Question
A common setup with Docker: two Linux containers, one a .NET Core WebServer using EntityFramework, the other a MS-SQLServer 2017. Persistent data is being held in a Docker volume. Using docker-compose, it's not a swarm.
When starting the SQLServer container, one must provide the SA password as an environment variable to the container. However you provide that, it is possible to later read this env from outside the container using docker container inspect, which obviously compromises security.
That leads me to two questions:
What better ways are there to provide the SA password to the SQLServer?
(discussed in another thread) The Microsoft help states that it's best to change the SA password directly after starting the container. When I do that in my WebServer code, EntityFramework is already connected with the default SA password (the one I provided as env). I can change the password easily. But how can I tell EntityFramework to reset its ConnectionString? (more on that in the linked thread)
Answer 1:
- What better ways are there to provide the SA password to the SQLServer?
You need to use a single-container swarm for that. Once you do that, you can use Docker Secrets to pass in your credentials.
- The Microsoft help states that it's best to change the SA password directly after starting the container. When I do that in my WebServer code, EntityFramework is already connected with the default SA password (the one I provided as env). I can change the password easily. But how can I tell EntityFramework to reset its ConnectionString?
A single-container swarm solves this problem automatically. Every time you update your secret, docker terminates all the containers that use the modified secret and reinitializes them with the new secret. Also, docker does it automatically. There would definitely be downtime and to prevent that, you can put two containers and start a rolling upgrade of your service.
Edit: With swarm mode, you don't have to worry about changing your docker-compose file because the same file, with some added fields, can serve as your docker-stack file.
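As an added illustration of the approach in this answer (not code from the original post), here is a constructed stack file for a single-node swarm that delivers the SA password through a Docker secret instead of an environment variable. The secret name `sa_password`, the stack name `app`, the web image name and the bash wrapper around `sqlservr` are assumptions; the image tag, `ACCEPT_EULA`, `MSSQL_SA_PASSWORD`, `/opt/mssql/bin/sqlservr` and `/var/opt/mssql` are the documented values of the SQL Server 2017 Linux image.

```yaml
# docker-stack.yml (constructed example)
# One-time setup:   docker swarm init
#                   printf '%s' "$SA_PW" | docker secret create sa_password -
# Deploy:           docker stack deploy -c docker-stack.yml app
version: "3.7"

services:
  db:
    image: mcr.microsoft.com/mssql/server:2017-latest
    environment:
      ACCEPT_EULA: "Y"
      # Weak setting from the question, kept only for contrast. Anything set
      # here ends up in Config.Env and is shown by `docker container inspect`.
      # MSSQL_SA_PASSWORD: "ChangeMe_Now1"
    secrets:
      - sa_password          # mounted read-only at /run/secrets/sa_password
    # The image only reads the password from an environment variable, so a
    # small wrapper exports it inside the container process. It is never part
    # of the container's configuration, so `docker container inspect` does not
    # reveal it. `$$` is how Compose/stack files escape a literal `$`.
    command: >
      /bin/bash -c 'export MSSQL_SA_PASSWORD="$$(cat /run/secrets/sa_password)"
      && exec /opt/mssql/bin/sqlservr'
    volumes:
      - mssql-data:/var/opt/mssql
    deploy:
      replicas: 1

  web:
    image: example/webserver:latest   # placeholder for the .NET Core WebServer
    secrets:
      - sa_password          # the app reads the same file to build its connection string
    deploy:
      replicas: 1

secrets:
  sa_password:
    external: true           # created with `docker secret create` above

volumes:
  mssql-data:
```

Swarm secrets are immutable, so a rotation means creating a new secret and pointing the service at it, e.g. `docker service update --secret-rm sa_password --secret-add source=sa_password_v2,target=sa_password app_db`, which is the restart the answer describes.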
Source: https://stackoverflow.com/questions/57968574/how-can-i-securely-provide-sa-password-to-sqlserver2017-linux-docker-container