One question: how do you handle secrets inside a Dockerfile without using Docker Swarm? Let's say you have some private repo on npm and restore it using .npmrc inside the Dockerfile by providing credentials. After the package restore, obviously I am deleting the .npmrc file from the container. Similarly, it goes for NuGet.config as well, for restoring private repos inside the container. Currently, I am supplying these credentials as --build-arg while building the Dockerfile.

But a command like docker history --no-trunc will show the password in the log. Is there any decent way to handle this? Currently, I am not on Kubernetes, hence I need to handle the same in Docker itself.

One way I can think of is mounting /run/secrets/ and storing the secret inside, either by using some text file containing the password or via a .env file. But then this .env file has to be part of the pipeline to complete the CI/CD process, which means it has to be part of source control. Is there any way to avoid this, or can something be done via the pipeline itself, or can any type of encryption/decryption logic be applied here?

Thanks.

rahulsahay19

2 Answers

1

First, keep in mind that files deleted in one layer still exist in previous layers. So deleting files doesn't help either.

There are three ways that are secure:

  1. Download all code in advance outside of the Docker build, where you have access to the secret, and then just COPY in the stuff you downloaded.

  2. Use BuildKit, which is an experimental Docker feature that enables secrets in a secure way (https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information).

  3. Serve secrets from a network server running locally (e.g. in another container). See here for a detailed explanation of how to do so: https://pythonspeed.com/articles/docker-build-secrets/

Itamar Turner-Trauring
  • Hi, thanks for the response. Regarding step 1, if you can give some working sample that will be a great help. And does this approach also work well with a CI/CD approach? Thanks. – rahulsahay19 Jan 28 '20 at 05:26
  • `git clone github.com/myprivate/project.git` in the shell, and then `COPY project .` in the Dockerfile. – Itamar Turner-Trauring Jan 28 '20 at 12:54
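The following Dockerfile is an added example for the BuildKit route (option 2 above) applied to the asker's own .npmrc case; it is not code from either answer. The registry URL, scope, base image and `server.js` entry point are placeholders. The token is exposed to a single RUN step through a secret mount, so it is never written to a layer and never appears in the build arguments that `docker history --no-trunc` records.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the answers above. Restores a private npm package
# with a BuildKit secret mount so the registry token never lands in an image
# layer. Registry URL, scope and package names below are placeholders.

FROM node:18-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./

# The secret with id "npmrc" is mounted at /root/.npmrc for this RUN step only.
# It is not part of the build context and is not committed to any layer.
# The mounted file is expected to look like (placeholder registry):
#   @myscope:registry=https://registry.example.com/
#   //registry.example.com/:_authToken=<token from the CI secret store>
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm ci --omit=dev

FROM node:18-alpine
WORKDIR /app
# Only the restored dependencies are carried over, never the credentials file.
COPY --from=deps /app/node_modules ./node_modules
COPY . .

# Defensive check: fail the build if a credentials file somehow made it into
# the final image (e.g. a stray .npmrc in the build context not excluded by
# .dockerignore).
RUN test ! -e /root/.npmrc && test ! -e /app/.npmrc

CMD ["node", "server.js"]
```

To build, the CI job writes the token from its own secret store to a temporary file (not to source control) and passes it as the secret source, e.g. `printf '//registry.example.com/:_authToken=%s\n' "$NPM_TOKEN" > /tmp/npmrc`, then `DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=/tmp/npmrc -t myapp .`, and removes the temp file afterwards. Add `.npmrc` (and `NuGet.config`) to `.dockerignore` so `COPY . .` cannot pick up a local copy; the same `--mount=type=secret` pattern works for a NuGet.config mounted at the path `dotnet restore` reads. `docker history` will show the RUN instruction text, including the mount directive, but not the contents of the mounted file.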
0

Let me try to explain Docker secrets here.

  1. Docker secrets work with Docker Swarm. For that you need to run

$ docker swarm init --advertise-addr=$(hostname -i)

It makes the node the master. Now you can create your secret here like so: create a file /db_pass and put your password in this file.

$ docker secret create db_pass /db_pass

This creates your secret. Now if you want to list the secrets created, run the command

$ docker secret ls

Let's use the secret while running the service:

$ docker service create --name mysql-service \
    --secret source=db_pass,target=mysql_root_password \
    --secret source=db_pass,target=mysql_password \
    -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
    -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
    -e MYSQL_USER="wordpress" \
    -e MYSQL_DATABASE="wordpress" \
    mysql:latest

In the above command, /run/secrets/mysql_root_password and /run/secrets/mysql_password are file locations inside the container which store the source file (db_pass) data.

source=db_pass,target=mysql_root_password (it creates the file /run/secrets/mysql_root_password inside the container with the db_pass value)

source=db_pass,target=mysql_password (it creates the file /run/secrets/mysql_password inside the container with the db_pass value)

See the screenshot from the container which shows the secret file data: [screenshot not available in this copy]

Shashikant Pandit