Comments (11)
Thank you @tiangolo and everyone! Closing this out.
from dockerswarm.rocks.
@tiangolo do you approve of this proposed change?
This tutorial ROCKS! [...]
I'm glad you like it!
Requiring people to type their passwords inside a command, in the middle of it, makes it a bit harder to use directly, to copy and paste it, updating just the pieces custom to each user.
Also, the ADMIN_PASSWORD env var only persists during the current session. Once you log out of bash, it's not there anymore.
I think it's easier for more advanced users to modify the command live, like you did, to customize it to some specific requirements, than to force everyone to use some specific more complex instructions.
It's up to you, @tiangolo. One last attempt to get you to agree with my suggestion: god forbid anyone feels like it would make sense to run all this in a screen or tmux session. Then the plaintext password env var could persist for a loooooooong time.
While understanding the security concerns raised by @rayrrr, I have to admit the documentation is doing a good job of explaining complex concepts in a very straightforward way.
To me, the existing (not perfectly secure, but easy to understand and reproduce) way of dealing with passwords in this documentation seems to be a good choice.
One has to admit that perfect solutions (totally secure, efficient etc.) are great concepts but not really reachable. If one attempts to write documentation for such a perfect solution, it starts growing and probably never completes. Even if it completes, then it is likely to suffer from being too extensive and difficult to understand and use, not to mention the growing difficulty of maintaining it.
Personally, I think that adopting these new technologies is very likely to contribute to overall solution quality. As soon as developers get used to that, they will have enough capacity to improve on more details, such as not storing credentials in env variables.
One more reason I brought this up in the first place: I'm going to use a boxing metaphor here. I was training once and a trainer came to me and said I was holding my guard up wrong; he showed me the right way and then said "you fight how you train." In other words, the practices you learn as a beginner are likely to stick around. This is among the reasons for my concern, since the tutorial just might be aimed at command-line-beginners. @vlcinsky I like your explanation of how to just store the hashed password in the env in #21, thanks!
Well, you could ask people to write out their password directly before hashing, but that would be useless; the password still appears and persists in ~/.bash_history or ~/.zsh_history with both methods.
@QuentinFAIDIDE not true; there are ways to do this that totally hide the input from stdin and thus any *history files as well. In fact, @vlcinsky wrote it up in such a way in #21. My vote is for that approach!
@rayrrr Sure, there are ways to hide stdin, you are right, and we should do just like #21, but you wrote in OP as your alternative method:
export HASHED_PASSWORD=$(openssl passwd -apr1 typeyourpasswordhere)
So, using this line would definitely leak pwds to *history files. No need therefore to state that my statement is 'not true', since it's as true as 1 + 1 = 2.
My vote is with you though if you want to use your idea with issue #21 passwd mitigation. That would leave nothing in history or env variables as you mentioned.
Whoops, we meant stdout. And yes @QuentinFAIDIDE you are technically correct, all I was saying was that in #21 the typeyourpasswordhere part is left out and that way you are prompted for a password & confirmation in a "hidden" manner.
Thanks for the discussion here everyone! ☕
I added a note to the docs with @vlcinsky's alternative way to type passwords without putting them in an env var in: #42
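A worked version of the approach the thread settles on, added here as an example (it is not code from dockerswarm.rocks or from anyone in this thread): one helper hashes a password read from a hidden prompt instead of a command argument, and a second scans a history file for the leaky `openssl passwd -apr1 <password>` form. It assumes a POSIX sh, the openssl CLI, and a plain-text history file; the sample history it scans is constructed inline.

```shell
# Added example, not code from the dockerswarm.rocks docs or this thread.
# Assumes POSIX sh and the openssl CLI.

# Hash a password with openssl's apr1 (htpasswd-compatible) scheme without
# passing it as an argument, so `ps`, history files and the environment never
# hold the plaintext. Usage: export HASHED_PASSWORD=$(hash_password_hidden)
hash_password_hidden() {
    if [ -t 0 ]; then
        printf 'Password: ' >&2
        stty -echo            # hide typing on the terminal
        IFS= read -r pw
        stty echo
        printf '\n' >&2
    else
        IFS= read -r pw       # non-interactive: read one line from stdin
    fi
    # openssl takes the plaintext from stdin; only the hash reaches stdout.
    printf '%s\n' "$pw" | openssl passwd -apr1 -stdin
    unset pw                  # drop the plaintext from the shell as well
}

# Print history lines where `openssl passwd` got a positional argument, i.e.
# the password was typed on the command line. Options that take a value
# (e.g. -salt X, -in F) are flagged too, so treat hits as "review this".
history_leaks_password() {
    grep -E 'openssl[[:space:]]+passwd([[:space:]]+-[A-Za-z0-9]+)*[[:space:]]+[^-[:space:]][^[:space:]]*' "$1"
}

# Constructed sample history (bash and zsh extended-history styles) for a demo;
# the timestamp and passwords are made up.
sample_history_file() {
    f=$(mktemp)
    printf '%s\n' \
        'ls -la' \
        'export HASHED_PASSWORD=$(openssl passwd -apr1 typeyourpasswordhere)' \
        ': 1700000000:0;openssl passwd -apr1 s3cret' \
        'openssl passwd -apr1 -stdin' \
        'openssl passwd -apr1' > "$f"
    printf '%s\n' "$f"
}
```

Running `history_leaks_password ~/.bash_history` on a real machine is the quick check for whether the OP-style command has already left a plaintext password behind.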