diff --git a/README.md b/README.md
index 64cd3b0..109f787 100644
--- a/README.md
+++ b/README.md
@@ -61,9 +61,11 @@
- [run docker deamon rootless](https://docs.docker.com/engine/security/rootless/)
- [dangling images ''](https://projectatomic.io/blog/2015/07/what-are-docker-none-none-images/)
- [go inside docker to debug it](https://docs.docker.com/engine/reference/commandline/container_exec/)
+- [docker debug image with "docker run -it"](https://blog.devgenius.io/how-to-debug-docker-build-6c2588401188)
- `docker exec -ti bash` to run bash inside a running container
- [docker CMD vs ENTRYPOINT](https://phoenixnap.com/kb/docker-cmd-vs-entrypoint)
- [use env variable with compose](https://docs.docker.com/compose/environment-variables/)
+- [using DEBIAN_FRONTEND=noninteractive disouraged in dockerfile](https://bobcares.com/blog/debian_frontendnoninteractive-docker/)
###### docker pid 1
- nginx by default will create some child process (a master and some workers), then it quits (doc ?)
@@ -115,8 +117,18 @@
- bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files
- volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture
- ###### psswd in dockerfile :
- - [SO securing passwords in dockerfiles](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
+ ###### use password in container :
+ - [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
+ - [it's not safe to use arg to pass secret, since they are available through "docker history"](https://docs.docker.com/engine/reference/builder/#arg)
+ - [better use docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
+ - [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
+ - [engine ref secret](https://docs.docker.com/engine/reference/commandline/secret/)
+ - [compose secret](https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets)
+ - [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
+ - [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
+ - [four ways to use secrets](https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/)
+ - it seems that using "secrets" only improve security for a swarm, when you must share your secrets with others, but if not the case, .env is as much secure ?
+ - to use secret in docker-compose, we need to use swarm, but it doesn't allow to use build, or up, so everything is different then and I don't have time to understand it fully
#### nginx
- [nginx begginer guide](https://hub.docker.com/_/nginx/)
@@ -180,13 +192,6 @@ DROP DATABASE ;
```
- ###### use password in container :
- - [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
- - [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
- - [docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
- - [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
- - [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
#### php-fpm
- [](https://en.wikipedia.org/wiki/FastCGI)
diff --git a/srcs/.env b/srcs/.env
index 24739c7..addc6b0 100644
--- a/srcs/.env
+++ b/srcs/.env
@@ -1,8 +1,8 @@
-# DOMAIN_NAME=wil.42.fr
-# # certificates
-# CERTS_=./XXXXXXXXXXXX
-# # MYSQL SETUP
-# MYSQL_ROOT_PASSWORD=XXXXXXXXXXXX
-# MYSQL_USER=XXXXXXXXXXXX
-# MYSQL_PASSWORD=XXXXXXXXXXXX
-# [...]
+#DOMAIN_NAME=wil.42.fr
+## certificates
+#CERTS_=./XXXXXXXXXXXX
+
+## MARIADB SETUP
+DB_NAME=db_wp_inception
+DB_USER=user_wp_inception
+DB_PSWD="if you read this i will have to erase your memory"
diff --git a/srcs/docker-compose.yml b/srcs/docker-compose.yml
index c4cfd11..7de12fc 100644
--- a/srcs/docker-compose.yml
+++ b/srcs/docker-compose.yml
@@ -9,12 +9,12 @@ version: "3.8"
services:
# ---------------------------------
- test:
- build:
- context: ./requirements/test
- dockerfile: Dockerfile
- image: test
- container_name: mytest
+# test:
+# build:
+# context: ./requirements/test
+# dockerfile: Dockerfile
+# image: test
+# container_name: mytest
# ---------------------------------
nginx:
#restart: on-failure
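Review bot: The .env hunk replaces the `XXXXXXXXXXXX` placeholders with a real database name, user and password (`DB_PSWD="if you read this i will have to erase your memory"`), so live credentials are now tracked in git. Keep the committed file a template with placeholders (for example `srcs/.env.example`), add `srcs/.env` to `.gitignore`, and treat this password as burned once the commit is pushed, since removing it later does not purge it from history. The value is double-quoted and contains spaces; legacy `docker-compose` env_file parsing and Compose v2's dotenv parsing handle the quotes differently, so check what actually reaches the container with `docker compose config` before relying on it. `DOMAIN_NAME` and `CERTS_` stay commented out, so any `${DOMAIN_NAME}` interpolation elsewhere will presumably expand to an empty string.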
@@ -29,16 +29,13 @@ services:
# ---------------------------------
mariadb:
#restart: on-failure
+ env_file: .env
build:
context: ./requirements/mariadb
- dockerfile: Dockerfile
+ args:
+ - DB_NAME=${DB_NAME}
+ - DB_USER=${DB_USER}
+ - DB_PSWD=${DB_PSWD}
image: mariadb
container_name: mymariadb
- #--secret id=mysecret,src=mysecret.txt
- secrets:
- - my_secret
-
-secrets:
- my_secret:
- file: ./secret.txt
diff --git a/srcs/requirements/mariadb/Dockerfile b/srcs/requirements/mariadb/Dockerfile
index bbbb8ca..9b0034a 100644
--- a/srcs/requirements/mariadb/Dockerfile
+++ b/srcs/requirements/mariadb/Dockerfile
@@ -1,20 +1,17 @@
FROM debian:buster
-ARG DEBIAN_FRONTEND=noninteractive
-
-# docker build --secret tag : https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
-# use secret with docker : https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
-RUN --mount=type=secret,id=my_secret cat /run/secrets/my_secret.txt
-#RUN cat /run/secrets/my_secret.txt
+ARG DB_NAME
+ARG DB_USER
+ARG DB_PSWD
RUN apt update && \
apt install -y mariadb-client mariadb-server && \
rm -rf /var/lib/apt/lists/* && \
\
service mysql start && \
- mariadb --execute="CREATE DATABASE db_hugo_test;" && \
- mariadb --execute="CREATE USER 'u_hugo_test'@'localhost' IDENTIFIED BY 'hello';" && \
- mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO 'u_hugo_test'@'localhost' with grant option;"
+ mariadb --execute="CREATE DATABASE ${DB_NAME};" && \
+ mariadb --execute="CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PSWD}';" && \
+ mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO '${DB_USER}'@'localhost' with grant option;"
CMD [ "mysqld" ]
diff --git a/srcs/requirements/mariadb/secret.txt b/srcs/requirements/mariadb/secret.txt
new file mode 100644
index 0000000..1b01264
--- /dev/null
+++ b/srcs/requirements/mariadb/secret.txt
@@ -0,0 +1 @@
+mon_super_mot_de_passe
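Review bot: `- DB_PSWD=${DB_PSWD}` under `args:` hands the database password to the image build as a build argument, which the README entry added in this same commit correctly says is recoverable with `docker history`; the Dockerfile then also bakes the initialised datadir into a layer. Pass the credentials only at runtime (the `env_file: .env` line added here already does that) and create the user in an entrypoint script on first start, so the build needs no secret at all and `args:` can be dropped entirely. The removed `secrets:` / `file: ./secret.txt` mechanism did not need swarm: file-based top-level secrets are bind-mounted at `/run/secrets/<name>` by plain `docker-compose up` too, so it remains an option if the password must stay out of the container environment. With `env_file: .env` the password is readable through `docker inspect mymariadb` by anyone with access to the docker socket, which is worth a one-line comment next to the service.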
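Review bot: The new `RUN` block creates the user at build time with `IDENTIFIED BY '${DB_PSWD}'`, so the plaintext password lands in the image's build-arg metadata (`ARG DB_PSWD` plus `docker history`) and the initialised `/var/lib/mysql`, including the user's hash, is shipped in a layer. The grant `ON *.* ... with grant option` also makes the application user a global superuser, and the values are spliced unescaped into SQL inside a double-quoted shell string, so a name or password containing `'`, `"` or `$` breaks the build or the statement (the password committed in this commit's .env already contains spaces). Move database and user creation into an entrypoint script that runs on first start from runtime environment variables (initialise the datadir if empty, start a temporary `mysqld`, run the three statements, stop it, then `exec "$@"`), scope the grant to `` `${DB_NAME}`.* `` without `WITH GRANT OPTION`, and use `'%'` instead of `'localhost'` if, as the compose file suggests, other containers connect over the network (Debian's default `bind-address = 127.0.0.1` would then need overriding too). Dropping `ARG DEBIAN_FRONTEND=noninteractive` means `apt install -y` will fall back through debconf frontends during the build; keeping it as an `ARG` rather than an `ENV` is the usual compromise.
```dockerfile
FROM debian:buster

ARG DEBIAN_FRONTEND=noninteractive

# … unchanged: apt-get install of mariadb-server / mariadb-client, rm -rf /var/lib/apt/lists/* …

# No credentials at build time: database and user are created on first start
# from DB_NAME / DB_USER / DB_PSWD in the container environment.
COPY tools/init-db.sh /usr/local/bin/init-db.sh
RUN chmod +x /usr/local/bin/init-db.sh

ENTRYPOINT ["/usr/local/bin/init-db.sh"]
CMD ["mysqld"]
```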
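Review bot: `secret.txt` adds a plaintext password (`mon_super_mot_de_passe`) to the repository while the compose hunk in this same commit removes the only reference to a secret file (which pointed at `./secret.txt` under `srcs/`, not at this path), so the file is an orphaned credential in git history. Delete it, add `**/secret.txt` and `srcs/.env` to `.gitignore`, and rotate the value if the commit has been pushed, because deleting the file in a later commit does not remove it from history.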