Hi, I've just opened bug 1687922 "httpd container image contains private key localhost.key and localhost.crt".

When using the RedHat image for httpd (from https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/httpd-24-rhel7/images/2.4-85), a private key for a certificate is stored in path /etc/pki/tls/private/localhost.key. The RedHat Container Image Guideline (https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines) states that:

    It is also possible and recommended to pass secrets such as certificates and keys into the container using environment variables. This ensures that the secret values do not end up committed in an image and leaked into a Docker registry.

Now all the containers based on rhscl/httpd-24-rhel7 have the same certificate (private key and cert). And this is a high security risk.

I think the best solution is to remove the certificate in the base image, and create an init script to generate a new certificate. This way we ensure security (no certificates in the base image) and usability (if we just remove the certificate, then https will not work by default, as there is no certificate).

Regards,

--
Alberto Gonzalez de Dios
OPENSHIFT PROACTIVE SUPPORT ENGINEER, RHCE, RHCSA
Red Hat EMEA <https://www.redhat.com>
Paseo de la Castellana, 259C Madrid, Spain
algon...@redhat.com
_______________________________________________ SCLorg mailing list SCLorg@redhat.com https://www.redhat.com/mailman/listinfo/sclorg
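The init-script approach proposed in the message above, as an added example (not code from the rhscl/httpd-24-rhel7 image, from Red Hat, or from the poster): an entrypoint fragment that leaves any injected key and certificate untouched, generates a fresh self-signed pair at container start when nothing was injected, and keeps the private key mode 0600. It assumes the openssl CLI is present in the image; the file paths in the usage block are the ones the message names, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or the Red Hat image.
# Generates a per-container self-signed certificate at start-up when none
# was injected, so no private key has to be baked into the image layers.
# Assumes the openssl CLI is available inside the container.
set -eu

# ensure_tls_cert KEYFILE CRTFILE [CN] [DAYS]
# - both files present: keep them (e.g. a key/cert mounted from a Secret)
# - only one present: refuse, so a mounted key is never silently overwritten
# - neither present: generate a new key (0600) and matching certificate
ensure_tls_cert() {
    key=$1
    crt=$2
    cn=${3:-localhost}
    days=${4:-365}

    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0                      # injected or generated earlier; keep it
    fi
    if [ -s "$key" ] || [ -s "$crt" ]; then
        echo "ensure_tls_cert: only one of $key / $crt exists, refusing" >&2
        return 1
    fi

    mkdir -p "$(dirname "$key")" "$(dirname "$crt")"
    # umask in a subshell: the key is created 0600 from the start, and the
    # restrictive mask does not leak into the rest of the entrypoint.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -keyout "$key" -out "$crt" -days "$days" \
          -subj "/CN=$cn" >/dev/null 2>&1 )
    chmod 0644 "$crt"                 # the certificate is public; key stays 0600
}

# cert_fingerprint CRTFILE: SHA-256 fingerprint of the certificate, which is
# what lets you confirm two containers no longer share one identity.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# key_is_private KEYFILE: true only when the key is exactly mode 0600
# (find prints the path only on a permission match; portable across find(1)s).
key_is_private() {
    [ -n "$(find "$1" -perm 0600)" ]
}

# Entrypoint usage: `entrypoint.sh init` provisions the paths the original
# message names, then the real httpd start-up can follow.
if [ "${1:-}" = "init" ]; then
    ensure_tls_cert /etc/pki/tls/private/localhost.key \
                    /etc/pki/tls/certs/localhost.crt "$(hostname)"
    echo "TLS cert fingerprint: $(cert_fingerprint /etc/pki/tls/certs/localhost.crt)"
fi
```

Because the function returns early when both files already exist, a key and certificate mounted from a Secret (or written from environment variables by an earlier step, as the quoted guideline recommends) take precedence over generation, and running the script on every container start is idempotent.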