泊坞窗和保护密码 [英] Docker and securing passwords

问题描述

我最近一直在尝试用泊坞建设一些服务摆弄一件事，一直唠叨我已经把密码在Dockerfile。我是一名开发人员，所以在源存储密码感觉就像在脸上打了一拳。如果这甚至忧虑？是否有关于如何处理Dockerfiles密码的任何好的约定？

I've been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I'm a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on how to handle passwords in Dockerfiles?

推荐答案

绝对是一个问题。 Dockerfiles通常签入到存储库并与其他人分享。更好的方法是在运行时提供任何凭据（用户名，密码，令牌，任何敏感的）为环境变量。

Definitely it is a concern. Dockerfiles are commonly checked in to repositories and shared with other people. A better way is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime.

据我所知有使用敏感数据作为构建过程的一部分，没有最佳模式。其实，我有一个<一个href=\"http://stackoverflow.com/questions/26005028/how-to-idiomatically-access-sensitive-data-when-building-a-docker-image\">SO问题的关于这一主题。您可以使用泊坞窗，壁球来消除图像中的图层。但是，有一个在码头工人为此没有原生的功能。

AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.

您可能会发现shykes 评论有用。

You may find shykes comments on config in containers useful.

这篇关于泊坞窗和保护密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！