How to idiomatically access sensitive data when building a Docker image?


Problem description

Sometimes there is a need to use sensitive data when building a Docker image. For example, an API token or SSH key to download a remote file or to install dependencies from a private repository. It may be desirable to distribute the resulting image and leave out the sensitive credentials that were used to build it. How can this be done?

I have seen docker-squash which can squash multiple layers into one, removing any deleted files from the final image. But is there a more idiomatic approach?

Recommended answer

Regarding idiomatic approach, I'm not sure, although docker is still quite young to have too many idioms about.

We have had this same issue at our company, however. We have come to the following conclusions, although these are our best efforts rather than established docker best practices.

1) If you need the values at build time: Supply a properties file in the build context with the values that can be read at build, then the properties file can be deleted after build. This isn't as portable but will do the job.

2) If you need the values at run time: Pass values as environment variables. They will be visible to someone who has access to ps on the box, but this can be restricted via SELinux or other methods (honestly, I don't know this process, I'm a developer and the operations teams will deal with that part).
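The first approach above hinges on the properties file actually being gone from the distributed image, and the question already notes the catch: a file deleted in a later Dockerfile step still sits in the earlier layer unless the layers are squashed. The following script is an added example, not code from the answer or from the Docker project. It scans an archive in the `docker save` layout (a `manifest.json` listing per-layer tarballs, with deletions recorded as `.wh.`-prefixed whiteout entries, which is the classic image format this example assumes) and reports every layer that still carries a given path. The sample image it builds in memory, including the placeholder token, is constructed for the demonstration; to check a real image, pass the bytes of a `docker save` output to `scan_image` instead.

```python
"""Check whether a build-time properties file survives in any image layer.

Added example, not from the original Q&A. Assumes the classic `docker save`
archive layout: manifest.json -> {"Layers": [...]} and one tar per layer, with
deletions expressed as `.wh.<name>` whiteout entries.
"""
import io
import json
import tarfile


def _tar_bytes(members):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image: layer 1 COPYs the properties file,
    layer 2 deletes it (RUN rm) which the layer format records as a whiteout.
    The token value is a placeholder, not a real credential."""
    layer1 = _tar_bytes({"app/build.properties": b"api_token=PLACEHOLDER-NOT-A-REAL-TOKEN\n"})
    layer2 = _tar_bytes({"app/.wh.build.properties": b""})  # whiteout = deletion marker
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["layer1/layer.tar", "layer2/layer.tar"],
    }]).encode()
    return _tar_bytes({
        "manifest.json": manifest,
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


def scan_image(image_bytes, target):
    """Return [(layer_path, state)] where state is 'present' if the layer
    contains `target`, 'whiteout' if it records its deletion, else None."""
    base, _, name = target.rpartition("/")
    whiteout = f"{base}/.wh.{name}" if base else f".wh.{name}"
    results = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_data = img.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data), mode="r") as layer:
                names = set(layer.getnames())
            if target in names:
                results.append((layer_path, "present"))
            elif whiteout in names:
                results.append((layer_path, "whiteout"))
            else:
                results.append((layer_path, None))
    return results


def secret_leaks(image_bytes, target):
    """True if any layer still carries the file, even when a later layer
    deleted it: the bytes remain recoverable from the archive."""
    return any(state == "present" for _, state in scan_image(image_bytes, target))


if __name__ == "__main__":
    img = build_sample_image()
    for layer, state in scan_image(img, "app/build.properties"):
        print(f"{layer}: {state}")
    print("credentials recoverable from image:", secret_leaks(img, "app/build.properties"))
```

Running it on the constructed image reports layer 1 as `present` and layer 2 as `whiteout`, so `secret_leaks` is true: the `rm` in a later step does not remove the credential from what gets distributed, which is exactly the case where squashing the layers (or keeping the secret out of any committed layer in the first place) is needed before the image leaves the build host.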

