Docker, with its slogan "Dockerize everything", presents a "standard software" attitude to the world and keeps reshaping how we think about software. Yet is the reality as complete as imagined? Every new technology, at the moment of its birth, goes through a process: it either withers or matures step by step. Faced with Docker's sudden rise, where does the essence of traditional software go? Both questions are worth thinking about.
In the earlier article "The plaintext password problem in storage-class Docker containers" we saw that combining storage-class software with Docker brings small but real security risks, the plaintext password problem among them.
For the past few decades, creating a MySQL database has been a human-driven process that can roughly be divided into three steps:
1. Operations staff create a machine, then install and configure the MySQL server;
2. A DBA manages the MySQL databases: creating and deleting databases, changing permissions, and so on;
3. Developers use the database the DBA delivers and perform CRUD operations on it.
Over many years MySQL settled into this delivery model, and nothing foreshadowed trouble before Docker appeared. After Docker was born, however, MySQL's journey into Docker has not been entirely smooth.
As the saying goes, Docker's arrival greatly promoted the development of DevOps. Combining MySQL with Docker did not directly change MySQL itself, but it did accelerate operations: the long manual procedure above, with its multi-party coordination, collapses into a single docker run command. That is a qualitative leap in automation, but when we look closely at the automated process we also find a hidden danger: the MySQL container plaintext password problem.
The MySQL container plaintext password problem is this: when a MySQL Docker container is created, the password for the MySQL storage engine is passed in as an environment variable. MySQL itself stores only a hash of the password, but the environment variable keeps the plaintext, and anyone who can run docker inspect on the container, or read /proc/<pid>/environ of its process, can recover it. That is a security risk.
Plaintext password solution
The root of the plaintext password problem is that Docker automates the whole process and passes configuration through environment variables, which inevitably records the password in plaintext. Throughout a normal MySQL container creation, the password in the environment variable and the password set in the MySQL engine are always the same. If the password a user sets could end up only in the MySQL engine, and in no environment variable that exposes it in plaintext, the problem would be solved. In other words, the user's password for the MySQL container has to bypass the environment variable. As everyone knows, environment variables are the most common way to configure things in the Docker world; even the container-to-container communication set up by docker link is ultimately done through environment variables.
Suppose the Docker daemon creates two MySQL containers named MySQL1 and MySQL2, whose MySQL root passwords are daocloud and docker respectively. The commands used to create them are:
docker run -d -e MYSQL_ROOT_PASSWORD=daocloud --name MySQL1 mysql
docker run -d -e MYSQL_ROOT_PASSWORD=docker --name MySQL2 mysql
Suppose a user wants a MySQL container whose password, daocloud, is not leaked. To get around the plaintext password problem by bypassing the environment variable, we can follow these three steps.
1. Create two MySQL containers, MySQL1 and MySQL2, with MySQL root passwords daocloud and docker respectively;
2. Once MySQL1 has finished starting, stop it with docker stop, copy everything in its volume (volume1), and finally remove the MySQL1 container with docker rm;
3. Once MySQL2 has finished starting, stop it with docker stop, delete all files in its volume (volume2), copy the contents of volume1 into volume2, and finally start MySQL2 again.
After these three steps we deliver the MySQL2 container directly. Its MySQL root password is now daocloud, which was the goal. The MYSQL_ROOT_PASSWORD environment variable of MySQL2 still says docker, but the password hash in the MySQL engine is now the hash of daocloud; the delivered MySQL2 container contains the plaintext string daocloud nowhere, and MySQL1, which is no longer needed, has been removed. This works because the official mysql image's entrypoint only runs its initialisation, including setting the root password from MYSQL_ROOT_PASSWORD, when the data directory is empty; after the swap volume2 is already populated, so the variable is still present but never applied. One caveat: the real password was still typed on the command line that created MySQL1, so shell history and anyone watching the process list at that moment saw it; the swap protects the delivered container, not the operator's session.
Replacing the volume is a rather clever implementation: it transfers the password hash while rendering the plaintext environment variable ineffective.
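The three steps above as a script, added here as an illustration and not DaoCloud's own tooling. It assumes the official mysql image (data under /var/lib/mysql, initialisation only when that directory is empty), Docker 1.8 or newer for the .Mounts field of docker inspect, and the container and password names used in the article; the throw-away container name MySQL2-init (playing the MySQL1 role) and the helper functions are this example's own. It also adds a check the article implies but does not show: that the delivered container's recorded environment carries only the decoy.

```shell
#!/bin/sh
# Added example, not DaoCloud's own tooling: deliver a MySQL container whose
# MYSQL_ROOT_PASSWORD environment variable is only a decoy, by swapping in the
# data volume of a throw-away container that was initialised with the real password.
# Assumes the official "mysql" image (data under /var/lib/mysql, initialisation
# only when that directory is empty) and Docker >= 1.8 (.Mounts in docker inspect).
# Usage: deliver_mysql_container MySQL2 daocloud docker
set -eu

DATADIR=/var/lib/mysql

# Host directory that backs a container's /var/lib/mysql volume.
volume_path() {
    docker inspect -f "{{range .Mounts}}{{if eq .Destination \"$DATADIR\"}}{{.Source}}{{end}}{{end}}" "$1"
}

# Wait until the entrypoint has finished initialising: it exec's mysqld as PID 1
# only after setup is done, and the server must also answer a ping.
wait_ready() {
    n=0
    while [ "$n" -lt 120 ]; do
        if [ "$(docker exec "$1" cat /proc/1/comm 2>/dev/null || true)" = mysqld ] \
            && docker exec "$1" mysqladmin --silent ping >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    echo "timed out waiting for $1" >&2
    return 1
}

# $1 = container to deliver (MySQL2), $2 = real root password (daocloud),
# $3 = decoy password that stays visible in the environment (docker).
deliver_mysql_container() {
    name=$1 real_pw=$2 decoy_pw=$3
    scratch="${name}-init"   # hypothetical name for the article's MySQL1 role

    # Step 1: a throw-away container initialised with the real password; its data
    # directory ends up holding only the hash of $real_pw ...
    docker run -d -e "MYSQL_ROOT_PASSWORD=$real_pw" --name "$scratch" mysql >/dev/null
    # ... and the container to deliver, initialised with the decoy. This is the
    # only docker run line that docker inspect will ever show for it.
    docker run -d -e "MYSQL_ROOT_PASSWORD=$decoy_pw" --name "$name" mysql >/dev/null
    wait_ready "$scratch"
    wait_ready "$name"

    # Steps 2 and 3: stop both, replace volume2 with a copy of volume1, drop the
    # scratch container together with volume1, restart the delivered container.
    docker stop "$scratch" "$name" >/dev/null
    src=$(volume_path "$scratch")
    dst=$(volume_path "$name")
    # The copy runs in a helper container so no root shell on the host is needed.
    docker run --rm --entrypoint sh -v "$src:/from:ro" -v "$dst:/to" mysql \
        -c 'rm -rf /to/* && cp -a /from/. /to/'
    docker rm -v "$scratch" >/dev/null
    # volume2 is no longer empty, so the entrypoint skips initialisation and the
    # decoy MYSQL_ROOT_PASSWORD is never applied.
    docker start "$name" >/dev/null
}

# Check: does the container's recorded environment still carry this password?
# Exit status 0 means it does (the decoy should, the real one must not).
leaks_password() {
    docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$1" \
        | grep -qxF "MYSQL_ROOT_PASSWORD=$2"
}
```

After delivery, `leaks_password MySQL2 daocloud` should fail and `leaks_password MySQL2 docker` should succeed: the daemon still records an environment variable, but it is the decoy. The copy step deliberately runs inside a helper container started from the same image, so the operator needs Docker access but not a root shell on the host.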
Docker layer and application layer
Practice confirms that the solution is feasible. Still, many readers will by now have doubts about it: is replacing the volume really a reasonable solution?
I believe many people would consider the following view an equally reasonable solution.
The plaintext password is of course a big problem, but once the MySQL container has been created the user has full privileges: they can log in to the MySQL engine with mysql-client or a similar tool and change the root password, for example with a SET PASSWORD statement. The end result is the same: the changed password is reflected in the hash stored in the volume, and the plaintext password in the Docker container's environment variable becomes invalid.
Admittedly this view is also feasible. Comparing the two solutions carefully, however, reveals some obvious differences.
The biggest difference is undoubtedly generality. Replacing the volume adds some extra operations to the container creation process (creating two containers, starting them, replacing the volume, and so on), but overall its advantage is clear. Where does the generality show? This article uses a MySQL container as the example, but other storage-class Docker containers such as MongoDB and Redis can use the same approach.
In other words, for storage-class Docker images the Docker daemon administrator does not need to know which service is running inside the container: replacing the volume is a mechanical operation that invalidates the plaintext password. Changing the password through mysql-client, on the other hand, can only be done by the user of the container, and in reality the Docker daemon administrator and the container user are often not the same person, especially in public cloud services. A container delivered by the Docker daemon would then need a second round of processing by the user before it truly meets the customer's needs, which is hardly satisfactory in terms of convenience.
A more detailed comparison shows that the two implementations stand on different footings. Replacing the volume starts from the Docker layer; changing the password starts from the application layer.
What is the Docker layer?
Docker is a piece of software, and Docker images, Docker containers and so on, together with the management of containers (starting and stopping, setting environment variables, and so on), are what I call the Docker layer.
What is the application layer?
The application layer here refers to the content inside the container that is directly related to the user's image or application.
Take MySQL again: when a MySQL container is started from the MySQL image, the environment variable MYSQL_ROOT_PASSWORD is used. Environment variables as such are a Docker-layer concept, for a simple reason: the Docker daemon mechanically applies every user-supplied environment variable to the container's process without caring what role a particular variable plays inside the container. The specific environment variable named MYSQL_ROOT_PASSWORD, by contrast, is an application-layer concept: it may be used by the application process inside the container and ultimately affects that application.
By the same token, the volume is a Docker-layer concept, while the specific content inside the volume is an application-layer concept. Operating on a container through its volume is therefore a Docker-layer operation that does not touch the content of the application layer. Understanding the details of the application inside the container and then acting on the application process accordingly is an application-layer operation.
Summary
The plaintext password problem of storage-class Docker containers comes down to this: a password intended for the application layer must be passed through a Docker-layer environment variable, and that Docker-layer environment variable always remains, in plaintext, in several places (the container's recorded configuration, the process environment, the command line that created it). Replacing the volume solves the plaintext password problem of storage-class Docker containers from the Docker layer. Note that later versions of the official mysql image also accept MYSQL_ROOT_PASSWORD_FILE, which reads the password from a file mounted into the container; for that image the variable can be avoided without a volume swap, but that is an image-specific, application-layer mechanism rather than a general one.