
I want to pass a secret value needed by an app that runs in a Docker container.


Question

I want to pass a secret value needed by an app that runs in a Docker container. This particular container is short-lived -- it starts up, runs a command, and then terminates.

Method 1: Pass the value as an environment variable via the command line when starting the container (Docker supports this as a command line argument to starting a container). I feel like this is bad since the command will show up in process lists (with the key and all) on the host machine that started the docker container.

Method 2: Pass the value as an env variable via an env variable file. This solves the process list issue, but running docker info on the running container from the host shows a list of all the environment variables set for that container. This makes me believe Docker is storing these somewhere on disk on the host that is unsafe (since adding a new environment variable in the running container does not update this list, it must not be reading it directly in real-time).

In general, I feel like environment variables are not adequate to securely store secret data (even if only temporarily), but I do not have enough knowledge to back up this thought.

What is a secure method for passing secret data to a container?

Explanation / Answer

Environment variables are the best way to do this, specifically method 2. Docker, by default, does not allow itself to be run by users other than root. Access to the socket is prohibited. I'd say method 2 is reasonably safe, as out of the box if an attacker has root access (and can poke around in your docker containers) you're already in bad shape.

Two Docker security notes in general. Be super cautious with enabling the API, as by default there is no encryption or authentication. They have a way to use certs and TLS that they documented, but proceed with caution.

Also, if possible enable SELinux on your server. Newer versions of it are able to actually see docker containers and automatically build security contexts for each one. This prevents a container compromise from easily moving back into the host. By default docker runs as the root user, and even with the USER directive it still interfaces directly with the kernel unlike a VM. This exposes the host to any local privilege exploit as soon as a docker container is compromised.
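
Method 2 from the question, sketched as an added example that is not part of the original answer: the secret is read from stdin so it never appears in a process list, and the env file is readable only by its owner and deleted after the short-lived container exits. The function names, `API_KEY`, and the image and command in the usage comment are hypothetical; as the question observes, the variable is still visible to anyone who can inspect the container through Docker.

```shell
#!/bin/sh
# Added example (not from the original page). make_env_file and
# run_with_secret are hypothetical helper names.

# Write NAME=<value read from stdin> into a new temp file and print its path.
# The value arrives on stdin, not in argv, so it does not show up in `ps`
# output on the host (the Method 1 problem). mktemp creates the file with
# mode 0600, so other local users cannot read it.
make_env_file() {
    name=$1
    value=
    file=$(mktemp "${TMPDIR:-/tmp}/docker-env.XXXXXX") || return 1
    # read fails at EOF without a newline but still fills $value; accept that,
    # reject only truly empty input.
    IFS= read -r value || [ -n "$value" ] || { rm -f "$file"; return 1; }
    # printf is a shell builtin in bash and dash, so no child process
    # carries the secret on its command line.
    printf '%s=%s\n' "$name" "$value" > "$file"
    printf '%s\n' "$file"
}

# Run a throwaway container with the env file, then delete the file
# whatever the container's exit status was.
run_with_secret() {
    env_file=$1
    shift
    status=0
    docker run --rm --env-file "$env_file" "$@" || status=$?
    rm -f "$env_file"
    return "$status"
}

# Usage (image and command are placeholders):
#   f=$(make_env_file API_KEY < /path/to/secret) && run_with_secret "$f" example/image:tag ./job
```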
