泊坞窗和保护密码 [英] Docker and securing passwords
问题描述
我最近一直在尝试用泊坞建设一些服务摆弄一件事,一直唠叨我已经把密码在Dockerfile。我是一名开发人员,所以在源存储密码感觉就像在脸上打了一拳。如果这甚至忧虑?是否有关于如何处理Dockerfiles密码的任何好的约定?
I've been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I'm a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on how to handle passwords in Dockerfiles?
推荐答案
绝对是一个问题。 Dockerfiles通常签入到存储库并与其他人分享。更好的方法是在运行时提供任何凭据(用户名,密码,令牌,任何敏感的)为环境变量。
Definitely it is a concern. Dockerfiles are commonly checked in to repositories and shared with other people. A better way is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime.
据我所知有使用敏感数据作为构建过程的一部分,没有最佳模式。其实,我有一个<一个href=\"http://stackoverflow.com/questions/26005028/how-to-idiomatically-access-sensitive-data-when-building-a-docker-image\">SO问题的关于这一主题。您可以使用泊坞窗,壁球来消除图像中的图层。但是,有一个在码头工人为此没有原生的功能。
AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.
您可能会发现shykes 评论有用。
You may find shykes comments on config in containers useful.
这篇关于泊坞窗和保护密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!