concludes the article on Docker and securing passwords. We hope the answer recommended here helps, and we hope you will continue to support IT屋!
