RFE: Better way to pass secret data into container

[hhorak]

Current way of passing passwords using -e is not the best one, since even root (or whoever can talk to docker socket) should be able to read the passwords. However, with -e way, even if the variable is unset inside the container, one can read the value from docker inspect output.

This issue is meant to track an RFE to be able to specify password somehow differently, maybe in addition to the current -e option. This new way shouldn't allow to see the password even for docker admin/root.

[bparees]

from an openshift perspective the better approach is to use Secrets and have the image read the password from the mounted secret. (and in a non-openshift/k8s environment, users could still mount to the secret path themselves to provide the password/config) but as you say, it should be in addition to environment.

[mfojtik]

@bparees @hhorak I thought there is already some work being done in Docker to provide some secret store... @csrwng had a link to a repo with this.. but I don't think this will come anytime soon.

[hhorak]

@bparees I guess you mean this feature: https://docs.openshift.com/enterprise/3.0/dev_guide/secrets.html Without deeper knowledge of OpenShift I'm not sure whether I understand it correctly, what happens from image PoV in this case? Is the file volume-mounted into there?

@mfojtik This might be the summary of unfinished work related: moby/moby#13490

[mfojtik]

It also depends on what you consider secret. For things like MYSQL_PASSWORD
and MYSQL_ADMIN_PASSWORD I don't think we will switch to a secret store or
a volume mount with secrets anytime soon. The problem is that when you link
container via Docker (or via k8s services), you want to have all
environment variables set for the containers that are consuming this
service. In Docker case, you want the linked container be able to connect
to the linked MySQL. The application can access the passwords via
environment variables, which is the simplest way to access them. If you
move the passwords to a secret volume, you will basically tell the
application developers to read them from a file which will decrease the
user-experience a lot and it will be against the 'docker' approach.

In OpenShift we use secrets to store things like SSL certificates, tokens
or configuration files like '.dockercfg'. I don't consider MYSQL_PASSWORD
as 'secret' of that env var exists only in your namespace and only people
with 'view' access can see it and people that have 'root' access to the
node that run the container can see it.

-- Michal

On Wed, Sep 9, 2015 at 8:48 AM, Honza Horak [email protected]
wrote:

@bparees https://github.com/bparees I guess you mean this feature:
https://docs.openshift.com/enterprise/3.0/dev_guide/secrets.html Without
deeper knowledge of OpenShift I'm not sure whether I understand it
correctly, what happens from image PoV in this case? Is the file
volume-mounted into there?

@mfojtik https://github.com/mfojtik This might be the summary of
unfinished work related: moby/moby#13490
moby/moby#13490

—
Reply to this email directly or view it on GitHub
#91 (comment).

---

Michal Fojtik <[email protected] [email protected]>
Red Hat OpenShift, Engineering

[bparees]

@hhorak yes the file gets volume-mounted there and the image can reference it.