embedded ssh keys about postdock HOT 7 CLOSED

I'm thinking about where someone uses this solution off the shelf and isn't paying attention. Unfortunately, that happens more than we'd like.

The defaults in the docker-compose.yml have ssh enabled using the keys in the repo for the pgpool, backup, and initial master containers. Would it be possible to define generating the keys in the docker-compose file and initially place them on a volume to be shared between the containers? That would give you a working setup out of the box without having default keys hardcoded.

from postdock.

Good case when you should look on what you install in production 😄
But I got your point, unfortunately the maximum we can do here is to stop populating keys with docker build and don't allow to start SSH without keys. So it will enforce user of the system to create and put keys...

from postdock.

Well, the first thing is that in all of your containers you should have the same set of keys...right? otherwise they will not be able to talk. So you can't generate keys independently in all containers.

Secondly you should not enable SSH by default. There are no points to have SSH running in all of your containers.

And the last thing is that there is possibility to populate keys from ENV... but recommended way is to mount those files in your containers from secrets, so it will not be visible from env command.
Example from kubernetes

from postdock.

Or alert him about default keys....

from postdock.

Using env variables to control ssh-keys and passwords and then using the technique outlined in https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L4-L25

There would then be an env variable called, for example, SSH_PUBKEY which can be populated directly or the user can define a SSH_PUBKEY_FILE which will point to a file typically generated by some secrets manager. Or even by using volumes.

from postdock.

#160

from postdock.

1.8 released

from postdock.