Specifying superuser PostgreSQL password for a Doc

2020-07-03 06:57发布

问题:

When running a PostgreSQL database in a Docker container, the documentation for the official PostgreSQL Docker Image specifies that the administrator password should be set in an environmental variable like:

docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres

For those that do not want to hard-code a plain-text password in their scripts, are there more secure options to consider?

回答1:

Injecting configuration settings as environment variables is the approach to application configuration recommended by the 12 factor app website.

  • http://12factor.net/config

Alternatively you could create your own container that reads it's configuration from custom configuration file:

docker run -d mydockerapp --config mydevconfig.yaml

But really the use of environment variables has the edge in terms of flexibility because it is ubiquitous across all platforms. To make environment variables more palatable you could specify them within a file. This at least will ensure a malicious user on the same machine could not glean credentials from a process listing:

$ cat env.db 
POSTGRES_DB=myappdb
POSTGRES_USER=admin
POSTGRES_PASSWORD=pleasechangeme

$ docker run --name postgres --env-file=env.db -d postgres

Finally, I discovered that there are a number of outstanding feature requests for better secret support by docker:

  • https://github.com/docker/docker/issues/13490

In my experience convenience has a habit of trumping security, so I imagine it will take time for an acceptable solution to gain sufficient mind-share. Personally I forsee a solution emerging that emulates what the Kubernetes project is doing with encrypted data volumes:

  • https://kubernetes.io/docs/concepts/configuration/secret/