Thanks for the feedback, Kolbe.
On 10/23/2015 06:41 PM, Kolbe Kegel wrote:
I find the use of environment variables to hold passwords to be a really
troubling feature of the way many Docker images are built and used.
I agree this is not a very good solution and we need to come up with
something better, that will also work in kubernetes. If anybody knows
about something handy, I'd be glad to hear about it. So far, we've just
used what other images do, which is not ideal at all.
In an environment where Docker linking is not used, perhaps the environment
variable problem is somewhat less severe. But I'm really troubled by this
statement:
"Changing database passwords through SQL statements or any way other than
through the environment variables aforementioned will cause a mismatch between the
values stored in the variables and the actual passwords. Whenever a database
container starts it will reset the passwords to the values stored in the
environment variables."
That sounds to me like a security catastrophe.
In case the user cares about keeping the container password unknown to
other containers and the docker daemon itself, the stack can be initialized
with some init-only root password and changed afterwards. If I
understand what your concern is, it's the reset of the password, right?
I guess we may change that behavior to not do anything if the password is
not set and the data directory is already initialized. Is it something that
would help here from your point of view?
Honza
Kolbe
On Oct 22, 2015, at 11:26 PM, Honza Horak <[email protected]> wrote:
For those who are interested in containers, I'd like to share a Docker image
that we've produced at Red Hat in cooperation with the OpenShift guys. We will be
really glad for any feedback you have.
The image can be used in OpenShift or run directly. But what I find really
interesting is a PoC implementation of master/slave, which is not documented as
an official feature yet, but it can be used as simply as this:
docker pull centos/mariadb-100-centos7
docker run -e MYSQL_MASTER_USER=master \
    -e MYSQL_MASTER_PASSWORD=master \
    -e MYSQL_DATABASE=db \
    -e MYSQL_USER=user \
    -e MYSQL_PASSWORD=foo \
    -e MYSQL_ROOT_PASSWORD=rootpasswd \
    -d centos/mariadb-100-centos7 mysqld-master
docker run -e MYSQL_MASTER_USER=master \
    -e MYSQL_MASTER_PASSWORD=master \
    -e MYSQL_DATABASE=db \
    -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \
    -d centos/mariadb-100-centos7 mysqld-slave
More info about the image is available here:
https://hub.docker.com/r/centos/mariadb-100-centos7/
As said above, any feedback welcome :)
Honza
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help : https://help.launchpad.net/ListHelp
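An added example, not part of the thread and not the image's own entrypoint code: the start-up decision proposed in the reply (do nothing when no password is set and the data directory is already initialized), next to the reset-on-every-start behaviour quoted from the image documentation. The function names, the action keywords and the test for an initialized data directory (a "mysql" subdirectory) are assumptions.

```shell
#!/bin/sh
# Added example: which password action a container start-up script takes.
# Assumptions: a data directory counts as initialized once it contains a
# "mysql" subdirectory; function names and action keywords are hypothetical.

datadir_initialized() {
    [ -d "$1/mysql" ]
}

# Behaviour quoted in the thread: every start pushes the variable's value
# into the server, so a password changed through SQL is overwritten.
# Assumes the variable is set, as in the docker run commands in the thread.
password_action_current() {    # args: datadir, root password from env
    if datadir_initialized "$1"; then
        echo reset
    else
        echo init
    fi
}

# Behaviour proposed in the reply: an initialized data directory with no
# password variable is left untouched, so the variable is needed only once.
password_action_proposed() {   # args: datadir, root password from env
    if ! datadir_initialized "$1"; then
        # Nothing to fall back on: refuse to create a passwordless server.
        if [ -n "$2" ]; then echo init; else echo fail; fi
    elif [ -n "$2" ]; then
        echo reset
    else
        echo skip
    fi
}

# Constructed walk-through: first start with an init-only password, then a
# restart after the password was changed through SQL.
demo() {
    d=$(mktemp -d)
    echo "first start, variable set:       $(password_action_proposed "$d" init-only-pw)"
    mkdir "$d/mysql"   # stands in for the server initializing its datadir
    echo "restart, variable removed:       $(password_action_proposed "$d" "")"
    echo "restart, quoted behaviour:       $(password_action_current "$d" init-only-pw)"
    rm -rf "$d"
}
demo
```

With the proposed logic, the restart that omits the variable reports "skip", so the password set through SQL survives; the quoted behaviour reports "reset" on the same restart.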