security - 我应该如何存储 docker 凭据？

Question

首先，我想说我在安全和身份验证方面的知识非常有限。

我有一个应用程序可以从 docker store 中提取和运行容器。这是一个私有(private)仓库，所以我需要传递用户名和密码，以便用户可以拉取。在 Mac 上，登录凭据存储在钥匙串(keychain)中，用户可以打开他们的钥匙串(keychain)并以纯文本形式读取密码。如何防止这种情况，使用户看不到我的凭据？

凭据当前以纯文本形式存储在 json 中。我知道这不是一个好的做法，但即使它是加密的(就我而言)，它也必须在登录前解密，并在登录后存储在钥匙串(keychain)中，因此钥匙串(keychain)仍会存储我的凭据.

Answer 1

你可能想看看Docker secrets

In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code. In Docker 1.13 and higher, you can use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it. Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.

Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service. Stateful containers can typically run with a scale of 1 without changing the container code.