Thanks for the feedback, Kolbe.

On 10/23/2015 06:41 PM, Kolbe Kegel wrote:
I find the use of environment variables to hold passwords to be a really troubling feature of the way many Docker images are built and used.
I agree this is not a very good solution and we need to come up with something better that will also work in Kubernetes. If anybody knows about something handy, I'd be glad to hear about it. So far, we've just used what other images do, which is not ideal at all.
In an environment where Docker linking is not used, perhaps the environment variable problem is somewhat less severe. But I'm really troubled by this statement:
"Changing database passwords through SQL statements or any way other than through the environment variables aforementioned will cause a mismatch between the values stored in the variables and the actual passwords. Whenever a database container starts it will reset the passwords to the values stored in the environment variables."
That sounds to me like a security catastrophe.
In case the user cares about keeping the container password unknown to other containers and the Docker daemon itself, the stack can be initialized with some init-only root password and changed afterwards. If I understand what your concern is, it's the reset of the password, right? I guess we may change that behavior to not do anything if the password is not set and the data directory is already initialized. Is that something that would help here from your point of view?

Honza
Kolbe
On Oct 22, 2015, at 11:26 PM, Honza Horak <hhorak@redhat.com> wrote:
For those who are interested in containers, I'd like to share a Docker image that we've produced at Red Hat in cooperation with the OpenShift guys, and I will be really glad for any feedback you have.
The image can be used in OpenShift or run directly. But what I find really interesting is a PoC implementation of master/slave that is not documented as an official feature yet, but it can be used as simply as this:
docker pull centos/mariadb-100-centos7

docker run -e MYSQL_MASTER_USER=master \
    -e MYSQL_MASTER_PASSWORD=master \
    -e MYSQL_DATABASE=db \
    -e MYSQL_USER=user \
    -e MYSQL_PASSWORD=foo \
    -e MYSQL_ROOT_PASSWORD=rootpasswd \
    -d centos/mariadb-100-centos7 mysqld-master

docker run -e MYSQL_MASTER_USER=master \
    -e MYSQL_MASTER_PASSWORD=master \
    -e MYSQL_DATABASE=db \
    -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \
    -d centos/mariadb-100-centos7 mysqld-slave
More info about the image available here: https://hub.docker.com/r/centos/mariadb-100-centos7/
As said above, any feedback welcome :)
Honza
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
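The start-up behaviour proposed in the reply above (do nothing when the data directory is already initialized and no password variable is set), sketched as an added example that is not part of the original thread or of the image's own scripts. The function names, the check for a `mysql` subdirectory and the refusal to initialize without a password are assumptions.

```shell
#!/bin/sh
# Added example: decide what a database container entrypoint should do with
# MYSQL_ROOT_PASSWORD at start-up. All names below are hypothetical.

# Assumption: an initialized data directory contains the "mysql" system schema.
datadir_initialized() {
    [ -d "$1/mysql" ]
}

# Prints one of: init | keep | reset | error
password_action() {
    datadir=$1
    if datadir_initialized "$datadir"; then
        if [ -z "${MYSQL_ROOT_PASSWORD:-}" ]; then
            echo keep     # a password changed through SQL stays in force
        else
            echo reset    # the operator explicitly supplied a value
        fi
    elif [ -z "${MYSQL_ROOT_PASSWORD:-}" ]; then
        echo error        # assumption: never create root without a password
    else
        echo init         # first start: use the init-only password
    fi
}

# Drop the secrets from the shell's environment before exec'ing the server,
# so the server process does not inherit them. Values passed with
# `docker run -e` still remain visible in `docker inspect`.
scrub_password_env() {
    unset MYSQL_ROOT_PASSWORD MYSQL_PASSWORD MYSQL_MASTER_PASSWORD
}

# Demo on a constructed, empty data directory.
demo=$(mktemp -d)
unset MYSQL_ROOT_PASSWORD
echo "fresh, no password:       $(password_action "$demo")"
MYSQL_ROOT_PASSWORD=init-only
echo "fresh, password set:      $(password_action "$demo")"
mkdir "$demo/mysql"
echo "initialized, password set: $(password_action "$demo")"
scrub_password_env
echo "initialized, no password: $(password_action "$demo")"
rm -rf "$demo"
```

With this logic the container can be started once with an init-only password, the password changed through SQL, and later restarts run without the variable so nothing is overwritten.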