Dear OpenXPKI Fellows,

thanks to all who joined our HandsOn session last week - I hope you enjoyed the presentation as much as we did.

As it was not the first time somebody asked for a "production docker setup", we discussed this internally and decided to request your feedback on that topic. The main reason for us not recommending docker for production at this time is a lack of security due to unmanaged file system permissions and the reliability of the tools used during the automated bootstrap. These tools are working for a standard demo case but are not really reviewed and tested, so we do not want anybody to really rely on this for a real-world PKI setup.

To solve those issues we outlined two possible solutions:

Option 1: Super-Simplified-Setup - we add the current default configuration into the container and expose a config directory that allows you to provide a custom setup for the profiles and likely some other basic settings like SMTP credentials and addresses and merge this in a way that creates a secure environment inside the container. Initial provisioning of the tokens should be done during an initialisation step where you provide the CA tokens on a separate mount point to the container.

Option 2: Split-Configuration-Layout - we define some more mount-points / volumes to map configuration into the container and leave the initial provisioning to an educated administrator who needs to run the required commands himself. This gives you the flexibility to do almost anything inside docker you can do with a full instance but leaves some responsibility at your desk.

We would be happy to get your feedback, feel free to share your personal configuration/setup/expectation so we can see how YOU are using OpenXPKI.

best regards

Oliver

--
Protect your environment - close windows and adopt a penguin!
