embedded ssh keys #74
Comments
|
Well, the first thing is that in all of your containers you should have the same set of keys...right? otherwise they will not be able to talk. So you can't generate keys independently in all containers. Secondly you should not enable SSH by default. There are no points to have SSH running in all of your containers. And the last thing is that there is possibility to populate keys from ENV... but recommended way is to mount those files in your containers from secrets, so it will not be visible from |
|
I'm thinking about where someone uses this solution off the shelf and isn't paying attention. Unfortunately, that happens more than we'd like. The defaults in the docker-compose.yml have ssh enabled using the keys in the repo for the pgpool, backup, and initial master containers. Would it be possible to define generating the keys in the docker-compose file and initially place them on a volume to be shared between the containers? That would give you a working setup out of the box without having default keys hardcoded. |
|
Good case when you should look on what you install in production 😄 |
|
Or alert him about default keys.... |
|
Using env variables to control ssh-keys and passwords and then using the technique outlined in https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L4-L25 There would then be an env variable called, for example, SSH_PUBKEY which can be populated directly or the user can define a SSH_PUBKEY_FILE which will point to a file typically generated by some secrets manager. Or even by using volumes. |
|
1.8 released |
There is an ssh private key committed to the repo. There is a note in the readme about changing it, but it's not very visible. Is it possible to generate the keys on the fly and add them to a volume by default? I.e. the first time you run docker-compose it creates a volume, generates the keys on the volume, and mounts it in .ssh of all the containers?
The text was updated successfully, but these errors were encountered: