How can I pass secret data to a container
Question
My Tomcat container needs data that has to be well protected, i.e. passwords for database access and certificates and keys for Single Sign On to other systems.
I've seen some suggestions to use -e or --env-file to pass secret data to a container, but this can be discovered with docker inspect (--env-file also shows all the properties of the file in docker inspect).
Another approach is to link a data container with the secrets to the service container, but I don't like the concept of having this data container in my registry (accessible to a broader range of people). I know I can set up a private registry, but I would need different registries for test and production, and still everyone with access to the production registry could access the secret data.
I'm thinking about setting up my servers with a directory that contains the secret data and mounting the secret data into my containers. This would work nicely with test and production servers having different secrets. But it creates a dependency of the containers on my specific servers.
So my question is: how do you handle secret data, and what's the best solution to that problem?
Accepted answer
Update January 2017

Docker 1.13 now has the command docker secret (https://docs.docker.com/engine/swarm/secrets/) with docker swarm.

See also "Why is ARG in a DOCKERFILE not recommended for passing secrets?".
Original answer (Sept 2015)

The notion of docker vault, alluded to by Adrian Mouat in his previous answer, was actively discussed in issue 1030 (the discussion continues in issue 13490).

It was for now rejected as being out of scope for docker, but also included:
We've come up with a simple solution to this problem: a bash script that, once executed through a single RUN command, downloads private keys from a local HTTP server, executes a given command and deletes the keys afterwards.

Since we do all of this in a single RUN, nothing gets cached in the image. Here is how it looks in the Dockerfile:
RUN ONVAULT npm install --unsafe-perm
Our first implementation around this concept can be found at dockito/vault.

To develop images locally we use a custom development box that runs the Dockito Vault as a service.

The only drawback is requiring the HTTP server to be running, so no Docker Hub builds.