-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can use Docker secrets without Docker Swarm #588
Comments
Thanks @chughts. @RamSubbarao could you please update this doc? Relevant link confirming that Docker Compose can also be used: https://docs.docker.com/compose/how-tos/use-secrets/ |
Thanks @arthurbarr Some additional notes: I think an improved example of creating a secret would be:
A Posix of
|
@chughts why do you suggest that creating the secret via an environment variable would be an improvement? The reason we're moving away from environment variables in the first place, is that they're considered insecure. I agree that the stdin method is also insecure, but the secure ways of doing it (e.g. via GPG) are more cumbersome. |
on one line only, the password is in an environment variable only for the length of time it takes to construct the secret. Whereas piping it into a file, requires removal of the file. scratch that, its the equivalent of
but imho easier on the eye.
and is an environment variable only for the length of time it takes to construct the secret. |
Yes, it's only for a short time, but then with the printf technique it's never in the environment (but would be in the |
By the way, why the DEVELOPER image doesn't just has default password "passw0rd" ? And only when you need to override it, to play around with secrets, docker-compose, swarm....? |
IBM no longer uses default credentials for security reasons. For example, it can be too easy to accidentally use a developer image in a production environment and compromise your system, or to be unaware of the default credential (there are many network endpoints which could have such credentials, even in MQ), and thus create a vulnerability. |
The statement
in
docs/developer-config.md
is not true.It is also possible to use
compose
with both Docker and Podman the secrets end up in the same place/run/secrets
. Though this does necessitate a docker-compose.yaml file.The text was updated successfully, but these errors were encountered: