In this posting we will look at currently recommended ways of managing passwords in MySQL Docker containers and explore whether the recently introduced concept of Docker Secrets could play a role in this area. Managing runtime secrets in Docker has traditionally been hard to do securely. The MySQL Docker images have typically offered various ways to set the MySQL root password, where some methods are recommended over others. The typical ways to set the root password are 1) specifying the password directly using the MYSQL_ROOT_PASSWORD environment variable, 2) bind-mounting a password file into the container and having MYSQL_ROOT_PASSWORD point to this file, and 3) setting MYSQL_RANDOM_ROOT_PASSWORD in order to have MySQL generate a random root password. The recommended way on MySQL 5.6 and newer is to use MYSQL_RANDOM_ROOT_PASSWORD in conjunction with MYSQL_ONETIME_PASSWORD, and we’ll briefly explain why this is so.

Specifying the password directly using MYSQL_ROOT_PASSWORD is the least secure option. When running a Docker container, its environment variables are exposed to both the host system and to the container itself, leaving the password at very high risk of exposure. We’ll leave it as an exercise for the reader to find out how and why; suffice it to say that we strongly discourage this way of doing it in any kind of setting where security is of any concern whatsoever.

Bind-mounting a password file will avoid some of the exposure, but the file would still have to be stored on the host system. The environment variable would also expose where it can be accessed on the host system. Now, the recommended way is to generate a one-time password upon first run using the MYSQL_RANDOM_ROOT_PASSWORD and MYSQL_ONETIME_PASSWORD variables, and then set a secure password after the container initialization is complete. This will lead to only limited exposure of the password in the presumably short interval between container init and first time use, and is thus strongly recommended over the other available options.

Because managing secrets securely in Docker containers is a relatively common need for many Docker users, it was to widespread acclaim that Docker introduced a new mechanism for managing sensitive data with Docker Secrets in version 1.13. It has been stated that this feature only works with Docker Swarm, but the Docker Compose documentation gives the impression that you can leverage the secrets framework on ‘regular’ containers through the use of Docker Compose. We thought we’d check out whether this could be used for management of passwords in MySQL containers. The Docker Secrets documentation states that when running in Swarm mode, secrets are securely stored in the encrypted Raft log and replicated to the other Swarm managers. Docker also provides tools for granting access to additional secrets, revoking access, and rotating secrets. However, when run with ‘regular’ containers, the secrets are much less secure, as we shall see.

Setting up a container with a secret using Docker Compose is relatively straightforward. This is part of a common docker-compose.yml which is frequently seen on the internet:

    version: '3'
    ...
          MYSQL_ROOT_PASSWORD: /run/secrets/my_secret
    ...

We’ll define our secret in the bottom section, and tell MySQL to use that secret as the root password. The observant reader may have spotted that the secret points to a file on the host computer’s file system. The weakness here is that this file has to hold the secret in plain text. We overlook this weakness for now, create the my_secret.txt file with a test password and use docker-compose up -d to create our container.

    CONTAINER ID   IMAGE                       COMMAND                CREATED          STATUS          PORTS                 NAMES
    aaf5d45eb2fe   mysql/mysql-server:latest   "/entrypoint.sh my…"   24 seconds ago   Up 24 seconds   3306/tcp, 33060/tcp   mysql

All apparently seems well: our container is running and we can connect to the MySQL server with the root password we set. However, a docker inspect shows us what’s really happening under the hood. As can be seen, it’s a simple bind-mount that mounts the password file into the container, with a few special permissions such as making the file read-only. This isn’t much more than what is already available in Docker, only that it’s now branded under the secrets name, giving it a (dangerous) sense of security when it really isn’t secure. All the typical problems with regards to mounting password files would apply here as well. In addition, Docker’s surrounding mechanisms for dynamically managing secrets aren’t available when running ‘regular’ containers.

As it currently stands, the recommended way to launch MySQL containers is very much the same as before: use the MYSQL_RANDOM_ROOT_PASSWORD and MYSQL_ONETIME_PASSWORD mechanisms for MySQL 5.6 and newer. Better support for managing secrets in ‘regular’ containers would be a welcome addition to the Docker ecosystem.
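For reference, a complete docker-compose.yml of the kind the post's listing is taken from, with the recommended MYSQL_RANDOM_ROOT_PASSWORD/MYSQL_ONETIME_PASSWORD setup shown beside it. This is an added example written for this edit, not the file from the original post: the service name, the container_name (chosen to match the NAMES column of the post's docker ps output), the image tag and the secret file path ./my_secret.txt are assumptions; only MYSQL_ROOT_PASSWORD: /run/secrets/my_secret and version: '3' come from the post.

```yaml
version: '3'
services:
  mysql:
    image: mysql/mysql-server:latest   # image tag as shown in the post's docker ps output
    container_name: mysql              # assumed, so the container is named "mysql" as in the post
    environment:
      # Variant discussed in the post: the image entrypoint reads the root
      # password from this file inside the container.
      MYSQL_ROOT_PASSWORD: /run/secrets/my_secret
      # Recommended alternative (MySQL 5.6 and newer): generate a random
      # one-time root password at first start and force a change on first
      # login.  With these two set instead, the `secrets:` entries below are
      # not needed at all.
      # MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      # MYSQL_ONETIME_PASSWORD: "yes"
    secrets:
      - my_secret        # grants this service access to the secret defined below
secrets:
  my_secret:
    # Assumed path.  On a non-Swarm engine Compose simply bind-mounts this
    # plaintext host file read-only at /run/secrets/my_secret, which is the
    # weakness the post describes.
    file: ./my_secret.txt
```

After `docker-compose up -d`, `docker inspect mysql` lists the bind mount under Mounts, with Source set to the host path of my_secret.txt and RW set to false.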
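The docker inspect check the post describes can be turned into a small audit that runs over the JSON `docker inspect <container>` prints and reports the exposures discussed above: a literal password in MYSQL_ROOT_PASSWORD (visible in Config.Env to anyone who can inspect the container on the host), a "secret" that is really a bind mount of a plaintext host file, and a secret mount that is writable from inside the container. This is an added example, not code from the original post; the inspect document embedded below is constructed to mirror the post's setup (the host path and container id are invented), and the rule that an absolute path in MYSQL_ROOT_PASSWORD means "read the password from this file" is an assumption based on how the post describes the variable.

```python
"""Audit `docker inspect` output for plaintext MySQL root password exposure.

Added example, not from the original post.  Run with no argument to audit the
constructed sample below, or pass a file containing real `docker inspect`
output as the first argument.
"""
import json
import sys

# Constructed sample, shaped like `docker inspect mysql` for the post's compose setup.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-container-id",
    "Name": "/mysql",
    "Config": {"Env": [
        "MYSQL_ROOT_PASSWORD=/run/secrets/my_secret",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    ]},
    "Mounts": [{
        "Type": "bind",
        "Source": "/home/alice/mysql-demo/my_secret.txt",   # constructed host path
        "Destination": "/run/secrets/my_secret",
        "Mode": "ro",
        "RW": False,
        "Propagation": "rprivate",
    }],
}])


def env_value(doc, name):
    """Return the value of environment variable `name` from Config.Env, or None."""
    for entry in doc.get("Config", {}).get("Env", []):
        key, _, value = entry.partition("=")
        if key == name:
            return value
    return None


def find_mount(doc, destination):
    """Return the Mounts entry whose Destination inside the container is `destination`."""
    for mount in doc.get("Mounts", []):
        if mount.get("Destination") == destination:
            return mount
    return None


def audit_container(doc, var="MYSQL_ROOT_PASSWORD"):
    """Return a list of (severity, message) findings for one inspect document."""
    findings = []
    value = env_value(doc, var)
    if value is None:
        return findings  # password not supplied via this variable (e.g. random one-time password)
    # Assumed heuristic: an absolute path means "read the password from this file".
    if not value.startswith("/"):
        findings.append(("high", f"{var} holds a literal password in the container environment; "
                                 "it is readable by anyone who can run `docker inspect` on the host"))
        return findings
    mount = find_mount(doc, value)
    if mount is None:
        findings.append(("info", f"{var} points at {value}, which is not listed under Mounts"))
        return findings
    if mount.get("Type") == "bind":
        findings.append(("medium", f"{value} is a bind mount of host file {mount.get('Source')}; "
                                   "the secret therefore exists in plaintext on the host"))
    if mount.get("RW"):
        findings.append(("low", f"{value} is mounted read-write; "
                                "a compromised container could overwrite the host file"))
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every document in `docker inspect` JSON."""
    return {doc.get("Name", doc.get("Id", "?")).lstrip("/"): audit_container(doc)
            for doc in json.loads(text)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(text).items():
        print(f"== {name}")
        for severity, message in findings or [("ok", "no password exposure found")]:
            print(f"  [{severity}] {message}")
```

On the sample document the audit reports a single medium finding: the secret at /run/secrets/my_secret is a bind mount of a plaintext file on the host, exactly what the post found under the hood. A container started with MYSQL_RANDOM_ROOT_PASSWORD and MYSQL_ONETIME_PASSWORD instead of MYSQL_ROOT_PASSWORD produces no findings.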