maria-discuss team mailing list archive

Thread
Date

Re: CentOS Docker Container Image not only for OpenShift

To: Honza Horak <hhorak@xxxxxxxxxx>
From: Otto Kekäläinen <otto@xxxxxxxxx>
Date: Sat, 24 Oct 2015 14:54:17 +0300
Cc: MariaDB discuss <maria-discuss@xxxxxxxxxxxxxxxxxxx>, Kolbe Kegel <kolbe.kegel@xxxxxxxxxxx>
In-reply-to: <562A8B12.5040408@redhat.com>

2015-10-23 22:31 GMT+03:00 Honza Horak <hhorak@xxxxxxxxxx>:
>> That sounds to me like a security catastrophe.
>
>
> In cases user cares about keeping the container password unknown to other
> containers and docker daemon itself, the stack can be initialized with some
> init-only root password and changed afterwards. If I understand what your
> concern is, it's the reset of the password, right? I guess we may change
> that behavior to not do anything if password is not set and data directory
> is already initialized. Is it something what would help here from your point
> of view?

Suggestion: use unix_socket for mysql root as the authentication
method, and you don't need a password for it at all, thus avoiding the
password management problem when creating the container.

Once to container is running, ssh into the centos7-mariadb-container
and create the user accounts with the passwords you need. You don't
need to store them as part of the container in plain-text anywhere,
just save them at the other end of the connection where it is actually
needed.



Create docker container for master mysqld:

docker run -e MYSQL_DATABASE=db -d centos/mariadb-100-centos7 mysqld-master

Create users into the newly bootstrapped database:

docker exec -it <container id> mysql -u root -e 'create user appuser
identified by password.....' db
docker exec -it <container id> mysql -u root -e 'create user slaveuser
identified by password.....' db


Alternatively you could create these users directly into the database
before running it in a container, or they might exist already when you
run the container on an old database. You anyway need to factor in
that the database must be on a data volume and that you will be
restarting the mysqld container using the same 'docker run' command
above.

Then you save the appuser and slaveuser credentials into your
provisioning system and use them when you start the apps or slaves
that want to connect to you master mysqld container.

Slaves could start with:
  docker run -e MYSQL_MASTER_USER=slaveuser \
             -e MYSQL_MASTER_PASSWORD=<xxx> \
             -e MYSQL_DATABASE=db \
             -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \
             -d centos/mariadb-100-centos7 mysqld-slave

One password is still here, but it might be required here so that the
slave can reconnect any any time. Storing the password somehow in a
file on the slave container would perhaps be the best avenue to solve
the insecure env variables issue.


Note: I haven't actually tested if this really works, I am just throwing ideas.

References

CentOS Docker Container Image not only for OpenShift
From: Honza Horak, 2015-10-23
Re: CentOS Docker Container Image not only for OpenShift
From: Honza Horak, 2015-10-23