Update documentation with recommended logback config to avoid risk of DEBUG level logs exposing user credentials

[kshpak]

Please hide user credentials when DEBUG level is used for logging. Configuration took from https://www.testcontainers.org/supported_docker_environment/logging_config/ and changed for DEBUG.
When DEBUG level logs are required for issue to be resolve this can cause unnecessary problems for users

[rnorth]

There's unfortunately nothing we can do about the apache wire level logs, which I think you're referring to.

Testcontainers itself already hides any sensitive values in its own logs, e.g.:

    16:57:06.458 DEBUG org.testcontainers.utility.RegistryAuthLocator - Cached auth found: [AuthConfig{username=richnorth, password=hidden non-blank value, auth=blank, email=null, registryAddress=index.docker.io, registryToken=blank}]
    16:57:06.458 DEBUG org.testcontainers.dockerclient.AuthDelegatingDockerClientConfig - Effective auth config [AuthConfig{username=richnorth, password=hidden non-blank value, auth=blank, email=null, registryAddress=index.docker.io, registryToken=blank}]

Or are you seeing an org.testcontainers logger emitting something sensitive?

I'm afraid if the global log level is raised to debug then other libraries logs (such as com.github.dockerjava.zerodep.shaded.org.apache.hc.client5.http.wire) will still be omitted, and need to be filtered out if sharing.

Raising the log level for just org.testcontainers to DEBUG:

<logger name="org.testcontainers" level="DEBUG"/>

would hopefully have the desired effect of showing Testcontainers' debug logs but nothing else.

I think we should add explicitly this to our documentation to make this clearer.

[kshpak]

@rnorth you're right it's mainly from com.github.dockerjava
Logs from org.testcontainers shows the username only from what I saw

[rnorth]

OK, that's something.

We will update our docs so that other people don't fall into the same trap. Sorry if this caused you inconvenience 🙇‍♂️

[kshpak]

Is this the issue for docker-java then?

[rnorth]

It's not really something that docker-java can fix either, because it's a shaded dependency. The actual upstream dependency is Apache HTTP Client (the org.apache.hc.client5.http.wire part).

As long as I can remember, Apache HTTP client has had 'wire' debug level logs which show the raw request/responses. Personally I think these being at DEBUG is a bit too verbose, but others may disagree, and I think this won't ever change.

I think what I'd propose to help our users is, in our docs (our logging recommendations):

• Explicitly turn the apache client wire level logs OFF
• Show how to change Testcontainers' logs to DEBUG level (by changing the appender not the root log level)

[edysli]

Hi! I'd like to work on this. :) Is docs/supported_docker_environment/logging_config.md the right file to modify?