Passing secrets (keys, passwords, tokens) to docker run/build - which is safer?
Conditions:
- there are projects with dependency managers (composer, npm)
- some dependencies are in private repositories with ssh access
- there are passwords / access tokens to external services (DBMS for example)
- the build is launched from a linux user whose home directory contains the required key
- the container is launched from a linux user whose environment variables contain the required password
- both the build and the launch of the container take place on a remote machine (DOCKER_HOST, etc. are configured)
Required:
a) build images from a Dockerfile whose dependency-installation steps ({composer|npm} install) pull from private git/composer/npm repositories
b) start containers, passing the password to them
c) the images must contain no traces of the key/password
d) there must be no traces of the key/password in the environment variables of the running container (usually a daemon); the password should live in a local (non-volume) file that dies with the container
All the methods found in the Docker documentation for passing a value or a file are either marked as unsafe in the documentation itself, or only work with a local daemon, not a remote one. As a temporary solution on the test-bench network we pass everything through environment/build variables, but the documentation does not recommend this for production.
Who uses what in practice?
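Added example (not from the question or from any of its answers): a BuildKit Dockerfile that installs private npm and composer dependencies through per-step secret and ssh-agent mounts instead of ARG/ENV, followed (in comments) by the client-side build and start commands that get the DB password into the container as a file rather than an environment variable. The secret ids (npmrc, composer_auth), the git host (github.com), the image tags, the DB_PASSWORD variable on the launching user's side and the /run/secrets/db_password path are assumptions chosen for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: BuildKit secret/ssh mounts keep credentials out of every layer.
# Assumed names: secret ids npmrc/composer_auth, host github.com, image tags.

FROM node:20-bookworm-slim AS node-deps
WORKDIR /app
COPY package.json package-lock.json ./
# The client-side ~/.npmrc (with its _authToken) is mounted for this one RUN
# step only. Unlike ARG, it is never written to a layer and is absent from
# `docker history`.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm ci --omit=dev

FROM composer:2 AS php-deps
ENV COMPOSER_HOME=/root/.composer
WORKDIR /app
COPY composer.json composer.lock ./
# Pin the git host key up front so the build neither prompts nor has to
# disable StrictHostKeyChecking. For a stricter build, COPY a reviewed
# known_hosts file instead of trusting whatever answers at build time.
# (Assumes the image ships an ssh client; the official composer image does.)
RUN mkdir -p -m 0700 /root/.ssh && ssh-keyscan github.com >> /root/.ssh/known_hosts
# type=ssh forwards the *client's* ssh-agent socket into this step
# (`docker build --ssh default`); the private key never leaves the machine
# the build is launched from. auth.json covers private composer repositories
# that authenticate with tokens rather than ssh.
RUN --mount=type=ssh \
    --mount=type=secret,id=composer_auth,target=/root/.composer/auth.json \
    composer install --no-dev --no-interaction --prefer-dist --no-scripts

FROM php:8.3-cli-bookworm
WORKDIR /app
COPY --from=php-deps /app/vendor ./vendor
COPY --from=node-deps /app/node_modules ./node_modules
COPY . .
# The application reads its DB password from a file, not from ENV. The file is
# copied into the container's writable layer before start-up (see below), so it
# is neither a volume nor an environment variable, and it is removed together
# with the container. Directory is root-only; widen it if the app drops
# privileges.
RUN mkdir -p -m 0700 /run/secrets
ENV DB_PASSWORD_FILE=/run/secrets/db_password
CMD ["php", "bin/worker.php"]

# Client-side commands that go with this file. DOCKER_HOST already points at
# the remote daemon; --secret and --ssh are read on the client and forwarded
# over the build session, so they work against a remote daemon as well.
#
#   docker build --ssh default \
#       --secret id=npmrc,src=$HOME/.npmrc \
#       --secret id=composer_auth,src=$HOME/.composer/auth.json \
#       -t app:latest .
#
#   # create (not run), copy the password in, then start: no -e, no volume.
#   cid=$(docker create --rm --name worker app:latest)
#   tmp=$(mktemp) && chmod 600 "$tmp" && printf '%s' "$DB_PASSWORD" > "$tmp"
#   docker cp "$tmp" "$cid":/run/secrets/db_password
#   rm -f "$tmp"
#   docker start "$cid"
```

Two checks cover requirements c) and d): `docker history --no-trunc app:latest` shows the RUN lines with their mount flags but no token, because nothing was passed as a build argument, and `docker inspect worker` shows no password under Config.Env, only the DB_PASSWORD_FILE path. The caveat is that the copied file sits in the container's writable layer on the remote host's disk, not in memory, until `--rm` removes the container; `docker cp`, like the build secrets, travels through the Docker API, so it is only as protected in transit as the DOCKER_HOST connection (TLS or ssh) is.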