How can I pass secret data to a container


Question

My Tomcat Container needs data that has to be well protected, i.e. passwords for database access and certificates and keys for Single Sign On to other systems.

I've seen some suggestions to use -e or --env-file to pass secret data to a container, but this can be discovered with docker inspect (--env-file also shows all the properties of the file in docker inspect).

Another approach is to link a data container with the secrets to the service container, but I don't like the concept of having this data container in my registry (accessible to a broader range of people). I know I can set up a private registry, but I would need different registries for test and production, and still everyone with access to the production registry could access the secret data.

I'm thinking about setting up my servers with a directory that contains the secret data and mounting the secret data into my containers. This would work nicely with test and production servers having different secrets. But it creates a dependency of the containers on my specific servers.

So my question is: how do you handle secret data, and what's the best solution to that problem?
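The question's point that values passed with -e or --env-file are readable with docker inspect can be turned into a routine check. The following shell script is an added example, not code from the original post: it scans a docker inspect dump for Env entries whose names look like credentials and reports the names only, never the values. The JSON below is a constructed sample rather than output from a real container, and the keyword list is an assumption to adjust to your own naming conventions.

```shell
# Added example (not from the original question): audit a `docker inspect`
# JSON dump for environment variables that look like credentials.
# SAMPLE_INSPECT is a constructed sample, not output from a real container.
SAMPLE_INSPECT='[
  {
    "Id": "0123abcd",
    "Config": {
      "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
        "DB_PASSWORD=hunter2",
        "SSO_PRIVATE_KEY=-----BEGIN PRIVATE KEY-----",
        "JAVA_OPTS=-Xmx512m"
      ]
    }
  }
]'

# leaked_env_names INSPECT_JSON
# Prints the NAME of every Env entry whose name contains a credential-like
# keyword (the keyword list is an assumption; extend it for your environment).
# Only names are printed, so the audit output itself does not leak secrets.
leaked_env_names() {
  printf '%s\n' "$1" \
    | grep -oE '"[A-Za-z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE_KEY|API_KEY)[A-Za-z0-9_]*=[^"]*"' \
    | sed -E 's/^"([^=]*)=.*$/\1/' \
    | sort -u
}

# env_leaks_found INSPECT_JSON
# Exit status 0 when at least one suspicious Env entry exists, 1 otherwise,
# so it can gate a deployment check.
env_leaks_found() {
  [ -n "$(leaked_env_names "$1")" ]
}

# Usage against a running container (requires the docker CLI):
#   leaked_env_names "$(docker inspect "$CONTAINER_ID")"
```

Anyone who can run docker inspect on the host (typically anyone in the docker group) sees these values, which is why the question treats environment variables as insufficient for database passwords and SSO keys.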

Recommended answer

Update January 2017

Docker 1.13 now has the command docker secret (https://docs.docker.com/engine/swarm/secrets/) with docker swarm.
See also "Why is ARG in a DOCKERFILE not recommended for passing secrets?".

Original answer (Sept 2015)

The notion of docker vault, alluded to by Adrian Mouat in his previous answer, was actively discussed in issue 1030 (the discussion continues on issue 13490).

It was for now rejected as being out of scope for docker, but also included:


We've come up with a simple solution to this problem: a bash script that, once executed through a single RUN command, downloads private keys from a local HTTP server, executes a given command and deletes the keys afterwards.

Since we do all of this in a single RUN, nothing gets cached in the image. Here is how it looks in the Dockerfile:

RUN ONVAULT npm install --unsafe-perm
Our first implementation around this concept can be found at dockito/vault.

To develop images locally we use a custom development box that runs the Dockito Vault as a service.

The only drawback is requiring the HTTP server to be running, so no Docker Hub builds.
