abandon using secret, it has too many consequences

+ use classical env technique, but it might not be safe
This commit is contained in:
hugo gogo
2022-09-08 13:05:11 +02:00
parent 035538c95d
commit 3f7a3e2170
5 changed files with 40 additions and 40 deletions

View File

@@ -61,9 +61,11 @@
- [run docker deamon rootless](https://docs.docker.com/engine/security/rootless/) - [run docker deamon rootless](https://docs.docker.com/engine/security/rootless/)
- [dangling images '<none>'](https://projectatomic.io/blog/2015/07/what-are-docker-none-none-images/) - [dangling images '<none>'](https://projectatomic.io/blog/2015/07/what-are-docker-none-none-images/)
- [go inside docker to debug it](https://docs.docker.com/engine/reference/commandline/container_exec/) - [go inside docker to debug it](https://docs.docker.com/engine/reference/commandline/container_exec/)
- [docker debug image with "docker run -it"](https://blog.devgenius.io/how-to-debug-docker-build-6c2588401188)
- `docker exec -ti <container-name> bash` to run bash inside a running container - `docker exec -ti <container-name> bash` to run bash inside a running container
- [docker CMD vs ENTRYPOINT](https://phoenixnap.com/kb/docker-cmd-vs-entrypoint) - [docker CMD vs ENTRYPOINT](https://phoenixnap.com/kb/docker-cmd-vs-entrypoint)
- [use env variable with compose](https://docs.docker.com/compose/environment-variables/) - [use env variable with compose](https://docs.docker.com/compose/environment-variables/)
- [using DEBIAN_FRONTEND=noninteractive disouraged in dockerfile](https://bobcares.com/blog/debian_frontendnoninteractive-docker/)
###### docker pid 1 ###### docker pid 1
- nginx by default will create some child process (a master and some workers), then it quits (doc ?) - nginx by default will create some child process (a master and some workers), then it quits (doc ?)
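Review bot: the new bullet `- [using DEBIAN_FRONTEND=noninteractive disouraged in dockerfile]` misspells "discouraged", and the surrounding context lines spell "daemon" as "deamon" twice; since this is a notes file, fix the spelling while it is being edited. The note would also be more useful if it recorded what is actually discouraged: the `ENV DEBIAN_FRONTEND=noninteractive` form, because an `ENV` persists into the running container, whereas a build-scoped `ARG` (the form this commit's Dockerfile used until now) is the usual alternative.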
@@ -115,8 +117,18 @@
- bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files - bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files
- volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture - volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture
###### psswd in dockerfile : ###### use password in container :
- [SO securing passwords in dockerfiles](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords) - [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
- [it's not safe to use arg to pass secret, since they are available through "docker history"](https://docs.docker.com/engine/reference/builder/#arg)
- [better use docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
- [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
- [engine ref secret](https://docs.docker.com/engine/reference/commandline/secret/)
- [compose secret](https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets)
- [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
- [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
- [four ways to use secrets](https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/)
- it seems that using "secrets" only improve security for a swarm, when you must share your secrets with others, but if not the case, .env is as much secure ?
- to use secret in docker-compose, we need to use swarm, but it doesn't allow to use build, or up, so everything is different then and I don't have time to understand it fully
#### nginx #### nginx
- [nginx begginer guide](https://hub.docker.com/_/nginx/) - [nginx begginer guide](https://hub.docker.com/_/nginx/)
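Review bot: the two new prose bullets draw conclusions the linked docs do not support. Swarm is not required: file-based compose secrets (`secrets:` with `file:`) are mounted into the container by plain `docker compose up`, and BuildKit build secrets (`docker build --secret` with `RUN --mount=type=secret`) work without any swarm setup; only externally managed secrets need swarm. And `.env` is not "as much secure": a variable injected with `env_file` is visible to every process in the container and to anyone who can run `docker inspect`, and a value passed as a build `ARG` is recorded in `docker history` (as the bullet above already states), whereas a secret mount is a file under `/run/secrets` that never lands in an image layer or in container metadata. Suggest replacing the open question in the last two bullets with that distinction.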
@@ -180,13 +192,6 @@
DROP DATABASE <name>; DROP DATABASE <name>;
``` ```
###### use password in container :
- [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
- [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
- [docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
- [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
- [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
#### php-fpm #### php-fpm
- [](https://en.wikipedia.org/wiki/FastCGI) - [](https://en.wikipedia.org/wiki/FastCGI)
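Review bot: removing the duplicated "use password in container" section is right, but the remaining context line `- [](https://en.wikipedia.org/wiki/FastCGI)` has empty link text; give it a label (for example "FastCGI (wikipedia)") while this file is being touched.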

View File

@@ -1,8 +1,8 @@
#DOMAIN_NAME=wil.42.fr #DOMAIN_NAME=wil.42.fr
## certificates ## certificates
#CERTS_=./XXXXXXXXXXXX #CERTS_=./XXXXXXXXXXXX
# # MYSQL SETUP
# MYSQL_ROOT_PASSWORD=XXXXXXXXXXXX ## MARIADB SETUP
# MYSQL_USER=XXXXXXXXXXXX DB_NAME=db_wp_inception
# MYSQL_PASSWORD=XXXXXXXXXXXX DB_USER=user_wp_inception
# [...] DB_PSWD="if you read this i will have to erase your memory"
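Review bot: a real-looking database password is now committed in `.env` (`DB_PSWD="if you read this i will have to erase your memory"`), replacing the `XXXXXXXXXXXX` placeholders the file used before. Anything committed stays in git history even after a later edit, so treat this value as compromised, add `.env` to `.gitignore`, and commit a `.env.example` with placeholders instead. Note also that compose reads `.env` for `${...}` substitution in the compose file on its own; that is separate from `env_file: .env`, which copies the same variables into the container's environment.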

View File

@@ -9,12 +9,12 @@ version: "3.8"
services: services:
# --------------------------------- # ---------------------------------
test: # test:
build: # build:
context: ./requirements/test # context: ./requirements/test
dockerfile: Dockerfile # dockerfile: Dockerfile
image: test # image: test
container_name: mytest # container_name: mytest
# --------------------------------- # ---------------------------------
nginx: nginx:
#restart: on-failure #restart: on-failure
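Review bot: commenting out the whole `test` service leaves dead configuration in the compose file; either delete the block or keep it enabled under a compose `profiles:` entry so that `docker compose up` skips it by default and it can still be started explicitly when needed.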
@@ -29,16 +29,13 @@ services:
# --------------------------------- # ---------------------------------
mariadb: mariadb:
#restart: on-failure #restart: on-failure
env_file: .env
build: build:
context: ./requirements/mariadb context: ./requirements/mariadb
dockerfile: Dockerfile args:
- DB_NAME=${DB_NAME}
- DB_USER=${DB_USER}
- DB_PSWD=${DB_PSWD}
image: mariadb image: mariadb
container_name: mymariadb container_name: mymariadb
#--secret id=mysecret,src=mysecret.txt
secrets:
- my_secret
secrets:
my_secret:
file: ./secret.txt
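Review bot: `- DB_PSWD=${DB_PSWD}` under `build.args` puts the password into image metadata: build-time `ARG` values are listed by `docker history mariadb`, which the notes file in this same commit already records as unsafe. In addition, `env_file: .env` now injects `DB_PSWD` into the running container's environment (readable with `docker inspect` and by every process in the container) even though the Dockerfile in this commit only uses the value at build time, so the runtime copy is exposure with no benefit. `DB_NAME` and `DB_USER` are fine as args; pass the password through a BuildKit secret mount (the `secrets:` lines being removed here were the right direction) or have an entrypoint read it from a file at first start, and drop `env_file` until something in the container actually needs those variables.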

View File

@@ -1,20 +1,17 @@
FROM debian:buster FROM debian:buster
ARG DEBIAN_FRONTEND=noninteractive ARG DB_NAME
ARG DB_USER
# docker build --secret tag : https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) ARG DB_PSWD
# use secret with docker : https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
RUN --mount=type=secret,id=my_secret cat /run/secrets/my_secret.txt
#RUN cat /run/secrets/my_secret.txt
RUN apt update && \ RUN apt update && \
apt install -y mariadb-client mariadb-server && \ apt install -y mariadb-client mariadb-server && \
rm -rf /var/lib/apt/lists/* && \ rm -rf /var/lib/apt/lists/* && \
\ \
service mysql start && \ service mysql start && \
mariadb --execute="CREATE DATABASE db_hugo_test;" && \ mariadb --execute="CREATE DATABASE ${DB_NAME};" && \
mariadb --execute="CREATE USER 'u_hugo_test'@'localhost' IDENTIFIED BY 'hello';" && \ mariadb --execute="CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PSWD}';" && \
mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO 'u_hugo_test'@'localhost' with grant option;" mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO '${DB_USER}'@'localhost' with grant option;"
CMD [ "mysqld" ] CMD [ "mysqld" ]
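Review bot: `CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PSWD}'` inside a `RUN` that depends on `ARG DB_PSWD` records the password in the image twice: `docker history` shows the ARG values the layer was built with, and the data directory initialised by `service mysql start` (including the user's password hash) is baked into that layer. The `RUN --mount=type=secret` line being deleted was the safer approach and could have stayed, with the value read from `/run/secrets/...` inside the same `RUN` rather than printed with `cat`. Three smaller points: `GRANT ALL PRIVILEGES ON *.* ... with grant option` gives the application user full server rights, so scope it to `${DB_NAME}.*` without grant option; the `${DB_PSWD}` value is expanded by the shell straight into a single-quoted SQL string, so a password containing a quote would break or alter the statement; and dropping `ARG DEBIAN_FRONTEND=noninteractive` is only safe as long as `apt install -y mariadb-server` never hits a debconf prompt, since the `ARG` form (unlike `ENV`) was the recommended one.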

View File

@@ -0,0 +1 @@
mon_super_mot_de_passe
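Review bot: this adds a plaintext password file (`mon_super_mot_de_passe`, presumably the `./secret.txt` that the compose `secrets:` block referenced before this commit removed it) to the repository, while the commit message says secrets are being abandoned; nothing left in the tree references it. Delete it and add it to `.gitignore`, and, like the value in `.env`, consider it already exposed since it is in history.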